A One-Way Ticket to Computer Security
Nelop Systems built a Raspberry Pi data diode using an optoisolator to safely send limited, one-way system data from air-gapped networks.
The most secure computer systems in the world sit on air-gapped networks that have no connection to the internet or to any other external network. That leaves a remote attacker with no network path to the machines they want to compromise. Exotic side-channel and covert-channel attacks against air-gapped hosts have been demonstrated, but they are hard to carry out, typically require malware already running inside the gap, and are extremely unlikely to succeed in most cases.
But what can be done when limited remote access to these machines needs to be granted? The team at Nelop Systems recently had a request from a client to allow one of their air-gapped systems to have a one-way communications channel that could transmit syslog messages and performance data. They came up with an interesting Raspberry Pi-powered solution that works something like a diode for data, allowing read-only, one-way access to specific data.
Air-gapped networks are common in industries where security cannot be compromised, such as finance, healthcare, and critical infrastructure. These networks operate entirely offline, which is great for security but problematic when administrators need data for monitoring performance or checking security logs. Extracting that information without exposing the network is a delicate balance, and the challenge for Nelop Systems was to maintain the airtight separation while still allowing insight into system health.
Their solution was a bespoke data diode built from a pair of Raspberry Pi boards linked through an optoisolator, a component that carries a signal across an electrically isolated gap as light: an LED on one side, a photodetector on the other. Because only one side can emit and only the other can detect, the one-way property is enforced by the physics of the part rather than by software or configuration, and there is no return path that could carry malware or commands back into the protected network. One Pi sits inside the protected network as the sender; the second lives outside as the receiver. Together they form a controlled bridge that lets out nothing but what the sender is configured to transmit. Two caveats still apply: the sender remains a trusted component whose output must be limited to the intended log and performance data, and the receiver should treat whatever arrives as untrusted input when parsing it, since a diode blocks inbound traffic but does not vouch for the bytes it forwards.
The engineers developed custom scripts focused on stability over speed, prioritizing reliability so no log entry is lost. That matters more than usual here: with no return channel there are no acknowledgements or retransmission requests, so the receiver can only detect loss, never recover from it, and any resilience has to be built in on the sending side (a conservative data rate, framing, sequence numbers, checksums). While bandwidth is modest, the diode isn't meant to transfer bulk data; its job is to safely drip out operational intelligence. Early prototypes experimented with other conventional serial connections, but a plain UART link ultimately proved the cleaner, more dependable approach. It suits a diode well: a UART needs only one signal line in the transmit direction, so only the sender's TX output has to pass through the optoisolator and nothing need be wired the other way.
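The sender-side framing that a one-way link needs, as an added example (this is not Nelop Systems' code, and the wire format, delimiter bytes and payload cap are assumptions): each frame carries a sequence number and a CRC-32, the receiver resynchronises on a delimiter byte, discards corrupt frames and records sequence gaps, so loss is at least visible even though it cannot be repaired. The syslog lines are constructed sample data, and the UART is simulated by concatenating frames and feeding them back in small chunks.

```python
# Added example (not Nelop Systems' code): framing for a one-way UART data diode.
# No return path means no ACKs, so the sender numbers and checksums every frame;
# the receiver resyncs on SOF, drops corrupt frames and records gaps.
# Wire format, SOF/ESC values and MAX_PAYLOAD are assumptions for illustration.
import struct
import zlib
from typing import List, Optional, Tuple

SOF = 0x7E           # frame delimiter (assumed, HDLC-style)
ESC = 0x7D           # escape byte for SOF/ESC occurring inside a frame body
XOR = 0x20
MAX_PAYLOAD = 1024   # hypothetical cap so a corrupt length field cannot exhaust memory

SAMPLE_LINES = [     # constructed syslog lines, not real data
    "<13>Jan  1 12:00:01 plc01 sshd[812]: Accepted publickey for ops from 10.0.5.2",
    "<13>Jan  1 12:00:02 plc01 collectd[91]: load 0.31 0.27 0.20",
    "<13>Jan  1 12:00:03 plc01 kernel: eth0: link down",
]


def _stuff(data: bytes) -> bytes:
    """Escape SOF/ESC so the delimiter never appears inside a frame body."""
    out = bytearray()
    for b in data:
        out += bytes((ESC, b ^ XOR)) if b in (SOF, ESC) else bytes((b,))
    return bytes(out)


def _unstuff(data: bytes) -> Optional[bytes]:
    out, it = bytearray(), iter(data)
    for b in it:
        if b == ESC:
            nxt = next(it, None)
            if nxt is None:
                return None          # truncated escape sequence
            out.append(nxt ^ XOR)
        else:
            out.append(b)
    return bytes(out)


def encode_frame(seq: int, payload: bytes) -> bytes:
    """SOF | stuff(seq:u32 | len:u16 | payload | crc32) | SOF"""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for one frame")
    body = struct.pack(">IH", seq & 0xFFFFFFFF, len(payload)) + payload
    body += struct.pack(">I", zlib.crc32(body))
    return bytes([SOF]) + _stuff(body) + bytes([SOF])


class Sender:
    """Inside-network Pi: produces frames that would be written to the UART TX pin."""
    def __init__(self) -> None:
        self.seq = 0

    def send(self, line: str) -> bytes:
        frame = encode_frame(self.seq, line.encode("utf-8"))
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        return frame


class Receiver:
    """Outside-network Pi: fed raw bytes from the UART RX pin in arbitrary chunks."""
    def __init__(self) -> None:
        self.buf = bytearray()
        self.expected: Optional[int] = None
        self.gaps: List[Tuple[int, int]] = []   # (seq expected, seq actually seen)
        self.bad = 0                            # frames dropped for CRC/length errors

    def feed(self, chunk: bytes) -> List[Tuple[int, bytes]]:
        self.buf += chunk
        frames: List[Tuple[int, bytes]] = []
        while True:
            start = self.buf.find(SOF)
            if start < 0:
                self.buf.clear()                 # no delimiter at all: nothing usable
                break
            end = self.buf.find(SOF, start + 1)
            if end < 0:
                del self.buf[:start]             # partial frame, wait for more bytes
                if len(self.buf) > 2 * MAX_PAYLOAD + 32:
                    self.buf.clear()             # never closed: resync on next SOF
                break
            raw = bytes(self.buf[start + 1:end])
            del self.buf[:end]                   # keep closing SOF; it may open the next frame
            if raw:                              # empty span = back-to-back delimiters
                parsed = self._check(raw)
                if parsed is not None:
                    frames.append(parsed)
        return frames

    def _check(self, raw: bytes) -> Optional[Tuple[int, bytes]]:
        body = _unstuff(raw)
        if body is None or len(body) < 10:
            self.bad += 1
            return None
        seq, length = struct.unpack(">IH", body[:6])
        payload, crc = body[6:-4], struct.unpack(">I", body[-4:])[0]
        if len(payload) != length or zlib.crc32(body[:-4]) != crc:
            self.bad += 1
            return None
        if self.expected is not None and seq != self.expected:
            self.gaps.append((self.expected, seq))
        self.expected = (seq + 1) & 0xFFFFFFFF
        return seq, payload                      # payload is still untrusted bytes


def run_link(lines: List[str], corrupt: Optional[int] = None):
    """Simulate the diode: frame each line, optionally flip the first payload byte of
    frame `corrupt` (as line noise would), and feed the stream to a receiver in
    5-byte chunks. Returns (accepted (seq, payload) list, receiver)."""
    tx, rx = Sender(), Receiver()
    frames = [bytearray(tx.send(line)) for line in lines]
    if corrupt is not None:
        frames[corrupt][7] ^= 0x01               # byte after SOF + seq(4) + len(2)
    stream = b"".join(bytes(f) for f in frames)
    got: List[Tuple[int, bytes]] = []
    for i in range(0, len(stream), 5):
        got += rx.feed(stream[i:i + 5])
    return got, rx


if __name__ == "__main__":
    accepted, receiver = run_link(SAMPLE_LINES, corrupt=1)
    for seq, payload in accepted:
        print(seq, payload.decode("utf-8", errors="replace"))
    print("dropped:", receiver.bad, "gaps:", receiver.gaps)
```

On a real Pi the sender would write each frame to the serial device and the receiver would read from its RX pin; the framing is what makes a corrupted or dropped frame show up as a counted gap in monitoring instead of silently vanishing, which is the only form of "reliability" available when the return path has been physically removed.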
The result is a simple yet useful system that preserves the integrity of an air-gapped network while still supplying valuable telemetry to monitoring teams. It’s a clever example of applying practical engineering to a high-stakes problem.