Where’s a Faraday cage when you need one?

Air-Fi attack renders air-gapped computers open to data exfiltration

Attackers can compromise computers that have no internet connectivity and steal their data through memory operations and WiFi receivers, a security researcher at Ben-Gurion University of the Negev, Israel, has found.

In his latest research, Mordechai Guri, who has a long history of exposing the security shortcomings of air-gapped systems, shows that memory buses on most computers emit signals that can be picked up by WiFi-capable devices.

This can enable attackers to steal information from air-gapped systems without requiring special hardware or network connectivity.

Codenamed ‘Air-Fi’ and published on the arXiv preprint server, the research has been in the works for a year, Guri told The Daily Swig.

Infecting air-gapped computers

Air-gapping is a security measure employed to ensure that a secure computer network is physically isolated from unsecured networks, such as the public internet or an insecure local area network (LAN).

One of the key challenges of attacking air-gapped systems is the initial compromise: that is, infecting the network’s computers with malware.

While difficult, this is not impossible and has happened on numerous occasions through supply-chain attacks, compromising third-party software, and malicious or unsuspecting insiders.

In the case of the Air-Fi attack, the requirements are minimal. The target computer does not need to have a WiFi transmitter, nor does the malware require special privileges such as access to kernel drivers or hardware resources. The attack also works on virtual machines.

A proof-of-concept video shows the Air-Fi attack in action.

Exfiltrating the data

Once the device is infected, the malware uses electromagnetic emissions generated from DDR SDRAM buses to exfiltrate sensitive data.

“The memory buses generate electromagnetic radiation at a frequency correlated to its clock frequency and harmonics,” Guri writes in the paper. “For example, DDR4-2400 emits electromagnetic radiation at around 2400 MHz.”

These emissions fall within the range of WiFi frequency bands and can be received by any device that has a WiFi network interface.

Therefore, by triggering a series of well-timed memory operations on the infected device, the malware modulates the stolen data into WiFi signals.
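To make the frequency overlap concrete from the defender's side, here is an added example (not code from the article or from Guri's paper) that maps a memory speed to the 2.4 GHz WiFi channels its emission lines fall on, which is what a spectrum monitor, jammer or shielding survey near an air-gapped host would need to cover. It assumes the emissions sit at the I/O clock (half the DDR transfer rate) and its integer harmonics, with an assumed +/-10 MHz spread per line, and it extends the article's DDR4-2400 case to other speeds.

```python
# Added example: which 2.4 GHz WiFi channels a memory bus's modelled emission
# lines land on, so a defender knows what monitoring or shielding must cover.

# IEEE 802.11 2.4 GHz plan: channels 1-13 are 5 MHz apart starting at 2412 MHz,
# channel 14 is at 2484 MHz; each DSSS channel is about 22 MHz wide.
CHANNEL_CENTERS_MHZ = {ch: 2412 + 5 * (ch - 1) for ch in range(1, 14)}
CHANNEL_CENTERS_MHZ[14] = 2484
CHANNEL_WIDTH_MHZ = 22


def emission_lines_mhz(transfer_rate_mts, harmonics=4):
    """Model the bus emissions as the I/O clock (half the DDR transfer rate,
    e.g. 1200 MHz for DDR4-2400) and its integer harmonics.
    Assumption of this example: real emissions are broader and board-dependent."""
    clock = transfer_rate_mts / 2
    return [clock * n for n in range(1, harmonics + 1)]


def overlapping_channels(freq_mhz, spread_mhz=10):
    """WiFi channels whose footprint intersects [freq - spread, freq + spread].
    The +/-10 MHz spread is an assumed width for one emission line."""
    half = CHANNEL_WIDTH_MHZ / 2
    lo, hi = freq_mhz - spread_mhz, freq_mhz + spread_mhz
    return [ch for ch, c in CHANNEL_CENTERS_MHZ.items()
            if lo <= c + half and hi >= c - half]


def exposed_channels(transfer_rate_mts, harmonics=4, spread_mhz=10):
    """Map a DDR speed (MT/s) to {emission_frequency_mhz: [channels]} for
    every modelled harmonic that reaches into the 2.4 GHz band."""
    exposure = {}
    for f in emission_lines_mhz(transfer_rate_mts, harmonics):
        chans = overlapping_channels(f, spread_mhz)
        if chans:
            exposure[f] = chans
    return exposure


if __name__ == "__main__":
    # Constructed sample of common module speeds; only those whose harmonics
    # reach about 2400 MHz show an overlap with the lowest WiFi channels.
    for name, rate in [("DDR3-1600", 1600), ("DDR4-2133", 2133),
                       ("DDR4-2400", 2400), ("DDR4-3200", 3200)]:
        print(name, exposed_channels(rate) or "no 2.4 GHz overlap in model")
```

Under these assumptions DDR4-2400 (second harmonic of a 1200 MHz clock) and DDR3-1600 (third harmonic of 800 MHz) both reach WiFi channels 1 and 2, while DDR4-2133 and DDR4-3200 do not land in the band at all.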

Receiving the stolen data

On the receiving side, the attacker needs to infect a device with a WiFi interface in the vicinity of the air-gapped target.

“Air-Fi is unique in that it uses a very common WiFi receiver which exists in many types of devices today, from computers to IoT devices,” Guri says.

To receive the data transmitted on the Air-Fi channel, the receiving malware installation needs access to the WiFi-capable device at the kernel driver or firmware level.


Obtaining low-level access to WiFi hardware is difficult and requires malware that is tailored to the targeted WiFi chip. But it doesn’t necessarily require physical access to the device, Guri says.

“For example, the recent TrickBot malware compromises the UEFI, which is actually firmware level. There are many types of rootkits which can be implanted at the kernel level, and it can be done remotely by using zero-day exploits,” he says.

At 1-100 bits per second, data transmission on the Air-Fi channel is slow and badly suited for exfiltrating large volumes of data.

Guri says it can be used for sensitive information such as credentials, keystrokes, small files, and biometric data.

Side-channel defenses

In the paper, Guri suggests several defense methods against potential Air-Fi attacks.

Physical separation policies, where WiFi transceivers are not allowed in the vicinity of air-gapped systems, can prevent infected devices from stealing sensitive information through the Air-Fi channel.

Runtime monitoring of memory access, signal jamming, and Faraday shielding can also prevent signals emitted from infected air-gapped computers from reaching WiFi receivers.

“Security measures such as firewalls, AVs, IDS, IPS, DLP as well as air gaps, are not hermetic. Motivated attackers are continuously finding new ways of breaching secured networks and evading security lines,” Guri warns.
