Ghost Tunnel: Covert Data Exfiltration Channel to Circumvent Air Gapping


In recent years, attacking air gapped networks through HID devices is becoming popular. The HID attack uses the USB interface to forge the user’s keystrokes or mouse movement to modify the system settings and run malware.

In 2009, NSA’s Office of Tailored Access Operations (TAO) developed the COTTON-MOUTH – a USB hardware implant which provides a wireless bridge into a target network as well as the ability to load exploit software onto a target machine. Unlike COTTON-MOUTH, Ghost Tunnel attacks the target through the HID device only to release the payload, and it can be removed after the payload is released.


  • Covertness
  • HID attack device is only required to release the payload and it can be removed after that.
  • No interference with the target’s existing connection status and communications.
  • Can bypass firewalls.
  • Can be used to attack strictly isolated networks
  • Communication channel does not depend on the target’s existing network connection.
  • Cross-Platform Support
  • Can be used to attack any device with wireless communication module, we tested this attack on Window 7 up to Windows 10, and OSX.

Location: Track 1 Date: April 12, 2018 Time: 2:00 pm - 3:00 pm Jun Li Kunzhe Chai Hongjian Cao