One way to protect computer networks from malicious attacks is to disconnect them from the internet. This method, known as air-gapping, creates a physical barrier between the network and the attackers in the outside world.
But air-gapped computers are not completely safe. Hackers have developed different ways to infect them using portable devices such as USB drives. The famous 2010 Stuxnet attack used this method of infection to inject malware capable of disabling centrifuge equipment in the Iranian nuclear program.
But getting malware in is only one part of the challenge. Another is to find a way to get information out of an air-gapped network. Cybersecurity researchers are studying different techniques, such as using computer keyboard lights or the noise from fans to transmit data.
Now Mordechai Guri, a cybersecurity researcher at Ben-Gurion University in Israel, has found another way: the use of SATA cables inside the computer as wireless aerials to broadcast information through radio waves.
The SATA cable connects the motherboard data bus to a mass storage device such as a solid-state drive, optical drive or hard disc drive. The cables are a few centimeters long and most operate at a data rate of 6 Gb/sec.
Guri’s idea is to modulate the transmission of information along the cable in such a way as to generate radio signals that can be picked up nearby by monitoring equipment in the 6 GHz radio band. “The SATA interface is very useful to attackers in many computers, devices, and networking environments,” he said.
To test the idea, Guri wrote code capable of generating these signals and loaded it onto an air-gapped desktop PC. This code causes the computer’s SATA cable to transmit data at a rate of about 1 bit/sec.
He then used a laptop placed about a meter away to monitor transmissions in the 6 GHz band, decoding the word “SECRET” from the prohibited broadcasts. “We have shown that attackers can exploit the SATA cable as an antenna to transmit radio signals in the 6 GHz frequency band,” Guri said.
Guri also demonstrated that the attack can be performed from within a guest virtual machine, making it more capable.
He went on to outline various measures to prevent this type of attack. “Preventing initial entry is the first step that should be taken as a preventative measure,” he said.
Ensuring that there are no nearby devices capable of recording signals is also a reasonable measure currently used in secure NATO and US facilities.
It should also be possible to create code that monitors any unusual activity related to SATA cables. Another option is to monitor the 6 GHz frequency, look for unexpected broadcasts or even jam those frequencies.
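A sketch of the first countermeasure, monitoring for unusual SATA activity, as an added example that is not code from Guri's paper. It assumes the transmitter keys bits as near-identical bursts of read activity separated by idle slots (the article only says the transfers are modulated); the sample data, function names and thresholds are constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed per-second "sectors read" deltas for one disk (not real captures).
KEYED = [4096, 0, 4100, 4090, 0, 0, 4096, 0, 4102, 0, 0, 4096,
         4094, 0, 4096, 0, 4098, 4096, 0, 0, 4100, 0, 4096, 0]
DESKTOP = [0, 12000, 300, 0, 0, 45, 0, 9000, 0, 0, 640, 0,
           0, 2200, 0, 16, 0, 0, 5100, 0, 0, 0, 88, 0]
BACKUP = [5200, 4800, 6100, 5500, 4900, 5300,
          5800, 5100, 4700, 6000, 5400, 5000]


def keyed_io_score(deltas, idle_max=8):
    """Return (busy/idle transitions, variation of the busy levels).

    A sample counts as busy when it exceeds idle_max sectors. The second
    value is the coefficient of variation (stdev / mean) of the busy
    samples, or None when fewer than two samples are busy.
    """
    busy = [d > idle_max for d in deltas]
    transitions = sum(a != b for a, b in zip(busy, busy[1:]))
    levels = [d for d, is_busy in zip(deltas, busy) if is_busy]
    if len(levels) < 2:
        return transitions, None
    return transitions, pstdev(levels) / mean(levels)


def looks_keyed(deltas, idle_max=8, min_transitions=8, cv_max=0.10):
    """Heuristic: frequent on/off switching with near-identical burst sizes.

    Ordinary workloads either stay busy (few transitions) or produce
    bursts of very different sizes (high variation), so both conditions
    must hold before the window is flagged.
    """
    transitions, cv = keyed_io_score(deltas, idle_max)
    return cv is not None and transitions >= min_transitions and cv < cv_max


if __name__ == "__main__":
    for name, window in (("keyed", KEYED), ("desktop", DESKTOP),
                         ("backup", BACKUP)):
        print(name, keyed_io_score(window), looks_keyed(window))
```

On a live Linux host the deltas could be taken from successive reads of the sectors-read counter in `/proc/diskstats`; thresholds would need tuning against the site's normal workloads.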
Guri doesn’t mention any evidence that attacks like this are used in the real world (although that doesn’t guarantee they don’t exist). However, cybersecurity researchers regularly publish new exploits like this one so that countermeasures can be easily applied to potentially vulnerable facilities (although the publication also reveals how the exploit is carried out in the first place).
Ref: SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables: arxiv.org/abs/2207.07413