The field of cybersecurity is obsessed with preventing and detecting breaches, finding every possible strategy to keep hackers from infiltrating your digital inner sanctum. But Mordechai Guri has spent the last four years fixated instead on exfiltration: How spies pull information out once they've gotten in. Specifically, he focuses on stealing secrets sensitive enough to be stored on an air-gapped computer, one that's disconnected from all networks and sometimes even shielded from radio waves. Which makes Guri something like an information escape artist.

More, perhaps, than any single researcher outside of a three-letter agency, Guri has fixated his career on defeating air gaps by using so-called "covert channels," stealthy methods of transmitting data in ways that most security models don't account for. As the director of the Cybersecurity Research Center at Israel's Ben-Gurion University, Guri, 38, leads a team that has invented one devious hack after another, each taking advantage of the accidental and little-noticed emissions of a computer's components—everything from light to sound to heat.

Guri and his fellow Ben-Gurion researchers have shown, for instance, that it's possible to trick a fully offline computer into leaking data to another nearby device via the noise its internal fan generates, by changing air temperatures in patterns that the receiving computer can detect with thermal sensors, or even by blinking out a stream of information from a computer hard drive LED to the camera on a quadcopter drone hovering outside a nearby window. In new research published today, the Ben-Gurion team has even shown that they can pull data off a computer protected by not only an air gap, but also a Faraday cage designed to block all radio signals.

An Exfiltration Game

"Everyone was talking about breaking the air gap to get in, but no one was talking about getting the information out," Guri says of his initial covert channel work, which he started at Ben-Gurion in 2014 as a PhD student. "That opened the gate to all this research, to break the paradigm that there's a hermetic seal around air-gapped networks."

Guri's research, in fact, has focused almost exclusively on siphoning data out of those supposedly sealed environments. His work also typically makes the unorthodox assumption that an air-gapped target has already been infected with malware by, say, a USB drive, or other temporary connection used to occasionally update software on the air-gapped computer or feed it new data. Which isn't necessarily too far a leap to make; that is, after all, how highly targeted malware like the NSA's Stuxnet and Flame penetrated air-gapped Iranian computers a decade ago, and how Russia's "agent.btz" malware infected classified Pentagon networks around the same time.


Guri's work aims to show that once that infection has happened, hackers don't necessarily need to wait for another traditional connection to exfiltrate stolen data. Instead, they can use more insidious means to leak information to nearby computers—often to malware on a nearby smartphone, or another infected computer on the other side of the air gap.

Guri's team has "made a tour de force of demonstrating the myriad ways that malicious code deployed in a computer can manipulate physical environments to exfiltrate secrets," says Eran Tromer, a research scientist at Columbia. Tromer notes, however, that the team often tests their techniques on consumer hardware that's more vulnerable than stripped-down machines built for high security purposes. Still, they get impressive results. "Within this game, answering this question of whether you can form an effective air gap to prevent intentional exfiltration, they’ve made a resounding case for the negative."

A Magnetic Houdini

On Wednesday, Guri's Ben-Gurion team revealed a new technique they call MAGNETO, which Guri describes as the most dangerous yet of the dozen covert channels they've developed over the last four years. By carefully coordinating operations on a computer's processor cores to create certain frequencies of electrical signals, their malware can electrically generate a pattern of magnetic forces powerful enough to carry a small stream of information to nearby devices.