“aIR-Jumper” Malware Can Bypass Air-Gapped Networks
Cybercriminals can now use a malware-infected surveillance camera network to deliver additional malware or new commands, and to exfiltrate data from devices connected to that network, over infrared signals. The malware requires no internet connection and is capable of jumping air gaps. It is scary.
Critical infrastructure providers and security-sensitive institutions know about this risk and deploy an air-gapped network for protection. However, cybercriminals can bypass this security measure (also called air-gap isolation) and break into the network.
Researchers at Israel’s Ben-Gurion University of the Negev and Shamoon College of Engineering have demonstrated a proof-of-concept of malware that can breach air-gapped networks. The malware, dubbed “aIR-Jumper”, has the potential to be used against sensitive networks and in nation-state cyber attacks.
How the Malware Works
The malware bridges the air gap by communicating through the network’s surveillance cameras. Once it is inside the network, it functions like typical malware: it receives new commands and exfiltrates data to command and control (C&C) servers operated by the attacker.
Surveillance cameras are used in most critical institutions, and this malware is able to encode cryptographic material and passwords into the signals transmitted by, and received by, these cameras. The malware uses the cameras’ built-in infrared lights to send and receive those signals.
The attacker has to be within visual range of the surveillance cameras to record the signals they emit with a video camera. The outbound data transmission speed may be up to 20 bits per second, while the attacker can send data from a transmitter to the cameras at up to 100 bits per second. The researchers also report that communication with the cameras could be possible even when the transmitting and receiving devices are not within line of sight. Data exfiltration is possible only when the devices are within tens of meters of each other, whereas injection of malicious commands is possible even when the devices are a kilometer apart.
To thwart such breaches, critical networks are typically disconnected from the internet, a security measure intended to prevent intrusion. This malware, however, serves as a warning that surveillance camera networks can be turned into a bridge across that isolation.
Attack without Physical Access
Cyber experts fear that the aIR-Jumper malware could pave the way for similar malicious code that penetrates and compromises critical networks, because this attack vector does not require any physical access. Hence it is not only a threat to air-gapped networks; it could also be used to penetrate internal networks that are protected by security measures such as firewalls and intrusion detection and prevention systems.