[LINK] Academics turn RAM into Wi-Fi cards to steal data from stand-alone IT systems
StephenLoosley at outlook.com
Wed Dec 16 21:11:06 AEDT 2020
Academics turn RAM into Wi-Fi cards to steal data from air-gapped systems
AIR-FI technique can send stolen data at speeds of up to 100 b/s to Wi-Fi receivers at a distance of a few meters.
By Catalin Cimpanu for Zero Day | December 15, 2020 -- 13:35 GMT (00:35 AEDT) | Topic: Security
Academics from an Israeli university have published new research today detailing a technique to convert a RAM card into an impromptu wireless emitter and transmit sensitive data from inside a non-networked and air-gapped computer that has no Wi-Fi card.
Named AIR-FI, the technique is the work of Mordechai Guri, the head of R&D at the Ben-Gurion University of the Negev, in Israel.
Over the last half-decade, Guri has led tens of research projects that investigated stealing data through unconventional methods from air-gapped (non-internet-connected) systems.
These types of techniques are what security researchers call "covert data exfiltration channels." They are not techniques to break into computers, but techniques that can be used to steal data in ways defenders aren't expecting.
Such data exfiltration channels are not a danger for normal users, but they are a constant threat for the administrators of air-gapped networks.
Air-gapped systems are computers isolated on local networks with no external internet access. Air-gapped systems are often used on government, military, or corporate networks to store sensitive data, such as classified files or intellectual property.
While AIR-FI would be considered a "stunt hack" in the threat model of normal users, it is, however, the type of attack that forces many companies to reconsider the architecture of their air-gapped systems that store high-value assets.
HOW AIR-FI WORKS
At the core of the AIR-FI technique is the fact that any electronic component generates electromagnetic waves as electric current passes through.
Since Wi-Fi signals are radio waves and radio is basically electromagnetic waves, Guri argues that malicious code planted on an air-gapped system by attackers could manipulate the electrical current inside the RAM card in order to generate electromagnetic waves with the frequency consistent with the normal Wi-Fi signal spectrum (2,400 GHz).
In his research paper, titled "AIR-FI: Generating Covert WiFi Signals from Air-Gapped Computers," Guri shows that perfectly timed read-write operations to a computer's RAM card can make the card's memory bus emit electromagnetic waves consistent with a weak Wi-Fi signal.
This signal can then be picked up by anything with a Wi-Fi antenna in the proximity of an air-gapped system, such as smartphones, laptops, IoT devices, smartwatches, and more.
Guri says he tested the technique with different air-gapped computer rigs where the Wi-Fi card was removed and was able to leak data at speeds of up to 100 b/s to devices up to several meters away.
Guri, who has investigated tens of other covert data exfiltration channels in the past, said the AIR-FI attack is one of the easiest to pull off as the attacker doesn't need to obtain root/admin privileges before running an exploit.
"[AIR-FI] can be initiated from an ordinary user-space process," Guri said.
This allows the attack to work across any OS and even from inside virtual machines (VMs).
Furthermore, while most modern RAM cards will be able to emit signals in the 2,400 GHz range, Guri says that older RAM cards can be overclocked to reach the desired output.
In his research paper, shared with ZDNet, Guri suggested various countermeasures that companies can take to protect air-gapped systems, such as the deployment of signal jamming to prevent the transmission of any Wi-Fi signals in an air-gapped network's physical area.
AIR-FI now joins a long list of covert data exfiltration channels discovered by Guri and his team:
(See zdnet article for web links for each hack method mentioned below)
LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED
USBee - force a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data
AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
BitWhisper - exfiltrate data from non-networked computers using heat emanations
Unnamed attack - uses flatbed scanners to relay commands to malware infested PCs or to exfiltrate data from compromised systems
GSMem - steal data from air-gapped systems using GSM cellular frequencies
xLED - use router or switch LEDs to exfiltrate data
aIR-Jumper - use a security camera's infrared capabilities to steal data from air-gapped networks
HVACKer - use HVAC systems to control malware on air-gapped systems
MAGNETO & ODINI - steal data from Faraday cage-protected systems
MOSQUITO - steal data from PCs using attached speakers and headphones
PowerHammer - steal data from air-gapped systems using power lines
CTRL-ALT-LED - steal data from air-gapped systems using keyboard LEDs
BRIGHTNESS - steal data from air-gapped systems using screen brightness variations
AiR-ViBeR - steal data using a computer's fan vibrations
POWER-SUPPLaY - steal data by turning the power supply into a speaker
More information about the Link