Hackers Can Now Steal Data from Air-Gapped PCs via SATA Cables

In May 2020, researchers were able to demonstrate how attackers can steal data from air-gapped PC by turning RAM into Wi-Fi Card. Now, the University of the Negev, Israel, researchers have published a study titled “SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables,” authored by Mordechai Guri, proving that hackers can extract data from a seemingly secure system by exploiting its SATA cable.

The attack has been named SATAn. It is worth noting that the SATA connection is used in hundreds of thousands of devices globally to connect hard drives and SSDs in the PC.

SATAn Exploitation Explained

Researchers demonstrated that an attacker could use the SATA cable as a wireless transmitter and intercept the data it carries as radio signals in the 6GHz band. It is a complex attack requiring the attacker to install specific malware on the target machine and use a specially designed shellcode to modify file system activity, which generates identifiable radio signals through SATA cables.

After the malicious software is installed, it starts encoding the data to be stolen after obtaining different types of file system access, such as read and write to generate a signal on the SATA cable.

The researcher noted that write or read operations can create correct signals more effectively but read operations don’t require higher permissions at a system level and generate stronger signals of up to 3 dB. The attacker receives this signal on a nearby device if the receiver is located within one meter of the transmitter range.

In this case, the laptop used a Software Defined Radio receiver for signal reception. The researchers entered ‘Secret’ on their targeted device, which the second machine picked up.

Why Does This Technique Work?

Air-gapped systems are where the world’s most sensitive data is usually stored. These systems aren’t connected to a network, internet, or any connection to the outside world. Moreover, the air-gapped system doesn’t rely on hardware to enable wireless communications such as Wi-Fi hardware or Bluetooth.

Therefore, stealing data from these systems involves advanced and highly sophisticated skills. This attack works by converting the standard SATA cable into a radio transmitter without physically modifying the hardware. The SATA bus creates electromagnetic interference when performing its regular operation, and this interference is manipulated to transmit data.

According to the university’s report , the researcher used the cable as a wireless antenna operating on the 6 GHz frequency band to transmit a short message to a nearby laptop. However, attackers can use this technique with keyloggers to steal sensitive data, including passwords, files, and images.

Should You Be Concerned?

Using this technique, an attacker can exfiltrate data from systems that aren’t even connected to the internet and transmit the data to a receiver located 1meter away. And, they don’t need to physically modify the SATA cable or hardware since it is a purely software-based attack. The attacker can utilize a VM (virtual machine) to make this technique successful.

Should You Be Concerned?

Using this technique, an attacker can exfiltrate data from systems that aren’t even connected to the internet and transmit the data to a receiver located 1meter away. And, they don’t need to physically modify the SATA cable or hardware since it is a purely software-based attack. The attacker can utilize a VM (virtual machine) to make this technique successful.

But, it is a complex method, and the attacker needs access to the target computer since they have to install the malware on an air-gapped system directly.

Moreover, SATA signal emission is generally weak; hence, this isn’t a flawless attack technique, and many countermeasures can help prevent it. Such as using network security protocols and technologies, enabling electromagnetic shielding, avoiding using SATA drives altogether, and opting for M.2 drives.

Total
0
Shares
Related Posts