Covert Wi-Fi signals generated by DDR SDRAM hardware can be leveraged to exfiltrate data from air-gapped computers, a researcher claims.
In a newly published paper, Mordechai Guri from the Ben-Gurion University of the Negev in Israel details AIR-FI, a new data exfiltration technique in which malware installed on a compromised air-gapped system can generate Wi-Fi signals that a nearby device intercepts and sends to the attacker, over the Internet.
The technique leverages memory buses for the generation of covert signals, thus eliminating the need of Wi-Fi hardware. For the interception of these signals, Wi-Fi capable devices such as smartphones, IoT devices, and laptops are used.
Disconnected form the internet, air-gapped networks and computers are used for storing sensitive data or applications, but motivated cyber-attackers are constantly searching for new ways to breach these isolated systems, either through targeting the supply chain, using malicious insiders, or tricking unsuspecting insiders into carrying out nefarious actions.
Over the past years, numerous new data exfiltration techniques aimed at air-gapped computers have been disclosed, and threat actors were observed increasingly targeting air-gapped systems in their attacks.
The newly detailed method assumes that the adversary was able to compromise the air-gapped system and has already collected data of interest, including biometric information, credentials, documents, and files. Wi-Fi frequency bands are used as a channel for data exfiltration.
The AIR-FI attack relies on DDR SDRAM buses for emitting electromagnetic signals on the 2.4 GHz Wi-Fi band and for encoding data on top of these signals. A nearby Wi-Fi-capable device that has been infected with malware is used to intercept these signals, decode them, and then transmit them to the attacker, over the Internet.
According to the researcher, the attack works on virtual machines (VMs) too, does not require a Wi-Fi transmitter or special privileges, and can leverage a broad range of devices as receivers. The low-level physical layer information exposed by Wi-Fi chips to the application layers is used for signal extraction.
Proposed countermeasures include the zone separation that U.S. and NATO telecommunication security standards propose as protection against TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions) threats; runtime detection; jamming the Wi-Fi frequency bands; interfering with the execution of the malicious process; and Faraday shielding (which blocks or limits electromagnetic fields).
“Our results show that the covert channel can be effective at distances up to several meters from air-gapped computers. We achieved effective bit rates ranging from 1 to 100 bit/sec, depending on the type and mode of receiver used,” the researcher concludes.