Mar 23, 2015 · 2 minutes

There's no such thing as total security. You can download all the fancy operating systems you want, or make sure a device is never connected to the Internet, and still run the risk of someone hacking your shit.

That's the takeaway from new reports about how researchers are recreating capabilities previously limited to the National Security Agency and finding their way around tools thought to be the best in class for securing devices.

Some researchers have focused on showing that Tails, the operating system used by NSA whistleblower Edward Snowden and the people to whom he sent the files detailing mass surveillance programs, isn't as secure as it claims.

As Forbes says in its recent report on the researchers' work:

'Tails isn’t keeping you safe from our agent,' [Corey Kallenberg] added. 'We have exploits that can get past any BIOS protection that’s there so that’s not a problem either.'

He claimed that even other Tails protections, such as the memory wiper and offline mode, would not save it from the malware he and [Xeno Kovah] created. 'We can just write the secrets you scrape to non-volatile storage and just wait until we have access to the internet to exfiltrate that data to the attacker.

'If an attacker has remote software access to your system, Tails can’t keep you safe if someone really sophisticated is coming after you.' Okay, so it looks like you can't trust software to keep you safe. But what about making sure a device has never been connected to the Internet, or had hardware relations (yuck) with other devices which have? Surely that must make a device impregnable!

Nope. Wired reports that researchers have found a way to steal information from an air-gapped device using its heat management system:

[S]ecurity researchers at Ben Gurion University in Israel have found a way to retrieve data from an air-gapped computer using only heat emissions and a computer’s built-in thermal sensors. The method would allow attackers to surreptitiously siphon passwords or security keys from a protected system and transmit the data to an internet-connected system that’s in close proximity and that the attackers control. They could also use the internet-connected system to send malicious commands to the air-gapped system using the same heat and sensor technique.
Setting up this exploit takes some work, as it requires an air-gapped computer to be in close proximity with an Internet-connected device, and for both of them to be infected with malware. But it can be done, and Wired notes that the rise of the Internet of Things could make it easier to exploit the vulnerability.

The bottom line from these latest reports? Security is a myth.