Two never-before-seen tools, from same group, infect air-gapped devices

Meaning and Value of “Air-Gapped”

  • Several commenters argue that if you’re plugging in USB drives, the system is not meaningfully air‑gapped; “sneakernet is still a network.”
  • Others note real high-security deployments still use air gaps, but combine them with strict physical security, media control, and TEMPEST/SCIF practices.
  • Some think air-gapping is overrated because patching and maintenance via offline channels are hard, often leaving systems less secure.

USB as a Vector

  • USB is seen as a “known bad” channel: BadUSB-style firmware attacks, HID emulation (fake keyboards), and large attack surface in host stacks.
  • A few point out that in this specific campaign USB acted mostly as dumb storage; the main weakness was user workflow and Windows UX.

Windows UX, Social Engineering, and This Attack

  • Key mechanism discussed: compromised online machines rewrite USB contents so:
    • The legitimate folder is hidden.
    • A malware executable with a folder icon and the same name is created; because Windows hides known extensions by default, the .exe suffix is not displayed.
  • On the air‑gapped machine, users double-click what they think is a folder. This is described as social engineering made possible by:
    • Hidden file extensions.
    • Custom icons.
    • GUI file-browsing on high‑security systems.
  • Some suggest “air‑gapped builds” of Windows should always show extensions, show hidden files, and visually emphasize executables.
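The folder-impersonation pattern described above is easy to check for before a drive is carried across the gap. The following scanner is an added example, not code from the original article or from any of the commenters; it walks a mounted volume and flags every executable whose base name matches a sibling directory (e.g. Reports\ next to Reports.exe), reporting whether that directory carries the Windows hidden attribute. Python is used so the same script runs on a non-Windows triage host; the extra suffixes beyond .exe, the function names and the sample drive contents are assumptions made for the example.

```python
"""Flag executables that impersonate a sibling folder on a removable volume."""
import os
import stat
import tempfile
from pathlib import Path

# .exe is what the report describes; the others are added as an assumption
# because Explorer also hides them by default and they run on double-click.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".cmd", ".bat"}


def is_hidden(path: Path) -> bool:
    """True if the entry carries the Win32 hidden attribute.
    st_file_attributes only exists on Windows; elsewhere nothing is reported
    hidden, so the name-collision rule below must fire on its own."""
    attrs = getattr(path.lstat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_folder_impersonators(root) -> list:
    """Walk `root` and return one finding per executable whose stem equals the
    name of a directory in the same parent (case-insensitive, as NTFS is)."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        dirs_by_lower = {d.lower(): d for d in dirnames}
        for fname in filenames:
            f = here / fname
            if f.suffix.lower() not in EXEC_SUFFIXES:
                continue
            twin = dirs_by_lower.get(f.stem.lower())
            if twin is None:
                continue
            findings.append({
                "executable": str(f.relative_to(root)),
                "shadowed_dir": str((here / twin).relative_to(root)),
                "dir_hidden": is_hidden(here / twin),
                "exe_size": f.stat().st_size,
            })
    return findings


def build_sample_drive(base) -> Path:
    """Constructed sample volume laid out the way the report describes:
    a real folder plus a same-named executable, and some benign entries.
    The .exe content is a two-byte MZ stub, not a real program."""
    base = Path(base)
    (base / "Reports").mkdir(parents=True)
    (base / "Reports" / "q3.docx").write_bytes(b"real document")
    (base / "Reports.exe").write_bytes(b"MZ" + b"\0" * 62)
    (base / "Photos").mkdir()
    (base / "Photos" / "a.jpg").write_bytes(b"\xff\xd8")
    (base / "notes.txt").write_bytes(b"benign")
    return base


def scan_sample_drive() -> list:
    """Build the constructed sample in a temp dir, scan it, and return findings."""
    with tempfile.TemporaryDirectory() as d:
        return find_folder_impersonators(build_sample_drive(d))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = find_folder_impersonators(target) if target else scan_sample_drive()
    for h in hits:
        print("SUSPECT %(executable)s shadows %(shadowed_dir)s "
              "(dir hidden: %(dir_hidden)s, %(exe_size)d bytes)" % h)
    print("%d suspicious entr%s" % (len(hits), "y" if len(hits) == 1 else "ies"))
```

Run it as `python scan_usb.py E:\` against the mounted drive; with no argument it scans the constructed sample. A hit with `dir_hidden: True` is the exact layout the report describes, but the name collision alone is worth quarantining, since a clean folder and an executable of the same name have no legitimate reason to coexist on transfer media.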

Alternative Transfer Channels

  • Multiple ideas for “inspectable,” low‑bandwidth channels:
    • QR codes between machines (including animated/multi‑frame QR).
    • A dedicated “secure slate” device (camera + e‑ink) that only relays QR data.
    • Paper-based schemes (printed barcodes, paper tape, punch cards, film).
  • Supporters see low bandwidth and manual interaction as security features; skeptics see these as crypto‑fetish “recreational paranoia.”
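Whatever the carrier (animated QR, printed barcodes, paper tape), a multi-frame transfer needs framing so the receiving side can cope with frames scanned out of order, scanned twice, or left over from an earlier transfer, and can tell the operator which frames to show again. The following is an added example of such framing, not a scheme proposed on the page or by any commenter: every frame carries its index, the frame count and a short hash of the whole payload, and the receiver refuses to splice in frames from a different transfer. The JSON layout, the 16-hex-character tag and the function names are assumptions for the example; the QR encode/decode step itself (any QR library) is left out so the logic runs offline.

```python
"""Framing and reassembly for a multi-frame (animated) QR transfer."""
import base64
import hashlib
import json


def payload_tag(payload: bytes) -> str:
    """First 16 hex chars of SHA-256: identifies the transfer and checks
    integrity against misreads. It is NOT authentication; a signature over
    the payload would be needed to reject a deliberately substituted one."""
    return hashlib.sha256(payload).hexdigest()[:16]


def split_into_frames(payload: bytes, frame_bytes: int = 256) -> list:
    """Return the text to encode into each frame. JSON keeps every frame
    readable with an ordinary phone scanner, so the operator can inspect it."""
    chunks = [payload[i:i + frame_bytes]
              for i in range(0, len(payload), frame_bytes)] or [b""]
    tag = payload_tag(payload)
    return [
        json.dumps({"i": i, "n": len(chunks), "h": tag,
                    "d": base64.b64encode(chunk).decode("ascii")},
                   separators=(",", ":"))
        for i, chunk in enumerate(chunks)
    ]


class FrameReceiver:
    """Collects decoded frame texts from the camera side and reassembles."""

    def __init__(self):
        self.tag = None
        self.total = None
        self.parts = {}

    def feed(self, frame_text: str) -> None:
        f = json.loads(frame_text)
        if self.tag is None:
            self.tag, self.total = f["h"], f["n"]
        elif f["h"] != self.tag or f["n"] != self.total:
            # Stale frame from a previous transfer, or a mixed-up deck of
            # printed codes: never splice it into this payload.
            raise ValueError("frame belongs to a different transfer")
        if not 0 <= f["i"] < self.total:
            raise ValueError("frame index out of range")
        self.parts[f["i"]] = base64.b64decode(f["d"])  # duplicates overwrite

    def missing(self) -> list:
        """Indices still to be shown again; empty once the set is complete."""
        if self.total is None:
            return []
        return [i for i in range(self.total) if i not in self.parts]

    def assemble(self) -> bytes:
        if self.tag is None or self.missing():
            raise ValueError("incomplete: missing frames %s" % self.missing())
        payload = b"".join(self.parts[i] for i in range(self.total))
        if payload_tag(payload) != self.tag:
            raise ValueError("hash mismatch: a frame was misread")
        return payload


def demo_round_trip() -> dict:
    """Constructed walkthrough: 1024-byte payload in 300-byte frames, fed out
    of order with one duplicate, then a frame from another transfer."""
    payload = bytes(range(256)) * 4
    frames = split_into_frames(payload, frame_bytes=300)
    rx = FrameReceiver()
    for k in (3, 1, 1, 0):
        rx.feed(frames[k])
    missing_before = rx.missing()
    rx.feed(frames[2])
    ok = rx.assemble() == payload
    try:
        rx.feed(split_into_frames(b"some other document")[0])
        foreign_rejected = False
    except ValueError:
        foreign_rejected = True
    return {"frames": len(frames), "missing_before": missing_before,
            "ok": ok, "foreign_rejected": foreign_rejected}


if __name__ == "__main__":
    print(demo_round_trip())
```

The manual step the supporters value is preserved: the sender shows frames, the receiver's `missing()` list tells the operator which ones to show again, and nothing is accepted until the hash over the full payload matches. Anyone who wants the channel to resist substitution rather than just misreads should sign the payload before framing it.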

OS and Hardware Mitigations

  • Proposed mitigations:
    • Strong prompting or forbidding execution from removable media.
    • USB-class whitelisting (only input devices, or only storage via a mediating device).
    • Application allowlists, signed binaries only, and sandboxing (Qubes OS mentioned).
    • Physically disabling or gluing USB ports; using PS/2, VGA, or SD cards instead.
  • Others warn that users strongly resist friction (e.g., UAC, antivirus scans), so many protections are disabled or never made defaults.

Human and Organizational Factors

  • Recurrent theme: insiders, misconfigured “offline” systems, and convenience-driven workarounds often defeat technical controls.
  • Some argue security monoculture can be dangerous; others think large institutions underinvest in genuinely secure, usable OS designs.