A team of computer security experts from Ben-Gurion University in Israel has discovered that 2G mobile phones could hack air-gapped computers and steal data via radio-frequency electromagnetic waves and a GSM network.
In order for this process to work properly, both the 2G phone and the targeted computer must have malware installed on them.
“Computers naturally emit electromagnetic radiation, and since mobile phones are designed to receive such RF signals, the malware can send passwords or encryption keys from the computer to the phone using electromagnetic waves,” according to the International Business Times.
Typically, 2G phones with just basic capabilities like text messaging and calling are the only phones allowed in secure areas, because they do not have cameras or possible malware.
However, the research team discovered “even without a phone, if they could position a dedicated electromagnetic RF signal receiver about 30m away from the air-gapped computer, even if it were through a wall, the receiver would be able to extract data, and it would be much more information than the phone would be able to siphon off.”
Air-gapped computer systems are usually used in financial payment networks that process credit card transactions for retailers, in military networks, and in industrial control systems. These computers are isolated from other computers and the internet to prevent data from being stolen.
Usually “the only way to remove data from an air-gapped computer is to physically access the machine, and this makes it much harder to infect it with malware, unless the malware had already been installed previously,” researchers said.
“While there may not be a threat from the network, this does not mean air-gapped computers cannot be infected by other means. This really shows why a network-only security approach is no longer viable; endpoints themselves are increasingly the target of bold hackers intent on exfiltrating data. Companies need continuous monitoring and recording on each and every endpoint device – including mobile devices – if they are to detect and respond to unusual activity and prevent these kinds of attacks,” David Flower, managing director for Europe’s security firm Bit9 + Carbon Black, said.
The team will present their research at the 24th Usenix Security Symposium in Washington DC on August 12-14.