🚧 Air Gapped – Why the separation is often not one 🚧

  • Writer: Daniel Eberhorn
  • Mar 3
  • 3 min read
[Image: conceptual illustration of a wide, fragmented "air gap" glowing in blue and white between a computer and a server, with faint network lines and data symbols crossing the gap to hint at hidden connectivity]

Image generated by OpenAI's DALL·E

In the world of cyber security, the term "air gapped" is often used as a synonym for maximum security. Air-gapped systems, i.e. networks that are physically separated from the Internet and other networks, are considered the ultimate protective shield for critical infrastructure and sensitive data. But how secure is this isolation really? The following analysis shows that air-gapped systems are far less invulnerable than they seem at first glance.



The theory behind air-gapped systems

Air gapping is based on a simple concept: physically separating a network or system from the Internet and from all other networks, wired or wireless, is intended to make remote cyberattacks almost impossible.


Main arguments for air-gapped systems:
  • Minimizing remote attacks: Without a direct connection to the Internet, the attack surface remains significantly reduced.

  • Control over external access: Access points are strictly regulated, making it difficult for malware or attackers to gain access to the system.


Air-gapped systems are often used in critical infrastructures, such as nuclear power plants, military facilities or industrial control systems (ICS). Security is particularly important here, as cyberattacks could have fatal consequences.



The reality: Air Gapped – just a term without substance?

In theory, the idea of air-gapped systems sounds incredibly secure, but in practice the picture is often different: many systems that are described as "air gapped" do not meet the basic requirements of physical isolation. The term is often misapplied or deliberately used incorrectly to suggest a higher level of security.


Seemingly isolated, but still connected

  • No real air gap: In many companies, supposedly isolated systems are still part of the network, often just in a separate VLAN. Access is via firewalls that restrict data traffic but do not ensure real physical separation.


  • Access to central resources: Such systems often continue to access central IT resources, such as file shares, domain controllers or backup systems. This creates connections that attackers can exploit.


  • Workstation accessibility: Administration tools that access air-gapped systems from normal workstations on the corporate network open another potential backdoor. This connection is often not adequately secured or monitored.


  • Insufficient control: Maintenance work, such as updates or configuration changes, is often carried out via temporary network connections or even via remote desktop services. Every such connection suspends the isolation for as long as it exists, and in practice it is rarely removed afterwards.
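One way to test the claim instead of trusting the label, as an added example that is not part of the original post: a small Python audit that parses `ip route` and `ss -tn` output captured on a supposedly isolated host and reports anything that contradicts physical isolation. The sample output below is constructed, and the port-to-service map is an assumption chosen to match the resources the list above names.

```python
import ipaddress
import re

# Services the article names as typical hidden dependencies of a "VLAN air gap".
# The port-to-label mapping is an assumption of this example, not a standard.
SERVICE_PORTS = {445: "SMB file share", 389: "LDAP/domain controller",
                 88: "Kerberos/domain controller", 3389: "remote desktop"}

def local_subnets(route_output):
    """Return the directly connected (scope link) subnets from `ip route` output."""
    nets = []
    for line in route_output.splitlines():
        m = re.match(r"(\d+\.\d+\.\d+\.\d+/\d+) dev \S+ .*scope link", line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets

def audit(route_output, ss_output):
    """Return findings that contradict an 'air gapped' claim for this host."""
    findings = []
    # A default route means the host is routed to other networks, not isolated.
    if any(line.startswith("default ") for line in route_output.splitlines()):
        findings.append("default route present: host can reach other networks")
    nets = local_subnets(route_output)
    for line in ss_output.splitlines()[1:]:          # skip the ss header line
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue
        local, peer = parts[3], parts[4]
        lport = int(local.rsplit(":", 1)[1])
        pip, pport = peer.rsplit(":", 1)
        peer_ip = ipaddress.ip_address(pip)
        # Sessions leaving the local subnet, or to/from a known central service,
        # are exactly the "seemingly isolated, but still connected" cases.
        off_subnet = not any(peer_ip in n for n in nets)
        label = SERVICE_PORTS.get(int(pport)) or SERVICE_PORTS.get(lport)
        if off_subnet or label:
            where = "beyond the local subnet" if off_subnet else "on the local subnet"
            findings.append(f"session with {pip} {where}" + (f" ({label})" if label else ""))
    return findings

# Constructed sample output from a host that is labelled "air gapped".
ROUTES = """default via 10.20.0.1 dev eth0 proto static
10.20.0.0/24 dev eth0 proto kernel scope link src 10.20.0.15"""
SESSIONS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      10.20.0.15:49812    10.1.5.20:445
ESTAB  0      0      10.20.0.15:52100    10.1.5.10:389
ESTAB  0      0      10.20.0.15:3389     10.30.7.44:61022
ESTAB  0      0      10.20.0.15:38122    10.20.0.9:8080"""

if __name__ == "__main__":
    for finding in audit(ROUTES, SESSIONS):
        print(finding)
```

On the constructed sample the host reports a default route, a file-share and a domain-controller session to another subnet, and an inbound remote desktop session: four reasons the label does not hold.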



The Illusion of Isolation

In practice, "air gapped" is often used as a buzzword to simulate a high level of security. In fact, many of these systems lack real physical separation. Instead, they are often just housed in separate VLANs that can be reached via firewalls. The term is therefore often used to gloss over reality: complete isolation is rarely implemented because it is complex and hard to sustain in the day-to-day operations of many companies.



Conclusion: An alibi term in cyber security

Many so-called "air gapped" systems are in fact nothing more than VLANs with limited access. The physical separation that the term suggests is usually not present. The term is often used as an alibi to justify supposed security measures without really addressing the underlying vulnerabilities.

In the end, the conclusion remains: an "air gap" is only a real protection if it is implemented consistently. But reality shows that this is rarely the case - and the term often promises more than it can deliver.



NSA ANT Catalog: Attacks also on air-gapped systems

Where there's a will, there's a way

Real attacks on air-gapped systems often require considerable effort and specialized tools. They are therefore primarily relevant for highly sensitive targets such as government agencies or critical infrastructure and less of a risk for the typical medium-sized company. But existing technologies show that physical isolation is not an insurmountable obstacle - if the attacker has enough resources and motivation.


Examples from the NSA ANT Catalog

The NSA ANT Catalog, a document published by Der Spiegel in 2013, provides an insight into the tools used by the NSA. This collection shows how even isolated air-gapped systems can be deliberately compromised. The known tools include:


  1. Cottonmouth-I: A prepared USB plug that can intercept data and transmit it via radio signal.

  2. Firewalk: A technology that can intercept network activity even in isolated environments.

  3. Ragemaster: A signal tapping tool that reads the electromagnetic radiation of a monitor and provides data for further analysis.

  4. HowlerMonkey: A hardware implant that transmits data from an air-gapped system via radio signal.


These tools demonstrate that physical isolation alone does not provide absolute protection. Specialized technologies can bypass security measures and exfiltrate information even from highly sensitive environments.

© Daniel Eberhorn - SecurityWho