A security researcher has demonstrated that sensitive data might be exfiltrated from air-gapped computers via a completely unique technique that leverages Wi-Fi signals as a covert channel—surprisingly, without requiring the presence of Wi-Fi hardware on the targeted systems.
Dubbed “AIR-FI,” the attack hinges on deploying a specially designed malware during a compromised system that exploits “DDR SDRAM buses to get electromagnetic emissions within the 2.4 GHz Wi-Fi bands” and transmitting information atop these frequencies which will then be intercepted and decoded by nearby Wi-Fi capable devices like smartphones, laptops, and IoT devices before sending the info to remote servers controlled by an attacker.
The findings were published today during a paper titled “AIR-FI: Generating Covert Wi-Fi Signals from Air-Gapped Computers” by Dr. Mordechai Guri, the top of R&D at Ben-Gurion University of the Negev’s Cyber-Security research facility , Israel.
“The AIR-FI attack […] doesn’t require Wi-Fi related hardware within the air-gapped computers,” Dr. Guri outlined.
“Instead, an attacker can exploit the DDR SDRAM buses to get electromagnetic emissions within the 2.4 GHz Wi-Fi bands and encode binary data on top of it.”
Dr. Guri, earlier this might , also demonstrated POWER-SUPPLaY, a separate mechanism that permits the malware to take advantage of a computer’s power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker to leak data.
Air-gapped computers — machines with no network interfaces — are considered a necessity in environments where sensitive data is involved in an effort to scale back the danger of knowledge leakage.
Thus so as to hold out attacks against such systems, it’s often essential that the transmitting and receiving machines be located in close physical proximity to at least one another which they’re infected with the acceptable malware to determine the communication link.
But AIR-FI is exclusive therein the tactic neither relies on a Wi-Fi transmitter to get signals nor requires kernel drivers, special privileges like root, or access to hardware resources to transmit the info .
What’s more, the covert channel works even from within an isolated virtual machine and has an endless list of Wi-Fi enabled devices which will be hacked by an attacker to act as a possible receiver.
The kill chain in itself consists of an air-gapped computer onto which the malware is deployed via social engineering lures, self-propagating worms like Agent.BTZ, tampered
USB flash drives, or maybe with the assistance of malicious insiders.
It also requires infecting Wi-Fi capable devices co-located within the air-gapped network by compromising the firmware of the Wi-Fi chips to put in malware capable of detecting and decoding the AIR-FI transmission and exfiltrating the info over the web .
With this setup in situ , the malware on the target system collects the relevant data (e.g., confidential documents, credentials, encryption keys), which is then encoded and transmitted within the Wi-Fi band at 2.4 GHz frequency using the electromagnetic emissions generated from the DDR SDRAM buses wont to exchange data between the CPU and therefore the memory, thus defeating air-gap isolation.
To generate the Wi-Fi signals, the attack makes use of the info bus (or memory bus) to emit electromagnetic wave at a frequency correlated to the DDR memory module and therefore the memory read/write operations executed by processes currently running within the system.
AIR-FI was evaluated using four sorts of workstations with different RAM and hardware configurations also as a software-defined radio (SDR) and a USB Wi-Fi network adapter that functioned because the receiver, finding that the covert channel are often effectively maintained at distances up to many meters from air-gapped computers and achieving bit rates starting from 1 to 100 bit/sec, counting on the sort and mode of receiver used.
If anything, the new research is yet one more reminder that electromagnetic, acoustic, thermal, and optical components still be lucrative vectors to mount sophisticated exfiltration attacks against air-gapped facilities.
As a countermeasure, Dr. Guri proposes zone protections to safeguard against electromagnetic attacks, enabling intrusion detection systems to watch and inspect for processes that perform intensive memory transfer operations, jamming the signals, and using Faraday shields to dam the covert channel.
The AIR-FI malware shows “how attackers can exfiltrate data from air-gapped computers to a close-by Wi-Fi receiver via Wi-Fi signals,” he added.
“Modern IT environments are equipped with many sorts of Wi-Fi capable devices: smartphones, laptops, IoT devices, sensors, embedded systems, and smart watches, and other wearables devices. The attacker can potentially hack such equipment to receive the AIR-FI transmissions from air-gapped computers.”
