Instead of waiting for the malware to initiate a scan, attackers could also wait until a person in the office scans a document with the lid open and then run their attack. In that case, the lines would appear on the sides of the scanned document because of the scanner's larger surface that leave an uncovered border.
The researchers also found a way for the malware to send data back to the attackers by using the light produced by the scanner itself. Since the malware can initiate and cancel scanning operations, attackers can derive information from the amount of time the scanner's light is on and reflects off the opened lid.
This is not as efficient as receiving commands, but can be used to exfiltrate a few bits of data at a time. The operation can be repeated to eventually exfiltrate critical information, like encryption keys, Shamir said.
Detecting the light generated by the scanner from far away would require very sensitive equipment and if the computer is located in an office on a higher floor, the attacker would have a hard time getting good visibility. This can be solved by using a quadcopter drone to get closer and observing the scanner from a better angle, Shamir said.
The technique is similar to the so-called side-channel attacks that can be used to derive cryptographic keys by analyzing a computer system's power consumption, electromagnetic leaks or even sound during a cryptographic operation.
There are other examples of air-gapped systems being infected. The Stuxnet cybersabotage worm which is believed to have been developed by the U.S. and Israeli intelligence services, was introduced on air-gapped computers at Iran's nuclear facility in Natanz through USB drives, possibly by insiders.
Sign up for CIO Asia eNewsletters.