Violate Wi-Fi systems without Wi-Fi

Mordechai Guri, an Israeli cybersecurity researcher focused on covert channel attacks, has devised yet another way to breach air gapping, the practice of keeping computers disconnected from any external network for security reasons.


In a recently released document [PDF], “AIR-FI: Generating Covert Wi-Fi Signals from Air-Gapped Computers”, Guri, head of research and development at the Cyber Security Research Center of Ben-Gurion University of the Negev in Israel, describes a technique for turning DDR SDRAM channels into transmitters that can send sensitive data.

The technique is one part of the chain of attacks required to breach highly secure systems that are isolated.

The first step involves installing malware on the isolated hardware, either while it is being manufactured or shipped to the owner, or via an infected peripheral such as a USB device.

Without this step, the attack cannot take place. But such espionage efforts, especially in organizations operating critical systems, have been successful in the past: For example, the document mentions the famous Stuxnet worm, which a decade ago breached systems at a uranium enrichment plant in Iran. The malware, it claims, was introduced into the affected systems via a USB.

Once a system disconnected from the network has been infected, the malware has to start sending data out without anyone noticing. There are several ways to carry out this kind of attack, also known as TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions). The attack involves a hidden signal sent through electromagnetic, acoustic, thermal, optical or vibration channels.

Guri's paper lists several methods, but AIR-FI is the latest technique he has devised. It is a method of sending data via Wi-Fi signals when the targeted device does not have Wi-Fi capability.

"The AIR-FI attack presented in this article does not require Wi-Fi-related hardware on air-gapped computers," says Guri. "Instead, we show that an attacker could exploit DDR SDRAM channels to generate electromagnetic emissions in 2.4 GHz Wi-Fi bands and encrypt binary data on them."

AIR-FI works by moving data across the memory data bus, which generates electromagnetic emissions. "Since the clock speed of the memory modules is usually around 2.4 GHz, the memory functions generate electromagnetic emissions around the IEEE 802.11b/g/n Wi-Fi bands," the document states.

For memory modules where this is not the case, the malware will need to overclock or override the memory speed so that the emissions fall within the Wi-Fi frequency bands. This should be possible with software or through the BIOS/UEFI configuration. According to the document, Intel allows the timing parameters of the installed memory to be modified using the Extreme Memory Profile (XMP) specifications.

Beyond that it is a matter of transmitting data in packets.

Guri's experiments showed that these signals can be received several meters away from air-gapped computers, although the transmission rate is quite low: 1-100 bit/sec.

The technique requires no special privileges and works from within a virtual machine. It does require a nearby receiving device with Wi-Fi capability. It could also be done with any suitably prepared mobile phone or IoT device.

Guri suggests a number of possible defenses, such as not allowing networked devices near air-gapped hardware, implementing Wi-Fi blocking, disrupting any hidden Wi-Fi signal with a background process that performs random memory/CPU operations, and Faraday shielding.
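A minimal sketch of the "background process that performs random memory/CPU operations" defense listed above. It is an added example, not code from Guri's paper; the function name `jam_memory_bus`, the 8 MiB buffer and the 2 ms slice bound are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Assumed tuning values (not from the paper); adjust per machine. */
#define BUF_BYTES    (8u << 20)  /* 8 MiB: assumed to spill past caches; raise for a large L3 */
#define MAX_SLICE_US 2000u       /* upper bound on one memory or CPU slice */

static uint64_t now_us(void) {
    struct timespec ts;
    timespec_get(&ts, TIME_UTC);
    return (uint64_t)ts.tv_sec * 1000000u + (uint64_t)ts.tv_nsec / 1000u;
}

static uint32_t xorshift32(uint32_t *s) {   /* small PRNG; state must be non-zero */
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}

/* Alternate random-length bursts of memory copies with random-length CPU-only
 * spins for run_ms milliseconds. Returns bytes copied, or 0 if allocation fails. */
uint64_t jam_memory_bus(unsigned run_ms, uint32_t seed) {
    uint8_t *src = malloc(BUF_BYTES), *dst = malloc(BUF_BYTES);
    if (!src || !dst) { free(src); free(dst); return 0; }
    memset(src, 0xA5, BUF_BYTES);
    volatile uint32_t sink = 0;              /* keeps the work from being optimized out */
    uint32_t s = seed ? seed : 1u;
    uint64_t copied = 0, end = now_us() + (uint64_t)run_ms * 1000u;
    while (now_us() < end) {
        uint64_t stop = now_us() + 1 + xorshift32(&s) % MAX_SLICE_US;
        while (now_us() < stop) {            /* memory slice: random offset and length */
            size_t off = xorshift32(&s) % (BUF_BYTES / 2);
            size_t len = 4096 + xorshift32(&s) % (BUF_BYTES / 2 - 4096);
            memcpy(dst + off, src + off, len);
            sink += dst[off];
            copied += len;
        }
        stop = now_us() + 1 + xorshift32(&s) % MAX_SLICE_US;
        while (now_us() < stop)              /* CPU slice: arithmetic only, no bulk copies */
            sink += xorshift32(&s);
    }
    free(src); free(dst);
    return copied;
}

int main(void) {  /* demo: 200 ms run; a long-running jammer would seed from the OS RNG */
    return jam_memory_bus(200, (uint32_t)time(NULL)) ? 0 : 1;
}
```

Such a process only adds noise to the memory bus activity; whether it masks a signal on a given machine has to be checked with a receiver in the 2.4 GHz band.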


Written by giorgos
