- Researchers reveal how hackers are now able to penetrate supposedly unhackable air-gapped computers used by corporations, government agencies and the military to secure their most sensitive data.
- Shielded from the internet and IT networks, these off-grid servers require manual updates — but skilled hackers can zero in on their power supply to identify the brief moments when their guard is down.
- With lightning-fast quantum computers now available to buy on the internet, cybercriminals could use them to place undetectable malware on the UK’s most secure servers.
Quantum computing will light the way for hackers to identify and attack air-gapped servers — high-security computers once thought immune to data theft — new analysis by the cybersecurity consultants Cystel has revealed.
Large businesses and government agencies typically store their most valuable and confidential information, such as files relating to research and development or intellectual property, on servers that are disconnected — or air-gapped — from the main network.
As a result, the organisation’s most sensitive data is protected from direct cyberattacks and viruses that might spread through the rest of its IT system, and because it is off-grid, the air-gapped server is hard for hackers to locate.
However, according to cybersecurity expert Dr Meera Sarma, CEO of Cystel, a criminal armed with a quantum computer, accessible via the cloud, would now be capable of sniffing out these hidden data goldmines through the organisation’s electricity supply.
Long seen as the stuff of science fiction, quantum computers harness the power of quantum mechanics to solve complex problems far faster than a conventional computer.
Dr Sarma explains: “Electronic devices all have distinct energy consumption patterns and even an off-grid server will have a unique signature, a sound frequency that can be identified and measured using a quantum scanner.
“In order to find it, a cybercriminal would just need to perform a couple of quick scans, the first an IP scan to reveal the networked servers within a company, followed by a power consumption scan. Any air-gapped server, which will be power-hungry, will then stick out like a sore thumb.”
A window in their schedule
But if this server is offline, and the hackers aren’t planning a physical break-in, how can they get their hands on the data? The answer lies in the company’s own security protocols.
Dr Sarma explains: “There are a limited number of server manufacturers and each server produces a distinct noise signature. Through monitoring the power readings a skilled hacker will be able to work out the make and model of the air-gapped server, and this will help them to build a picture of its update schedule.
“Off-grid servers rely on updates and applications to be downloaded manually, and this job will likely fall to a system administrator with a high level of security clearance. Crucially the air-gapped server will need to be manually updated — or ungapped — for these updates to take place, and for many big companies this process will be as regular as clockwork.”
By biding their time a cybercriminal could pounce during this update window, but the smartest hackers are likely to go one step further, notes Dr Sarma.
“Attacking at the moment of upload is too much of a giveaway, especially when the most profitable data hacks are done slowly and surreptitiously,” she says.
“Instead, through knowledge of the update schedule and energy consumption scanning, hackers will be able to target the production server that supplies the latest versions of the applications the air-gapped version uses.
“By striking this networked server with quantum malware just after it has been updated, they can just wait for the system administrator to transfer it physically over to the air-gapped server using a portable USB stick or flash drive.”
The perfect crime
So far, so Ocean’s Eleven, but surely a virus or malicious software would be spotted quickly?
“This is the genius — and danger — of quantum malware,” reveals Dr Sarma. “At the moment it is untraceable by traditional antivirus tools as it does not have an identifiable signature they can pick up on. So with a successful infection, the target organisation may never even realise they have been hacked. In addition, quantum malware is not a virus and it can transform itself.
“Also, because the number of people with clearance to access an air-gapped server is small, if and when a data hack is spotted, they will be the prime suspects.”
Facing the future
While quantum computing is not yet commonplace, the power of this technology guarantees it will be a game-changer for cybercrime. Dr Sarma believes businesses need to sit up and take notice, before it’s too late.
“Quantum-based attacks are a real threat and could wreak far greater havoc than established cyberattacks, lingering for longer before being discovered, if at all.
“The financial impact and loss of data from such attacks are likely to be on a scale we have not witnessed before. While there are arguments that such a scenario is a while away, such complacency poses severe risks, especially with quantum computers now accessible via the cloud.
“The Government and sectors critical to the UK economy, such as banking, healthcare and utilities, need to assess quantum-based risks as a matter of urgency and develop policies to secure against future attacks that could have devastating economic implications for the UK.”
Dr Meera Sarma is a cybersecurity researcher and the CEO of cybersecurity consultancy Cystel.