Air-gap Limitations and Bypass Techniques: “Command and Control” using Smart Electromagnetic Interferences

  • Chaouki Kasmi Wireless Security Lab French Network and Information Security Agency (ANSSI)
  • José Lopes Esteves Wireless Security Lab French Network and Information Security Agency (ANSSI)
  • Philippe Valembois Wireless Security Lab French Network and Information Security Agency (ANSSI)


Air gaps are generally considered to be a very efficient information security protection. However, this technique also showed limitations, involving finding covert channels for bridging the air gap. Interestingly, recent publications have pointed out that a smart use of the intentional electromagnetic interferences introduced new threats for information security. In this paper, an innovative way for remotely communicating with a malware already installed on a computer by involving the induced perturbations is discussed leading to the design of a new air gap bridging covert channel.


[1] NIST, National Supply Chain Risk Management Practices for Federal Information Systems, 2014.
[2] CERT-UK, Cyber-security risks in the supply chain, 2015.
[3] H. Okhravi, S. Bak, S. T. King, “Design, Implementation and Evaluation of Covert Channel Attacks”, IEEE International Conference on Technologies for Homeland Security, 2010.
[4] B. W. Lampson, “A Note on the Confinement Problem”, Communications of the ACM, pp 613-615, 1973.
[5] USB Implementers Forum, USB Device Class Definition for Human Interface Devices (HID), 2001.
[6] Video Electronics Standards Association, VESA Enhanced Display Data Channel Standard, 2004.
[7] Video Electronics Standards Association, VESA Monitor Control Command Set Standard Version 3, 2006.
[8] A. Davis, “HDMI – Hacking Displays Made Interesting”, BlackHat USA 2012.
[9] A. Kaufmann, B. Smus, “Tone: An experimental Chrome extension for instant sharing over audio”, Google Research Blog, 2015,
[10] S. J. O'Malley, K. K. R. Choo, “Bridging the Air Gap: Inaudible Data Exfiltration by Insiders”, 20th Americas Conference on Information Systems, 2014.
[11] P. M. Ricordel, P. Capillon, Rump Session, Symposium sur la Sécurité des Technologies de l’Information et des Communications, 2014.
[12] D. Goodin, “Meet "badBIOS", the mysterious Mac and PC malware that jumps airgaps”, Arstechnica, 2013,
[13] D. Genkin, A. Shamir, E. Tromer, “RSA Key Extraction via Low-Bandwith Acoustic Cryptanalysis”, Advances in Cryptology – CRYPTO 2014.
[14] Y. Michalevsky, G. Nakibly, D. Boneh, “Gyrophone: Recognizing Speech from Gyroscope Signals”, RSA Conference 2015, 2015.
[15] M. Guri, G. Kedma, A. Kachlon, Y. Elovici, “AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones using Radio Frequencies”, 9th IEEE International Conference on Malicious and Unwanted Software, 2014.
[16] A. Cui, M. Costello, “Hacking Cisco Phones”, CCC conference 29C3, Hamburg, Germany, 2012.
[17] M. Guri, M. Monitz, Y. Mirski, Y. Elovici: “BitWhisper: Covert Signaling Channel between Air-Gapped Computers using Thermal Manipulations”, online:, 2015.
[18] R. Hoad, N. J. Carter, D. Herke et al., “Trends in EM susceptibility of IT equipment”, Electromagnetic Compatibility, IEEE Transactions on, vol.46, no.3, pp.390-395, Aug. 2004.
[19] M. G. Bäckström, K. G. Lövstrand, “Susceptibility of electronic systems to high-power microwaves: Summary of test experience,” IEEE Trans. Electromagn. Compat., vol. 46, no. 3, 2004.
[20] L. Palisek, L. Suchy, “High Power Microwave effects on computer networks” Electromagnetic Compatibility (EMC EUROPE), 2011 International Symposium on, vol., no., pp.18-21, 26-30 Sept. 2011.
[21] J. S. Choi, J. Lee, J. Ryu, et al. “Evaluation of Effects of Electronic Equipments in Actual Environments”. In Proc. of AMEREM 2014, Albuquerque, USA, July, 2014.
[22] M. Seaborn, with contributions by T. Dullien, “Exploiting the DRAM rowhammer bug to gain kernel privileges”, online:, March 9, 2015.
[23] C. Kasmi, J. Lopes Esteves, “You don’t hear me but your phone voice interface does”, Hack In Paris 2015, Paris, France, 2015.
[24] C. Kasmi, J. Lopes Esteves, M. Renard, “Automation of the Immunity testing of COTS computers by the instrumentation of the internal sensors and involving the operating system logs – Technical report “, System Design and Assessment Note SDAN 044, November 2014.
[25] GNU Radio is a free & open-source software development toolkit, online:, 2015.
[26] V. Houchouas, C. Kasmi, J. Lopes Esteves, D. Coiffard, “Experimental comparison of mode-stirrer geometries for EMC”, In Proc. of ASIAEM 2015, Jeju, South Korea, 2015.
[27] N. Mora, F. Vega, G. Lugrin, F. Rachidi, “Study and classification of Potential IEMI sources”, System Design and Assessment Note SDAN 041, July 2014.
[28] R. H. Barker, "Group Synchronizing of Binary Digital Sequences". pp. 273–287, Communication Theory. London: Butterworth, 1953.
[29] Bluetooth SIG, Bluetooth Specification Version 4.0, 2010.
[30] Agence Nationale de la Sécurité des Systèmes d’Information, Instruction Interministérielle N°300 relative à la Protection contre les Signaux Compromettants, online :, 2014.
[31] C. Kasmi, J. Lopes Esteves, “Automated Analysis of the Effects induced by Radio-Frequency Pulses on Embedded Systems for EMC Functional Safety”, URSI AT-RASC Conference, Spain, May 2015.
How to Cite
KASMI, Chaouki; LOPES ESTEVES, José; VALEMBOIS, Philippe. Air-gap Limitations and Bypass Techniques: “Command and Control” using Smart Electromagnetic Interferences. The Journal on Cybercrime & Digital Investigations, [S.l.], v. 1, n. 1, p. 13-19, jan. 2016. ISSN 2494-2715. Available at: <>. Date accessed: 25 june 2017. doi:
Conference proceedings