For many years I've just viewed all of my devices as possibly compromised. It's one of the reasons I've been very down on cryptocurrencies in general. I don't actually see USB as something that can maintain a true, robust airgap, because the amount of data transferred is not inspectable.
In my view, the best use of an airgapped machine would be for storage of extremely dense and sensitive information such as cryptographic keys. Signing or encryption should be accomplished through an inspectable data channel requiring manual interaction such as QR codes. When every bit in and out of a machine serves a purpose, it's much less likely to leak.
Example: show a qr code to a camera on the airgapped machine and get a qr code on the screen containing the signature of the data presented to it. There is very little room for nefarious code execution or data transmission.
How about a USB "MITM" device that presents itself as a serial port to the OS when the user connects a USB storage device.
The user would then use a terminal emulator to connect to something like a BBS[1] where they could browse files, and download or upload files to the connected USB storage device using XMODEM[2] like in the good old days.
edit: It could of course also filter the files, for example not list any executable files, and prevent transfer of executable files based on scanning their contents.
The MITM device would be implemented using a microcontroller with signed firmware, and careful design to prevent a connected USB device from doing shenanigans like voltage glitching. This would include using isolated DC-DC and isolated data lines like this[3].
The MITM would only interact with the storage device class. If the connected device presents itself as more, say a keyboard, it would just ignore those.
The user must be prevented from bypassing the MITM device, though this could be done through physical means.
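An added sketch in Python of the two filters in this proposal (not the commenter's design or any real firmware): walking a USB configuration descriptor so that only mass-storage interfaces are driven, and a content-based executable check for the file filter. The composite descriptor below is constructed sample data, and the magic-byte list is assumed to be the filter's signature set.

```python
MASS_STORAGE = 0x08   # bInterfaceClass: USB Mass Storage

def interfaces(config_desc: bytes):
    """Walk a USB configuration descriptor and return [(bInterfaceNumber,
    bInterfaceClass), ...] for each interface descriptor (bDescriptorType 4).
    Anything malformed or truncated is rejected, not parsed leniently."""
    found, pos = [], 0
    while pos < len(config_desc):
        if pos + 2 > len(config_desc):
            raise ValueError("truncated descriptor header")
        length, dtype = config_desc[pos], config_desc[pos + 1]
        if length < 2 or pos + length > len(config_desc):
            raise ValueError("descriptor length out of bounds")
        if dtype == 4:
            if length < 9:
                raise ValueError("short interface descriptor")
            found.append((config_desc[pos + 2], config_desc[pos + 5]))
        pos += length
    return found

def storage_interfaces(config_desc: bytes):
    """The thread's policy: drive only mass-storage interfaces and ignore whatever
    else the device claims to be (HID keyboard, CDC serial, vendor-specific)."""
    return [num for num, cls in interfaces(config_desc) if cls == MASS_STORAGE]

EXECUTABLE_MAGIC = (
    b"MZ",                # PE / DOS executables
    b"\x7fELF",           # ELF
    b"#!",                # interpreter scripts
    b"\xca\xfe\xba\xbe",  # Mach-O fat binaries (and Java .class files)
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",  # Mach-O
)

def looks_executable(head: bytes) -> bool:
    """Content-based check for the file filter: decide on leading bytes, never the
    file name.  Best effort: catches known formats, not every possible carrier."""
    return any(head.startswith(m) for m in EXECUTABLE_MAGIC)

# Constructed sample: a composite device announcing one mass-storage interface
# (SCSI transparent, bulk-only) plus one HID boot-keyboard interface.
COMPOSITE_DESC = bytes.fromhex(
    "09 02 3900 02 01 00 80 32"    # configuration descriptor, wTotalLength 0x0039
    "09 04 00 00 02 08 06 50 00"   # interface 0: class 0x08 mass storage
    "07 05 81 02 0002 00"          # bulk IN endpoint
    "07 05 02 02 0002 00"          # bulk OUT endpoint
    "09 04 01 00 01 03 01 01 00"   # interface 1: class 0x03 HID, boot keyboard
    "09 21 1101 00 01 22 4100"     # HID class-specific descriptor
    "07 05 83 03 0800 0a"          # interrupt IN endpoint
)
```

With the constructed descriptor, `storage_interfaces(COMPOSITE_DESC)` returns `[0]`: the keyboard interface is simply never spoken to.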
I like it. Seems like it might be useful for mice and keyboards as well.
Have a few ports on it:
This device can only be a mouse -> USB
This device can only be a keyboard -> USB
Then it filters everything coming in to ensure that it matches the desired type of activity.
For USB drives, I'm tempted to say it should read the USB drive once, and copy all information to internal storage in order to prevent data being sent to the usb via timed or coordinated reads. This would allow a truly read only thumbdrive.
Back in the day I made a proof of concept of animated QR codes using fountain codes - txqr.[1] Since then I've received a bunch of requests to make it into an actual cross-platform app, but never could find the time for this hobby project. I guess I should revive this project and make a usable open-source app.
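As an added illustration of why fountain codes suit animated QR transfer (this is not txqr's code), a minimal Luby-transform style encoder and peeling decoder in Python: the receiver can capture frames in any order and with gaps, and recovers the data once enough distinct frames have been seen. The degree distribution is simplified from a real soliton distribution, and SAMPLE is constructed data.

```python
import random
# Constructed sample payload (not real data): what one signing request might carry.
SAMPLE = b"constructed signing request: please sign digest 0123abcd of message 42"

def xor_into(dst: bytearray, src: bytes) -> None:
    for i, b in enumerate(src):
        dst[i] ^= b

def droplet_indices(frame_no: int, k: int) -> set:
    """Chunks that frame `frame_no` XORs together.  Frames 0..k-1 carry one chunk each;
    later frames mix chunk frame_no % k with a pseudo-random subset seeded by the frame
    number, so the receiver recomputes the set from the number alone.  (Real LT codes
    draw the degree from a soliton distribution; this simplification keeps every chunk
    recurring.)"""
    if frame_no < k:
        return {frame_no}
    rng = random.Random(frame_no)
    idx = {frame_no % k}
    idx.update(rng.sample(range(k), rng.randint(1, k - 1)))
    return idx

def lt_encode(data: bytes, k: int, n_frames: int):
    """Split data into k zero-padded chunks; emit n_frames (frame_no, payload) droplets,
    one per animated-QR frame."""
    size = -(-len(data) // k)
    chunks = [data[i * size:(i + 1) * size].ljust(size, b"\0") for i in range(k)]
    frames = []
    for f in range(n_frames):
        payload = bytearray(size)
        for i in droplet_indices(f, k):
            xor_into(payload, chunks[i])
        frames.append((f, bytes(payload)))
    return frames

def lt_decode(frames, k: int, length: int):
    """Peeling decoder over whichever frames were captured, in any order: a droplet whose
    unknown set shrinks to one chunk reveals it; XOR that chunk out of the rest; repeat.
    Returns None while the captured frames are insufficient (keep watching)."""
    known = {}
    pending = [(droplet_indices(f, k), bytearray(p)) for f, p in frames]
    progress = True
    while progress and len(known) < k:
        progress = False
        for idx, payload in pending:
            for i in idx & set(known):
                xor_into(payload, known[i])
            idx -= set(known)
            if len(idx) == 1:
                known[idx.pop()] = bytes(payload)
                progress = True
    return None if len(known) < k else b"".join(known[i] for i in range(k))[:length]
```

Dropping frame 0 still decodes because frame 4 re-mixes chunk 0; two frames alone return None, which is the "keep the camera pointed at the screen" case.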
This is probably a decent use case for plain old serial. Interface via application defined TTY.
On the other hand no matter the transport you’re probably going to get owned by well known vulnerabilities in any software processing data from the internet-connected side, if you’re using the air gap as an excuse to avoid patching or otherwise caring about secure coding practices.
Then you’re still at the mercy of the TTY application being secure. Having to go through the analog hole makes it much more difficult.
As for patching, you would ensure a secure root of trust and only allow read-only media to deliver said updates, as another sibling points out.
Air gapping is still valuable but it’s still hard to impossible. For example, stuxnet was delivered by an insider. So good physical security and monitoring is also needed to prevent against insider threats.
I think of the sensitive, air-gapped information as an infection. If an old and “infected” machine needs upgrading then it’s easier to put a new, freshly upgraded machine into the infected area, copy the sensitive data over to the new machine, then incinerate the old one.
Anything that does come out of the infected area intact has to be cleaned or inspected carefully to ensure it is free of the “sensitive data” infection.
That would happen in a secure environment with auditors and multiple sysadmins who would have the ability to do things normally disallowed. Different threat model.
"Patching" is the fundamental reason airgapping isn't a sound solution, IMO. If you're a TLA you can probably find some secure, verifiable, write-only way to transfer patches to your air gapped machines. But for any normal person/organization; you'll very likely end up less secure due to how hard this is.
You can use DVD-Rs to load a WSUS server for Windows or a package mirror for Linux, I’d just be surprised if many airgapped operators were keeping on top of this.
I'm imagining a "secure slate" you can carry between the computers, a tiny tablet with a camera, e-ink display, and replaceable batteries. It does nothing but snap a picture of a QR code and then (if error checking is OK) reproduces it on its own durable display. Add a write-protection switch that doubles as a cover on the camera-lens, and have it auto-blank when not in use.
So you'd snapshot its QR code, hand-carry the slate to air-gapped Computer B, press a button to wake it up, brandish the "copied" QR code in front of B's camera, etc. Maybe even take one and (with careful labeling) put it into a safe, depending on how long you plan to store it.
You could do something similar with a camera and thermal-paper printer, but then the physical artifact needs to be reliably destroyed by manual effort, as opposed to auto-erasure.
With appropriate encryption between the two machines, the slate could even be a simple smartphone.
It doesn't matter whether the smartphone is internet-connected or not, as the slate's contents wouldn't be of any use without hacking one of the machines, and if you could do that, you wouldn't need to hack the slate in the first place.
For longer term storage use an analog camera to take pictures of the QR codes, then develop the film and store them in an airtight climate controlled vault. Bonus points if the film is designed to be very stable after developing. Maybe platinum prints with lots of error correction.
Well, the context is a facility where security must be so tight that you're air-gapping computers in the first place, so a lot of the same reasons nobody would be permitted to bring their personal film-camera into the place either: You don't want to make it easy for people to take pictures of arbitrary things (faces, documents, whiteboards) and you don't want to always be searching everyone's underwear for instant-photos or film-canisters.
In contrast, a worker can sign-out a hardened device, and when they return it on the way out you can be reasonably sure they couldn't have easily made copies. Plus the scanner won't capture arbitrary pictures in the first place, and it can be set to auto-wipe after X minutes of inactivity.
If you give people 10 unexposed sheets and require them to return a total of 10 used/unused on the way out, that's susceptible to them smuggling in an unexposed sheet, and you're back to underwear searches again.
This is interesting. Another use for such a secure machine would be to enter text, eg highly controversial blog entries or erotic stories. Then any common computer or phone with a camera can be used to transfer the text using 2D barcodes.
This would be a bit slow: say a barcode. If we assume a single barcode can hold 1500 characters (text twice as long as your comment), a blog entry may need 4-5 barcodes. Not undoable.
Such a machine would not have a camera, WiFi, BT, or any input or output mechanism of any kind.
I mean, this thread has itself very clearly turned into some crypto-fetishist fan fiction, completely departed from reality. I guess it’s just what came to mind.
You nailed the term I didn’t know I was looking for, that’s exactly it! As a fantasy I’ve thought about creating a secret identity and have researched how to keep it absolutely safe. This is very hard and you can spend quite a bit of time designing ever elaborate schemes.
Ok, that was the first time I heard the phrase ( recreational paranoia ) and I am now lost in a sea of links. Can you elaborate on it? It sounds fascinating to me from context alone.
Yes. But using USB devices has a practically infinitely greater attack surface than parsing data embedded in a QR Code. It's not like you have to read QR Codes and go "echo $QRData | sudo bash".
"BadUSB is a computer security attack using USB devices that are programmed with malicious software.[2] For example, USB flash drives can contain a programmable Intel 8051 microcontroller, which can be reprogrammed, turning a USB flash drive into a malicious device.[3] This attack works by programming the fake USB flash drive to emulate a keyboard. Once it is plugged into a computer, it is automatically recognized and allowed to interact with the computer. It can then initiate a series of keystrokes which open a command window and issue commands to download malware." -- https://en.wikipedia.org/wiki/BadUSB
The Soviets had a strong typewriter implant game[0]. They might have to revive some of their old tradecraft to either deliver implants via the card punches, or monitor what is being sent over the air gap.
I considered saying bearish. Maybe I could have been clearer.
I have a low opinion about the usefulness of cryptocurrencies because true security is so difficult. It's basically impossible, even if you don't make any mistakes.
I really enjoy this kind of stuff, and loved reading about the z-cash ceremony. I'm not going to those lengths to protect my secrets, so I feel it's better if I don't hold a lot of wealth in such a fragile way.
I used to like it, but now I don't. It's still neat, but it's too prone to costly mistakes.
Bullish and bearish are common stock market terms[1] meaning optimistic and pessimistic. Hawkish means advocating war, which doesn't clearly align with optimistic or pessimistic.
The first time I tried to type a long public key it took me like 10 minutes, and was a pain in the butt. If it's something you're doing a lot, using QR codes can make it much faster and easier.