A security researcher has demonstrated that sensitive data could be exfiltrated from air-gapped computers via a novel technique that leverages Wi-Fi signals as a covert channel—surprisingly, without requiring the presence of Wi-Fi hardware on the targeted systems.
Dubbed “AIR-FI,” the attack hinges on deploying a specially designed malware in a compromised system that exploits “DDR SDRAM buses to generate electromagnetic emissions in the 2.4 GHz Wi-Fi bands” and transmitting information atop these frequencies that can then be intercepted and decoded by nearby Wi-Fi capable devices such as smartphones, laptops, and IoT devices before sending the data to remote servers controlled by an attacker.
The findings were published today in a paper titled “AIR-FI: Generating Covert Wi-Fi Signals from Air-Gapped Computers” by Dr. Mordechai Guri, the head of R&D at Ben-Gurion University of the Negev’s Cyber-Security Research Center, Israel.
“The AIR-FI attack […] does not require Wi-Fi related hardware in the air-gapped computers,” Dr. Guri outlined.
“Instead, an attacker can exploit the DDR SDRAM buses to generate electromagnetic emissions in the 2.4 GHz Wi-Fi bands and encode binary data on top of it.”
Dr. Guri, earlier this May, also demonstrated POWER-SUPPLaY, a separate mechanism that allows the malware to exploit a computer’s power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker to leak data.
Air-gapped computers — machines with no network interfaces — are considered a necessity in environments where sensitive data is involved in an attempt to reduce the risk of data leakage.
Thus in order to carry out attacks against such systems, it is often essential that the transmitting and receiving machines be located in close physical proximity to one another and that they are infected with the appropriate malware to establish the communication link.
But AIR-FI is unique in that the method neither relies on a Wi-Fi transmitter to generate signals nor requires kernel drivers, special privileges such as root, or access to hardware resources to transmit the data.
What’s more, the covert channel works even from within an isolated virtual machine and has an endless list of Wi-Fi enabled devices that can be hacked by an attacker to act as a potential receiver.
The kill chain in itself consists of an air-gapped computer onto which the malware is deployed via social engineering lures, self-propagating worms such as Agent.BTZ, tampered USB flash drives, or even with the help of malicious insiders.
It also requires infecting Wi-Fi capable devices co-located in the air-gapped network by compromising the firmware of the Wi-Fi chips to install malware capable of detecting and decoding the AIR-FI transmission and exfiltrating the data over the Internet.
With this setup in place, the malware on the target system collects the relevant data (e.g., confidential documents, credentials, encryption keys), which is then encoded and transmitted in the Wi-Fi band at 2.4 GHz frequency using the electromagnetic emissions generated from the DDR SDRAM buses used to exchange data between the CPU and the memory, thus defeating air-gap isolation.
To generate the Wi-Fi signals, the attack makes use of the data bus (or memory bus) to emit electromagnetic radiation at a frequency correlated to the DDR memory module and the memory read/write operations executed by processes currently running in the system.
AIR-FI was evaluated using four types of workstations with different RAM and hardware configurations as well as a software-defined radio (SDR) and a USB Wi-Fi network adapter that functioned as the receiver, finding that the covert channel can be effectively maintained at distances up to several meters from air-gapped computers and achieving bit rates ranging from 1 to 100 bit/sec, depending on the type and mode of receiver used.
If anything, the new research is yet another reminder that electromagnetic, acoustic, thermal, and optical components continue to be lucrative vectors to mount sophisticated exfiltration attacks against air-gapped facilities.
As a countermeasure, Dr. Guri proposes zone protections to safeguard against electromagnetic attacks, enabling intrusion detection systems to monitor and inspect for processes that perform intensive memory transfer operations, jamming the signals, and using Faraday shields to block the covert channel.
The AIR-FI malware shows “how attackers can exfiltrate data from air-gapped computers to a nearby Wi-Fi receiver via Wi-Fi signals,” he added.
“Modern IT environments are equipped with many types of Wi-Fi capable devices: smartphones, laptops, IoT devices, sensors, embedded systems, and smart watches, and other wearables devices. The attacker can potentially hack such equipment to receive the AIR-FI transmissions from air-gapped computers.”