Bridging the Air Gap between Isolated Networks and Mobile Phones in a Practical Cyber-Attack

Information is the most critical asset of modern organizations, and accordingly it is one of the resources most coveted by adversaries. When highly sensitive data is involved, an organization may resort to air gap isolation in which there is no networking connection between the inner network and the external world. While infiltrating an air-gapped network has been proven feasible in recent years, data exfiltration from an air-gapped network is still considered one of the most challenging phases of an advanced cyber-attack. In this article, we present "AirHopper," a bifurcated malware that bridges the air gap between an isolated network and nearby infected mobile phones using FM signals. While it is known that software can intentionally create radio emissions from a video card, this is the first time that mobile phones serve as the intended receivers of the maliciously crafted electromagnetic signals. We examine the attack model and its limitations and discuss implementation considerations such as modulation methods, signal collision, and signal reconstruction. We test AirHopper in an existing workplace at a typical office building and demonstrate how valuable data such as keylogging and files can be exfiltrated from physically isolated computers to mobile phones at a distance of 1-7 meters, with an effective bandwidth of 13-60 bytes per second.