One way to protect computer networks from malicious attack is to disconnect them from the internet. This approach, known as air-gapping, creates a physical barrier between the network and the nasty world of malicious attackers beyond.
But air-gapped computers are not perfectly secure. Hackers have developed various ways of infecting them using portable devices such as USB drives. The famous 2010 Stuxnet attack used this method of infection to inject malware capable of disabling centrifuge equipment in the Iranian nuclear program.
But getting malware in is just one part of the challenge. Another is to find a way to get information out of an air-gapped network. Cybersecurity researchers have studied various techniques, such as using the lights on a computer keyboard or the noise from fans to transmit data.
Airgap Attack
Now Mordechai Guri, a cybersecurity researcher at Ben-Gurion University in Israel, has found another way: using the SATA cables inside a computer as wireless aerials to broadcast information via radio waves.
A SATA cable connects a motherboard data bus to a mass storage device such as a solid-state drive, optical drive or hard disc drive. The cables are a few centimeters long and most operate at a data rate of 6 Gb/sec.
Guri’s idea is to modulate the transmission of information along the cable in a way that generates radio signals that can be picked up nearby by equipment monitoring 6 GHz radio frequencies. “The SATA interface is highly available to attackers in many computers, devices, and networking environments,” he says.
To test the idea, Guri wrote code capable of creating these signals and uploaded it to an air-gapped desktop PC. This code caused the computer’s SATA cable to broadcast data at a rate of about 1 bit/sec.
He then used a laptop placed about a meter away to monitor transmissions in the 6 GHz band, decoding the word “SECRET” from the illicit broadcasts. “We show that attackers can exploit the SATA cable as an antenna to transfer radio signals in the 6 GHz frequency band,” says Guri.
Guri also showed that the attack can be carried out from within a guest virtual machine, making it much more capable.
Preventive Countermeasures
He goes on to outline various countermeasures to prevent this kind of attack. “Preventing the initial penetration is the first step that should be taken as a preventive countermeasure,” he says.
Ensuring there are no devices nearby capable of recording signals is also a sensible measure that is currently used in NATO and US secure facilities.
It should also be possible to create code that monitors any unusual activity related to the SATA cables. Another option is to monitor the 6 GHz band, looking for unexpected broadcasts, or even to jam those frequencies.
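One way the SATA-activity monitoring mentioned above could look, as an added example that is not from Guri's paper or the original article. It assumes the covert transmitter shows up as bursts of disk I/O alternating with idle periods on a fixed bit grid (about 1 bit/sec, per the test described earlier); all function names, thresholds and sample traces are constructed for illustration.

```python
from itertools import groupby

BUSY, IDLE = 900, 5  # constructed I/O operations per sampling interval

def runs(samples, busy_threshold=100):
    """Collapse per-interval I/O counts into lengths of busy/idle runs."""
    states = (s >= busy_threshold for s in samples)
    return [len(list(group)) for _, group in groupby(states)]

def keyed_score(samples, samples_per_bit, busy_threshold=100, tolerance=0.2):
    """Fraction of interior runs that last a whole number of bit periods."""
    interior = runs(samples, busy_threshold)[1:-1]  # edge runs are cut by the window
    if not interior:
        return 0.0
    aligned = 0
    for length in interior:
        bits = length / samples_per_bit
        if round(bits) >= 1 and abs(bits - round(bits)) <= tolerance:
            aligned += 1
    return aligned / len(interior)

def is_suspicious(samples, samples_per_bit, min_runs=8, min_score=0.9):
    """Flag windows with many busy/idle transitions that all sit on the bit grid."""
    interior = runs(samples)[1:-1]
    return (len(interior) >= min_runs
            and keyed_score(samples, samples_per_bit) >= min_score)

def trace_from_runs(lengths):
    """Build a constructed trace of alternating busy/idle runs."""
    out = []
    for i, n in enumerate(lengths):
        out += [BUSY if i % 2 == 0 else IDLE] * n
    return out

# Constructed samples at 10 readings/sec, so 1 bit/sec means 10 samples per bit.
# KEYED: activity switches only on 1-second boundaries (on-off keyed pattern).
KEYED = trace_from_runs([10, 10, 20, 20, 30, 10, 10, 20, 10, 10, 20])
# BENIGN: irregular bursts, as an ordinary workload would produce.
BENIGN = trace_from_runs([3, 17, 4, 26, 7, 2, 13, 5, 31, 6, 14, 3])

if __name__ == "__main__":
    for name, trace in (("keyed", KEYED), ("benign", BENIGN)):
        print(name, keyed_score(trace, 10), is_suspicious(trace, 10))
```

In practice the samples would come from the operating system's per-device I/O counters, and the bit period would be swept over a range rather than fixed, since the defender does not know the transmitter's rate in advance.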
Guri does not mention any evidence that attacks like this have been used in the real world (although that doesn’t guarantee they haven’t). However, cybersecurity researchers often publish new exploits like this so that countermeasures can be quickly adopted in facilities that might be vulnerable (even though publication also reveals how to conduct the exploit in the first place).
Ref: SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables: arxiv.org/abs/2207.07413