Mordechai Guri, an Israeli cybersecurity researcher focusing on covert channel attacks, has devised another way to break air gapping - the practice of keeping computers disconnected from any external network for security reasons.
In a recently released document [PDF], “AIR-FI: Generating Covert Wi-Fi Signals from Air-Gapped ComputersGuri, head of research and development at Ben-Gurion University in the Negev, Israel's Cyber Security Research Center, describes a technique for converting DDR SDRAM channels to transmitters that can send sensitive data.
The technique is part of a complex chain of attacks required to breach highly secure systems isolated from public networks.
The first step in this procedure it involves installing malware on the isolated hardware, during the process of manufacturing it or shipping it to the owner, or by adding the malware via an infected peripheral such as a USB.
Without this step, the attack cannot take place. But such espionage efforts, especially in organizations operating critical systems, have been successful in the past: For example, the document mentions the famous Stuxnet worm, which a decade ago breached systems at a uranium enrichment plant in Iran. The malware, it claims, was introduced into the affected systems via a USB.
Once a system disconnected from the network acquires the malware, it should start sending data without anyone noticing. It turns out there are a few ways to carry out an attack also known as TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions). This attack involves a covert signaling sent via electromagnetic, headphones, thermal, optical or vibrational channels.
Guri's paper lists several methods, but AIR-FI is the latest technique he devised. It is a method of sending data via Wi-Fi signals when the destination device does not have Wi-Fi capability.
"The AIR-FI attack presented in this article does not require Wi-Fi-related hardware on air-gapped computers," says Guri. "Instead, we show that an attacker could exploit DDR SDRAM channels to generate electromagnetic emissions in 2,4 GHz Wi-Fi bands and encrypt binary data on them."
AIR-FI works by transferring data to the data bus, which generates electromagnetic emissions. "Since the clock speed of the memory modules is usually around 2,4 GHz, the memory functions generate electromagnetic emissions around the IEEE 802.11b / g / n Wi-Fi bands," the document states.
For memory modules where this is not the case, the malware will need to overclock or override the memory speed to generate frequency bands in the Wi-Fi zones. This should be possible with software or through the BIOS / UEFI configuration. According to the document, Intel allows you to modify the timing parameters of the installed memory using the Extreme Memory Profile (XMP) specifications.
Beyond that it is a matter of transmitting data in packets.
Guri's experimental tuning showed that these signals can be received several meters away from air gapped computers, although the transmission rate is quite low: 1-100 bit / sec. You can see it below.
The technique requires no special privileges and works through one virtual machine. Requires a nearby Wi-Fi enabled download device. It could also be done with any properly prepared mobile phone, computer or IoT device.
Guri suggests several possible defenses, such as disallowing Appliances network-capable near air gapped hardware, to implement Wi-Fi jamming by confusing any potential hidden Wi-Fi signal with a background process running random memory/CPU operations and Faraday shielding.
