Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

RAM-Generated Wi-Fi Signals Allow Data Exfiltration From Air-Gapped Systems

Covert Wi-Fi signals generated by DDR SDRAM hardware can be leveraged to exfiltrate data from air-gapped computers, a researcher claims.

Covert Wi-Fi signals generated by DDR SDRAM hardware can be leveraged to exfiltrate data from air-gapped computers, a researcher claims.

In a newly published paper, Mordechai Guri from the Ben-Gurion University of the Negev in Israel details AIR-FI, a new data exfiltration technique in which malware installed on a compromised air-gapped system can generate Wi-Fi signals that a nearby device intercepts and sends to the attacker, over the Internet.

The technique leverages memory buses for the generation of covert signals, thus eliminating the need of Wi-Fi hardware. For the interception of these signals, Wi-Fi capable devices such as smartphones, IoT devices, and laptops are used.

Disconnected form the internet, air-gapped networks and computers are used for storing sensitive data or applications, but motivated cyber-attackers are constantly searching for new ways to breach these isolated systems, either through targeting the supply chain, using malicious insiders, or tricking unsuspecting insiders into carrying out nefarious actions.

Over the past years, numerous new data exfiltration techniques aimed at air-gapped computers have been disclosed, and threat actors were observed increasingly targeting air-gapped systems in their attacks.

The newly detailed method assumes that the adversary was able to compromise the air-gapped system and has already collected data of interest, including biometric information, credentials, documents, and files. Wi-Fi frequency bands are used as a channel for data exfiltration.

The AIR-FI attack relies on DDR SDRAM buses for emitting electromagnetic signals on the 2.4 GHz Wi-Fi band and for encoding data on top of these signals. A nearby Wi-Fi-capable device that has been infected with malware is used to intercept these signals, decode them, and then transmit them to the attacker, over the Internet.

According to the researcher, the attack works on virtual machines (VMs) too, does not require a Wi-Fi transmitter or special privileges, and can leverage a broad range of devices as receivers. The low-level physical layer information exposed by Wi-Fi chips to the application layers is used for signal extraction.

Proposed countermeasures include the zone separation that U.S. and NATO telecommunication security standards propose as protection against TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions) threats; runtime detection; jamming the Wi-Fi frequency bands; interfering with the execution of the malicious process; and Faraday shielding (which blocks or limits electromagnetic fields).

“Our results show that the covert channel can be effective at distances up to several meters from air-gapped computers. We achieved effective bit rates ranging from 1 to 100 bit/sec, depending on the type and mode of receiver used,” the researcher concludes.

Related: Chinese Hackers Target Air-Gapped Systems With Custom USB Malware

Related: Chinese Hackers Target Air-Gapped Military Networks

Related: Hackers Can Steal Data From Air-Gapped Computers Via Screen Brightness

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.