Mordechai Guri, an Israeli cybersecurity researcher focusing on covert channel attacks, has devised another way to break air gapping - the practice of keeping computers disconnected from any external network for security reasons.
In a recently released document [PDF], “AIR-FI: Generating Covert Wi-Fi Signals from Air-Gapped ComputersGuri, head of research and development at Ben-Gurion University in the Negev, Israel's Cyber Security Research Center, describes a technique for converting DDR SDRAM channels to transmitters that can send sensitive data.
The technique is part of a complex chain of attacks required to breach highly secure systems isolated from public networks.
The first step in this process involves installing malware on the isolated hardware, in the process of building it or sending it to the owner, or adding the malware via an infected peripheral such as a USB.
Without this step, the attack cannot take place. But such espionage efforts, especially in organizations operating critical systems, have been successful in the past: For example, the document mentions the famous Stuxnet worm, which a decade ago breached systems at a uranium enrichment plant in Iran. The malware, it claims, was introduced into the affected systems via a USB.
Once a system disconnected from the network acquires malware, it should start sending data without anyone noticing. It turns out that there are some ways to carry out an attack also known as TEMPEST (Telecommunications Electronics Materials Protected by Emanating Spurious Transmissions). This attack involves a hidden signal sent through electromagnetic, audio, thermal, optical or vibrating channels.
Guri's paper lists several methods, but AIR-FI is the latest technique he devised. It is a method of sending data via Wi-Fi signals when the destination device does not have Wi-Fi capability.
"The AIR-FI attack presented in this article does not require Wi-Fi-related hardware on air-gapped computers," says Guri. "Instead, we show that an attacker could exploit DDR SDRAM channels to generate electromagnetic emissions in 2,4 GHz Wi-Fi bands and encrypt binary data on them."
AIR-FI works by transferring data to the data bus, which generates electromagnetic emissions. "Since the clock speed of the memory modules is usually around 2,4 GHz, the memory functions generate electromagnetic emissions around the IEEE 802.11b / g / n Wi-Fi bands," the document states.
For memory modules where this is not the case, the malware will need to overclock or override the memory speed to generate frequency bands in the Wi-Fi zones. This should be possible with software or through the BIOS / UEFI configuration. According to the document, Intel allows you to modify the timing parameters of the installed memory using the Extreme Memory Profile (XMP) specifications.
Beyond that it is a matter of transmitting data in packets.
Guri's experimental tuning showed that these signals can be received several meters away from air gapped computers, although the transmission rate is quite low: 1-100 bit / sec. You can see it below.
The technique does not require special privileges and operates through a virtual machine. Requires a nearby Wi-Fi enabled camera. It could be done with any properly prepared mobile phone, computer or IoT device.
Guri suggests a number of possible defenses, such as not allowing networked devices near air gapped hardware, to implement Wi-Fi blocking, confusing any possible hidden Wi-Fi signal with a background process that performs random memory / CPU operations and Faraday shielding .