Mordechai Guri, an Israeli cybersecurity researcher focusing on covert channel attacks, has devised another way to break air gapping - the practice of keeping computers disconnected from any external network for security reasons.
In a recently released document [PDF], “AIR-FI: Generating Covert Wi-Fi Signals from Air-Gapped ComputersGuri, head of research and development at Ben-Gurion University in the Negev, Israel's Cyber Security Research Center, describes a technique for converting DDR SDRAM channels to transmitters that can send sensitive data.
The technique is part of a complex chain of attacks required to breach highly secure systems isolated from public networks.
The first step in this process involves installing malware on the isolated hardware, during the process of manufacturing it or shipping it to the owner, or by adding the malware software via an infected peripheral such as a USB.
Without this step, the attack cannot be carried out. But such spying efforts, mostly in organizations operating critical systems, have succeeded in the past: For example, the paper cites the famous Stuxnet worm, which a decade ago breached systems at a uranium enrichment plant in Iran. The malware, it claims, was introduced into the affected systems via a USB.
Once a system disconnected from the network acquires malware, it should start sending data without anyone noticing. It turns out that there are some ways to carry out an attack also known as TEMPEST (Telecommunications Electronics Materials Protected by Emanating Spurious Transmissions). This attack involves a hidden signal sent through electromagnetic, audio, thermal, optical or vibrating channels.
Guri's paper lists several methods, but AIR-FI is the latest technique he devised. It is a method of sending data via Wi-Fi signals when the destination device does not have Wi-Fi capability.
"The AIR-FI attack presented in this article does not require Wi-Fi-related hardware on air-gapped computers," says Guri. "Instead, we show that an attacker could exploit DDR SDRAM channels to generate electromagnetic emissions in 2,4 GHz Wi-Fi bands and encrypt binary data on them."
AIR-FI works by transferring data on the data bus, which generates electromagnetic emissions. “Since the clock speed of memory modules is usually around frequency of 2,4 GHz, memory operations generate electromagnetic emissions around the IEEE 802.11b/g/n Wi-Fi frequency bands,” the document states.
For memory drives where this is not the case, the malware would have to overclock or mask the memory speed to produce transmissions at the frequency of the Wi-Fi bands. This should be possible with software or through the BIOS/UEFI configuration. Intel, according to the document, allows modification of the timing parameters of the installed memory using the Extreme Memory specification Profile (XMP).
Beyond that it is a matter of transmitting data in packets.
Guri's experimental tuning showed that these signals can be received several meters away from air gapped computers, although the transmission rate is quite low: 1-100 bit / sec. You can see it below.
The technique does not require special privileges and operates through a virtual machine. Requires a nearby Wi-Fi enabled camera. It could be done with any properly prepared mobile phone, computer or IoT device.
Guri suggests several possible defenses, such as disallowing Appliances network-capable near air gapped hardware, to implement Wi-Fi jamming by confusing any potential hidden Wi-Fi signal with a background process running random memory/CPU operations and Faraday shielding.
