If you're already using a data transfer mechanism that the human can't verify every character going over the line, why use infrared? What does that give over a USB cable or, gasp, an internet connection?


The idea is in the name. It is a "data diode". It lets data through in one direction and the data can't go in the other. Verifiably because it doesn't have the hardware for data to go the other direction.

I don't think this property can be guaranteed for the alternatives you proposed.


But surely malware is just "data", no? Or am I missing something.


The idea is that the malware could have infiltrated the system (probably) but couldn't have exfiltrated data from it.

So a data diode wouldn't stop a "stuxnet" scenario where the malware is trying to sabotage the air-gapped system. But it would prevent secret information being leaked out.

(Btw. I'm just explaining what a data diode is, and what guarantees it provides. I don't actually think that it would be useful in practice, because it feels to be too cumbersome to use it and therefore the users/IT would poke holes into the security it would provide otherwise.)


Interesting, thank you.


There is a cheap way to test via the open source data diode workshop: https://www.github.com/vrolijk/osdd

Love to read your findings!


Why light instead of electricity: tradition, and a bit of quality assurance. For RS232, cutting one line was fine. But modern devices are complex: Ethernet transceivers support auto-MDIX and your RX line might become TX one with a flip of a bit, or your GPIO becomes input instead of output. You can fix it with a buffer, but optocouplers are cheap and look nice in slides.

Why not USB or internet:

The transmitter is totally safe from a compromised receiver. If you insert a USB stick to upload a file, it could maliciously pretend to be a keyboard. If you connect to the Internet to upload a file, your network stack can be exploited (and if you have a firewall, then the firewall must be exploited first, not impossible). Only a data diode lets you push the data to the unsecure zone and not worry about getting infected in the process.

If the receiver has to be secure, things are not as clear-cut, but there are still advantages from the great reduction in complexity. None of the existing protocols work, so vendors usually implement something minimally simple to allow file transfer and maybe mailbox-like messages. This system will always have some risks present - even if you securely sent a PDF to the airgapped site, it might still exploit the PDF viewer. But at least the malware won't be able to report status to C&C and exfiltrate the data.
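The "minimally simple" one-way file transfer the comment above describes has one defining constraint: the receiver can never acknowledge, so the sender cannot retransmit on demand and the receiver must detect loss and corruption on its own. The following is an added example (not code from this thread, nor from the osdd project linked earlier) of such a framing scheme: each chunk carries a sequence number, the total chunk count and a CRC32, the sender blindly repeats the whole file for a configurable number of passes, and the receiver reports which sequence numbers are still missing. The `MAGIC`, header layout, chunk size and the `run_transfer` simulator (which drops and corrupts frames to stand in for a flaky optical link) are all assumptions made for the demonstration.

```python
import struct
import zlib

MAGIC = b"DD1"                       # assumed frame marker for this example
HEADER = struct.Struct("!3sIIH")     # magic, seq, total chunks, payload length
CHUNK = 64                           # assumed payload size per frame


def make_frames(data: bytes) -> list[bytes]:
    """Split data into self-describing frames: header + payload + CRC32."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        body = HEADER.pack(MAGIC, seq, len(chunks), len(chunk)) + chunk
        frames.append(body + struct.pack("!I", zlib.crc32(body)))
    return frames


def parse_frame(frame: bytes):
    """Return (seq, total, payload), or None if the frame is damaged."""
    if len(frame) < HEADER.size + 4:
        return None
    body, crc = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) != crc:          # bit errors on the link: discard, no NAK possible
        return None
    magic, seq, total, length = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    if magic != MAGIC or len(payload) != length or seq >= total:
        return None
    return seq, total, payload


class Receiver:
    """Reassembles a file from frames; keeps counts the secure side can log."""

    def __init__(self):
        self.total = None
        self.parts = {}
        self.rejected = 0

    def feed(self, frame: bytes) -> None:
        parsed = parse_frame(frame)
        if parsed is None:
            self.rejected += 1
            return
        seq, total, payload = parsed
        if self.total is None:
            self.total = total
        if total != self.total:              # frame from a different transfer
            self.rejected += 1
            return
        self.parts.setdefault(seq, payload)  # repeats are harmless duplicates

    def missing(self) -> list[int]:
        if self.total is None:
            return []
        return [s for s in range(self.total) if s not in self.parts]

    def assemble(self):
        if self.total is None or self.missing():
            return None
        return b"".join(self.parts[s] for s in range(self.total))


def run_transfer(data: bytes, passes: int, drop=(), corrupt=()) -> Receiver:
    """Simulate a one-way link: frames in `drop`/`corrupt` are damaged on pass 0 only.

    No frame ever travels back; the only remedy for loss is the next pass.
    """
    frames = make_frames(data)
    rx = Receiver()
    for pass_no in range(passes):
        for seq, frame in enumerate(frames):
            if pass_no == 0 and seq in drop:
                continue
            if pass_no == 0 and seq in corrupt:
                damaged = bytearray(frame)
                damaged[HEADER.size] ^= 0xFF     # flip a payload byte; CRC will fail
                frame = bytes(damaged)
            rx.feed(frame)
    return rx


if __name__ == "__main__":
    sample = bytes(range(256)) * 2            # constructed 512-byte "file"
    once = run_transfer(sample, passes=1, drop={3}, corrupt={5})
    print("after one pass, missing:", once.missing(), "rejected:", once.rejected)
    twice = run_transfer(sample, passes=2, drop={3}, corrupt={5})
    print("after two passes, complete:", twice.assemble() == sample)
```

The design choice worth noting is that repetition replaces retransmission: the sender cannot know what arrived, so the number of passes (or, in real products, forward error correction) is the only knob for reliability, and the receiver's `missing()` and `rejected` counters are what an operator checks instead of an ACK.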


So with this data diode I can install an application to use the PC speaker as an output device, and then record the sound for exfil? Nice.


Exfil ideas are always interesting to think about! The PC speaker idea may work, assuming:

(1) protected computer has a built-in PC speaker (for example, the computer I am typing this message on does not)

(2) There is an insecure PC with sound card and a microphone (or at least headphones which can be used as microphone)

(3) Secure and insecure PCs are close to each other, as opposed to being in different rooms

(4) It's quiet enough, and no one will notice the sounds (because PC speakers are crappy and can't do infra/ultra sound)

Likelihood of this succeeding depends on a lot of factors, the biggest of them being "how good is the security team". Presumably if they are buying data diodes, they at least have some knowledge?

Other exfil ideas I've read were to emit sounds using the HDD, emit sounds by changing fan speed, blink coded messages on lights ("sleep mode" or caps/num lock), show special patterns on monitors to transmit RF, add hidden dots to printed pages, abuse wireless keyboards or mice... There are many ideas and most of them are pretty impractical outside of very limited circumstances.

