RAM-Generated Wi-Fi Signals Allow Data Exfiltration From Air-Gapped Systems

Covert Wi-Fi signals generated by DDR SDRAM hardware can be leveraged to exfiltrate data from air-gapped computers, a researcher claims.

In a newly published paper, Mordechai Guri from the Ben-Gurion University of the Negev in Israel details AIR-FI, a new data exfiltration technique in which malware installed on a compromised air-gapped system can generate Wi-Fi signals that a nearby device intercepts and sends to the attacker, over the Internet.

The technique leverages memory buses to generate the covert signals, which eliminates the need for Wi-Fi hardware on the transmitting side. Ordinary Wi-Fi-capable devices such as smartphones, IoT devices, and laptops are used to intercept these signals.

Disconnected from the internet, air-gapped networks and computers are used to store sensitive data or run sensitive applications, but motivated cyber-attackers are constantly searching for new ways to breach these isolated systems, whether by targeting the supply chain, using malicious insiders, or tricking unsuspecting insiders into carrying out nefarious actions.

In recent years, numerous new data exfiltration techniques aimed at air-gapped computers have been disclosed, and threat actors have increasingly been observed targeting air-gapped systems in their attacks.

The newly detailed method assumes that the adversary was able to compromise the air-gapped system and has already collected data of interest, including biometric information, credentials, documents, and files. Wi-Fi frequency bands are used as a channel for data exfiltration.

The AIR-FI attack relies on DDR SDRAM buses for emitting electromagnetic signals on the 2.4 GHz Wi-Fi band and for encoding data on top of these signals. A nearby Wi-Fi-capable device that has been infected with malware is used to intercept these signals, decode them, and then transmit them to the attacker, over the Internet.

According to the researcher, the attack works on virtual machines (VMs) too, does not require a Wi-Fi transmitter or special privileges, and can leverage a broad range of devices as receivers. The low-level physical layer information exposed by Wi-Fi chips to the application layers is used for signal extraction.

Proposed countermeasures include the zone separation that U.S. and NATO telecommunication security standards propose as protection against TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions) threats; runtime detection; jamming the Wi-Fi frequency bands; interfering with the execution of the malicious process; and Faraday shielding (which blocks or limits electromagnetic fields).
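The runtime-detection countermeasure listed above can be approached from the receiving side: a monitoring station near the air-gapped host samples RSSI on the relevant 2.4 GHz channel and looks for the signature of an on-off keyed emission, i.e. a signal that alternates between two distinct amplitude levels in regular, multi-sample runs rather than drifting like ordinary noise. The following is an added example written for this article; it is not code from the AIR-FI paper or from SecurityWeek. It assumes a receiver that can log per-sample RSSI in dBm (the sample rate, bit period, 8 dB level shift and noise floor are assumptions), and the traces it analyses are constructed in the script rather than captured.

```python
"""Heuristic detector for an on-off-keyed (OOK) covert emission in Wi-Fi RSSI samples.

Added illustration, not code from the AIR-FI paper or from SecurityWeek.
Assumes a monitoring receiver near the air-gapped host that logs RSSI (dBm)
per sample on one 2.4 GHz channel. All traces below are constructed.
"""
import random
import statistics
from typing import Dict, List, Sequence


def two_means_threshold(samples: Sequence[float], rounds: int = 8) -> float:
    """Split point between two amplitude clusters (1-D Lloyd iteration, assumed method)."""
    threshold = statistics.fmean(samples)
    for _ in range(rounds):
        high = [s for s in samples if s >= threshold]
        low = [s for s in samples if s < threshold]
        if not high or not low:
            break
        threshold = (statistics.fmean(high) + statistics.fmean(low)) / 2
    return threshold


def run_lengths(labels: Sequence[int]) -> List[int]:
    """Lengths of consecutive runs of identical labels, e.g. [1,1,0,1] -> [2,1,1]."""
    runs: List[int] = []
    count = 0
    for i, label in enumerate(labels):
        if i > 0 and label != labels[i - 1]:
            runs.append(count)
            count = 0
        count += 1
    runs.append(count)
    return runs


def ook_score(samples: Sequence[float]) -> Dict[str, float]:
    """Cluster contrast (separation / within-cluster spread) plus run statistics.

    Thermal noise splits into two weak, interleaved clusters (contrast around 2.7,
    median run length 1-2); a keyed carrier gives well-separated levels held for
    whole bit periods (high contrast, long runs)."""
    threshold = two_means_threshold(samples)
    labels = [1 if s >= threshold else 0 for s in samples]
    high = [s for s, lab in zip(samples, labels) if lab]
    low = [s for s, lab in zip(samples, labels) if not lab]
    if len(high) < 2 or len(low) < 2:
        return {"contrast": 0.0, "median_run": 0.0, "runs": 0.0}
    spread = (statistics.pstdev(high) + statistics.pstdev(low)) / 2
    separation = statistics.fmean(high) - statistics.fmean(low)
    contrast = separation / spread if spread > 0 else float("inf")
    runs = run_lengths(labels)
    return {"contrast": contrast, "median_run": float(statistics.median(runs)), "runs": float(len(runs))}


def looks_like_covert_ook(samples: Sequence[float], min_contrast: float = 4.0,
                          min_median_run: float = 3.0, min_runs: int = 8) -> bool:
    """Flag a trace when levels are clearly bimodal, held for several samples, and keep toggling.

    Thresholds are assumptions chosen for the constructed traces; tune them per site."""
    score = ook_score(samples)
    return (score["contrast"] >= min_contrast
            and score["median_run"] >= min_median_run
            and score["runs"] >= min_runs)


def constructed_rssi(bits: Sequence[int], samples_per_bit: int = 10, baseline: float = -60.0,
                     shift: float = 8.0, noise_sd: float = 1.0, seed: int = 7) -> List[float]:
    """Constructed RSSI trace: Gaussian noise floor, raised by `shift` dB for each 1-bit."""
    rng = random.Random(seed)
    trace: List[float] = []
    for bit in bits:
        level = baseline + (shift if bit else 0.0)
        trace.extend(level + rng.gauss(0.0, noise_sd) for _ in range(samples_per_bit))
    return trace


if __name__ == "__main__":
    keyed = constructed_rssi([int(b) for b in "1011001110100101" * 2])  # constructed pattern
    idle = constructed_rssi([0] * 32)  # noise floor only
    for name, trace in (("keyed", keyed), ("idle", idle)):
        print(name, ook_score(trace), "flag" if looks_like_covert_ook(trace) else "clear")
```

The detector is deliberately simple: it does not try to decode anything, only to decide whether the channel's amplitude behaves like a keyed carrier, which is the question a spectrum-monitoring alert needs answered. Legitimate Wi-Fi traffic also produces bursts, so in practice the alert would be correlated with the air-gapped host's activity and with the absence of any legitimate transmitter on that channel before it is acted on.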

“Our results show that the covert channel can be effective at distances up to several meters from air-gapped computers. We achieved effective bit rates ranging from 1 to 100 bit/sec, depending on the type and mode of receiver used,” the researcher concludes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
