New Air-Gap Attack Uses SATA Cable as an Antenna to Transfer Radio Signals

source:  |  image:


A new method devised to leak information and jump over air-gaps takes advantage of Serial Advanced Technology Attachment (SATA) or Serial ATA cables as a communication medium, adding to a long list of electromagnetic, magnetic, electric, optical, and acoustic methods already demonstrated to plunder data.

“Although air-gap computers have no wireless connectivity, we show that attackers can use the SATA cable as a wireless antenna to transfer radio signals at the 6GHz frequency band,” Dr. Mordechai Guri, the head of R&D in the Cyber Security Research Center in the Ben Gurion University of the Negev in Israel, wrote in a paper published last week.

The technique, dubbed SATAn, takes advantage of the prevalence of the computer bus interface, making it “highly available to attackers in a wide range of computer systems and IT environments.”

Put simply, the goal is to use the SATA cable as a covert channel to emanate electromagnetic signals and transfer a brief amount of sensitive information from highly secured, air-gapped computers wirelessly to a nearby receiver more than 1m away.

An air-gapped network is one that’s physically isolated from any other networks in order to increase its security. Air-gapping is seen as an essential mechanism to safeguard high-value systems that are of huge interest to espionage-motivated threat actors.

That said, attacks targeting critical mission-control systems have grown in number and sophistication in recent years, as observed recently in the case of Industroyer 2 and PIPEDREAM (aka INCONTROLLER).

Dr. Guri is no stranger to coming up with novel techniques to extract sensitive data from offline networks, with the researcher concocting four different approaches since the start of 2020 that leverage various side-channels to surreptitiously siphon information.

These include BRIGHTNESS (LCD screen brightness), POWER-SUPPLaY (power supply unit), AIR-FI (Wi-Fi signals), and LANtenna (Ethernet cables). The latest approach is no different, wherein it takes advantage of the Serial ATA cable to achieve the same goals.

Serial ATA is a bus interface and an Integrated Drive Electronics (IDE) standard that’s used to transfer data at higher rates to mass storage devices. One of its chief uses is to connect hard disk drives (HDD), solid-state drives (SSD), and optical drives (CD/DVD) to the computer’s motherboard.

Unlike breaching a traditional network by means of spear-phishing or watering holes, compromising an air-gapped network requires more complex strategies such as a supply chain attack, using removable media (e.g., USBStealer and USBFerry), or rogue insiders to plant malware.

For an adversary whose aim is to steal confidential information, financial data, and intellectual property, the initial penetration is only the start of the attack chain that’s followed by reconnaissance, data gathering, and data exfiltration through workstations that contain active SATA interfaces.

In the final data reception phase, the transmitted data is captured through a hidden receiver or relies on a malicious insider in an organization to carry a radio receiver near the air-gapped system. “The receiver monitors the 6GHz spectrum for a potential transmission, demodulates the data, decodes it, and sends it to the attacker,” Dr. Guri explained.

As countermeasures, it’s recommended to take steps to prevent the threat actor from gaining an initial foothold, use an external Radio frequency (RF) monitoring system to detect anomalies in the 6GHz frequency band from the air-gapped system, or alternatively polluting the transmission with random read and write operations when a suspicious covert channel activity is detected.