How Data Can Be Stolen from Air-Gapped Machines Using SATA Cables

By Riley ThompsonTechnology News

Researchers Demonstrate Data Theft from Air-Gapped Machines via SATA Cables

Experts from Israel’s Ben-Gurion University have developed a new method for extracting data from machines that are physically isolated from any networks and potentially dangerous peripherals. This time, the researchers proposed using Serial Advanced Technology Attachment (SATA) cables, turning them into wireless antennas.

Air-gapped machines, which are isolated from external influences, are often found in government, military, and corporate networks. These systems typically store classified documents and confidential information. For years, researchers have devised various methods to extract data from such protected devices, using everything from LEDs to fan speeds (a list of studies is provided at the end of the article).

The new attack is called SATAn because it uses Serial ATA (SATA) cables. As is often the case with such attacks, for a SATA-based attack to succeed, an attacker must first infect the target machine with malware that collects and prepares the necessary data for transmission. Although this is a challenging task, the researchers focus solely on the data extraction process, leaving the infection method outside the scope of their study.

SATAn is based on the fact that SATA cables can transmit electromagnetic signals at frequencies between 5.9995 and 5.9996 GHz, which can correspond to specific symbols. The SATA interface is capable of generating radio signals during certain read and write operations. The malware developed by the researchers intercepts legitimate software processes to perform read/write operations in a specific sequence, allowing it to transmit stolen data.

During their research, the experts successfully transmitted the word “SECRET” from an air-gapped machine to a nearby computer using electromagnetic signals. The receiver in this scenario can be either a process on a neighboring computer or a dedicated hardware solution.

A demonstration of the successful attack can be seen in the video below.

The researchers note that experiments with different systems and configurations showed that the maximum distance from the air-gapped computer to the receiver cannot exceed 120 centimeters (about 4 feet); otherwise, the error rate becomes too high (over 15%) to ensure data integrity.

The distance between the transmitter and receiver affects the time required to send data. Depending on the distance, transmitting a three-bit sequence took between 0.2 and 1.2 seconds. On average, data was transmitted at a rate of 1 bit per second.

Additionally, it was observed that the signal quality on the SATA cable drops significantly if virtual machines are used to perform read/write operations.

Protection Against Such Attacks

As a defense against these types of attacks, the researchers suggest using a SATA jammer, which could monitor suspicious read/write operations and intentionally add noise to the resulting signal. However, they acknowledge that in practice, distinguishing between legitimate and malicious operations can be difficult.

Other Data Exfiltration Methods from Ben-Gurion University Researchers

  • USBee: Turns almost any USB device into an RF transmitter for data exfiltration from a secured PC.
  • DiskFiltration: Captures information by recording the sounds made by a computer’s hard drive during operation.
  • AirHopper: Uses the FM receiver in a mobile phone to analyze electromagnetic emissions from a computer’s video card and convert them into data.
  • Fansmitter: Adjusts the fan speed on an infected machine, changing the fan’s tone, which can be listened to and recorded to extract data.
  • GSMem: Transfers data from an infected PC to any GSM phone, even the oldest models, using GSM frequencies.
  • BitWhisper: Uses thermal sensors and fluctuations in heat energy.
  • Unnamed attack: Uses flatbed scanners and smart bulbs to transmit information.
  • HVACKer and aIR-Jumper: Steals data using surveillance cameras equipped with IR LEDs (infrared light-emitting diodes) and by using HVAC systems as a bridge to air-gapped networks.
  • MOSQUITO: Proposes extracting data using ordinary headphones or speakers.
  • PowerHammer: Suggests using standard power cables for data exfiltration.
  • CTRL-ALT-LED: Uses the Caps Lock, Num Lock, and Scroll Lock LEDs to extract information.
  • BRIGHTNESS: Extracts data by changing the brightness of the monitor screen.
  • AIR-FI: Uses RAM as an improvised wireless transmitter for data transfer.

A more comprehensive list of the researchers’ studies on compromising air-gapped machines can be found here.

Leave a Reply