When Air Gaps Fail: Covert Channels in Isolated Networks
Air-gapped networks look like castles with moats, set apart from the web of cybersecurity & cyberdefense. The catch is that physics never signed your policy document, so signals wander, flicker, and hum their way past isolation. This article explains how covert channels weaken the myth of perfect separation and how to counter them today.
Why Air Gaps Are Not Absolute
Air gaps promise containment. No uplinks, no shared networks, no path for an attacker to send or receive. In practice, systems still have clocks, fans, power supplies, ports, and people. Each one becomes a tiny bridge. Remove a bridge and smaller ones appear behind it.
The gap is not a moat full of sharks. It is a field of tall grass where something can slither through if you do not watch carefully. Accept that isolation is a spectrum, then build controls that keep the spectrum tilted in your favor. Good engineering accepts leaky edges, measures them with care, and stacks small barriers until the attacker's patience, equipment, and courage run dry completely.
What a Covert Channel Is
A covert channel is any unintended path that carries information between two domains that are supposed to be isolated. The key word is unintended. This is not an approved interface. It is a side effect, a byproduct of how computers leak energy.
Imagine a room where everyone agrees to be silent, then someone taps a radiator pipe. The rules are quiet about pipes, so messages flow. Computers do the same through tiny changes in timing, sound, light, heat, electromagnetic fields, and power draw.
The practical ceiling is bandwidth and error rate. Attackers compress and encode, then repeat and vote to push past noise. You rarely get megabits per second across an air gap, yet a few bytes can be decisive. A short beacon, a one-time code, or a key fragment can turn a hard problem into an easy one. Low and slow is not glamorous, but it is enough.
Families of Covert Channels
Covert channels obey the laws of physics. None are magical. Each asks a simple question. What can I change inside the room that can be sensed outside the room, then decoded into bits? Once you think that way, the list writes itself. Panic is optional. Planning is not.
Acoustic and Ultrasonic Whispers
Fans spin, coils sing, and speakers click even when muted. Malware can modulate fan speed, CPU load, or tiny buzzers to emit tones above human hearing. A nearby phone or laptop microphone becomes the ear. The rate is modest, yet keys and beacons fit comfortably into those gentle whistles. Thick walls help, and so does distance, but vents and doors carry sound farther than you expect.
Light Leaks and Visual Morse
Monitors, status LEDs, and keyboard backlights can blink in patterns that look boring to a person and obvious to a camera. The camera need not stare directly. Reflections from glass or glossy paint can betray signals that seem invisible. Tiny flickers ride under normal behavior and pass casual inspection. Window shades, LED covers, and screen blanking reduce exposure without turning the room into a cave.
Electromagnetic and Radio Bleed
Every wire is an antenna at some frequency. Power lines and data traces throw small fields that a nearby receiver can sniff. Processor and bus fingerprints shift with load, which makes them controllable beacons. Shielding helps, so do careful routing and grounding choices, but no build is perfect. The goal is not zero emission. It is an emission that is noisy, low power, and hard to shape deliberately.
Thermal and Power Side Chatter
Heat spreads slowly but predictably. If systems are temperature coupled through air or chassis, they can encode bits by warming and cooling. Power draw is a quicker lever. Sudden load changes ripple into power rails where sensors can notice. Even without smart gear, nearby devices can watch voltage droop and recover. Ordinary component behavior becomes an accidental telegraph.
| Channel Family | How It Leaks | Typical Rate / Reach | Receivers & Sensors | Practical Mitigations |
|---|---|---|---|---|
| Acoustic & Ultrasonic “Whispers” | | | | |
| Light Leaks & Visual “Morse” | | | | |
| Electromagnetic & Radio Bleed | | | | |
| Thermal & Power Side Chatter | | | | |
How Attackers Work the Problem
Placement comes first. They need code inside and a sensor outside. Code arrives through removable media, vendor quirks, maintenance windows, or social engineering that persuades a person to ferry bits. The outside sensor can be a phone, a camera, a dongle near a wall, or a forgotten IoT widget.
Once placed, the inside code chooses a channel that fits the room, then waits for a quiet moment. Patience pays. Much of the work is waiting for stillness and the instant when nobody is watching the blinking light that has always blinked.
Measuring Risk with Clear Eyes
Risk lives on two axes, feasibility and payoff. Feasibility depends on distance, materials, layout, workload, and the presence of receivers. Payoff depends on the value of the bytes that could escape and how fresh they must be. A plant diagram printed last year is not worth heroic effort. A one-time code that changes every hour certainly is.
Think about rates. If a channel moves a few bits per second with a ten percent error rate at three meters, hide the crown jewels behind short-lived keys and per-machine secrets. Force the adversary to stream for minutes instead of seconds so exposure becomes risky.
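To turn that rate reasoning into a number you can compare with a key lifetime, the sketch below is an added example, not part of the original article. It assumes a raw rate of 3 bits per second as one reading of "a few bits per second", a 256-bit secret, independent bit errors (a binary symmetric channel), and the repeat-and-vote scheme mentioned earlier.

```python
import math

def bsc_capacity(p):
    """Shannon capacity, in bits per channel use, of a binary symmetric channel."""
    if p <= 0.0 or p >= 1.0:
        return 1.0
    return 1.0 + p * math.log2(p) + (1 - p) * math.log2(1 - p)

def majority_error(p, n):
    """Residual bit error when each bit is sent n times (n odd) and majority-voted."""
    need = n // 2 + 1
    return sum(math.comb(n, k) * p**k * (1 - p)**(n - k) for k in range(need, n + 1))

def min_repeats(p, secret_bits, target=0.99, max_n=99):
    """Smallest odd repeat count that delivers the whole secret intact with prob >= target."""
    for n in range(1, max_n + 1, 2):
        if (1 - majority_error(p, n)) ** secret_bits >= target:
            return n
    return None

def exposure_seconds(raw_bps, p, secret_bits, target=0.99):
    """Return (theoretical floor, repeat-and-vote time) the sender must stay on air."""
    cap = bsc_capacity(p)
    floor = secret_bits / (raw_bps * cap) if cap > 0 else math.inf
    n = min_repeats(p, secret_bits, target)
    return floor, (secret_bits * n / raw_bps if n else math.inf)

def outlives_leak(raw_bps, p, secret_bits, lifetime_s):
    """True when the secret stays valid longer than even the best-case leak takes."""
    return exposure_seconds(raw_bps, p, secret_bits)[0] <= lifetime_s

if __name__ == "__main__":
    # Assumed values: 3 bit/s raw, 10% bit errors, 256-bit secret.
    floor, voted = exposure_seconds(3, 0.10, 256)
    print(f"best case {floor:.0f} s, repeat-and-vote {voted:.0f} s")
    print("hourly rotation still exposed:", outlives_leak(3, 0.10, 256, 3600))
    print("60 s rotation still exposed:", outlives_leak(3, 0.10, 256, 60))
```

A secret is only "short-lived" for this purpose when its lifetime is below the best-case figure; anything longer just sets how many minutes of undisturbed signalling your monitoring has to catch.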
Defensive Principles that Actually Help
Defending an air gap is about physics, hygiene, and humility. You are not chasing perfection. You are making the room unfriendly to controllable side effects and unfriendly to unnoticed receivers. Do the obvious things, then do the quiet things, then keep doing both. People roll their eyes at this advice until it works, and then they claim it was obvious. That is fine. Quiet victories rarely get a parade.
Distance, Shielding, and Layout
Place sensitive systems away from exterior walls and windows. Keep them off shared desks. Arrange power so that key equipment does not share outlets with untrusted gear. Position monitors and LEDs so that cameras have a bad angle. When a room feels like a box inside a box, you are getting close.
Hardware Hardening and Device Hygiene
Disable speakers in firmware where possible. Set fan curves that are less controllable. Choose devices with fewer ornamental lights. Prefer power supplies with clean regulation. Inventory adapters and dongles, then buy fewer of them. Lock unused ports and require signed firmware updates.
Monitoring for Side Effects
Add small sensors that watch temperature, power quality, light levels, and unexpected audio. Baseline them, then alert on deviations that look encodable. Pair that with asset tracking that notices strange radios and unfamiliar Bluetooth names. Log the boring details, such as when a screen that should be off suddenly glows at midnight.
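One way to decide whether a deviation "looks encodable", shown as an added example that is not from the original article: baseline a quiet window, then alert only when excursions toggle repeatedly and their durations fall on a common symbol clock. The sensor (a light meter read at 10 Hz), the thresholds, and all sample data are assumptions constructed for illustration.

```python
from statistics import median

def baseline(quiet):
    """Median and MAD (median absolute deviation) of a known-quiet window."""
    m = median(quiet)
    return m, (median(abs(x - m) for x in quiet) or 1e-9)

def runs_outside_band(samples, m, mad, k=6.0):
    """Run-length encode 'outside the baseline band' versus 'inside' per sample."""
    runs = []
    for x in samples:
        state = abs(x - m) > k * mad
        if runs and runs[-1][0] == state:
            runs[-1][1] += 1
        else:
            runs.append([state, 1])
    return [n for _, n in runs]

def looks_encodable(samples, m, mad, min_runs=8, min_symbol=2, tol=0.25):
    """True when excursions toggle often and their lengths sit on a common clock."""
    runs = runs_outside_band(samples, m, mad)[1:-1]   # edge runs are truncated
    if len(runs) < min_runs:
        return False                                  # one step is an event, not a message
    unit = min(runs)
    if unit < min_symbol:                             # single-sample glitches have no clock
        return False
    off_grid = sum(abs(n / unit - round(n / unit)) > tol for n in runs)
    return off_grid / len(runs) <= 0.1

# Constructed samples: about 100 lux at rest, deterministic noise in -2..2.
def jitter(i):
    return (i * 7) % 5 - 2

QUIET = [100 + jitter(i) for i in range(200)]
STEP = [100 + jitter(i) + (60 if i >= 50 else 0) for i in range(200)]  # door opens once
BITS = "1011001110100101"                     # arbitrary pattern, 5 samples per symbol
BLINK = [100 + jitter(i) + (20 if BITS[i // 5] == "1" else 0)
         for i in range(len(BITS) * 5)]

def classify(window):
    m, mad = baseline(QUIET)
    return "alert" if looks_encodable(window, m, mad) else "ok"

if __name__ == "__main__":
    for name, w in (("quiet", QUIET), ("step", STEP), ("blink", BLINK)):
        print(name, classify(w))
```

The single step change stays quiet because one transition carries no clock, while the small 20 lux flicker alerts because its run lengths are all multiples of one symbol period.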
Procedural Friction and Failsafes
Rotate staff who touch the gap so that no single person becomes a universal courier. Scan removable media on a staging machine that never meets production. Bag phones before entry and provide lockers so the rule is not a hassle. Use data diodes for transfers that truly must be one way. Favor pull flows that expire over push flows that linger. Keep kill switches simple, such as lights that cut to black when a door opens, and test them in drills.
Conclusion
Air gaps still matter. They buy time, reduce pathways, and make sloppy mistakes less disastrous. They also invite complacency if you treat isolation like a spell. Covert channels are not magic tricks. They are physics, patience, and a little creativity nudging signals through the cracks. The fix is not a silver device or a single policy. It is a stack of small choices that make the room inconvenient for signals and inconvenient for spies.
Favor distance. Simplify hardware. Watch for side effects. Add gentle friction so risky actions feel inconvenient, then practice responses until they are boring. If your story ends with nothing escaping and no one noticing anything unusual, congratulations. In this line of work, quiet is the headline you were hoping for.