Air-fi Rete locale Giacomo Lanzi

Air-Fi: attacking computers that are disconnected and without network hardware is possible

Estimated reading time: 5 minutes

To keep secret information out of reach of attackers, organizations place it on devices that are not connected to any network. This is to avoid any possibility of communication with the Internet. These machines are called air-gapped . As safe as it may seem, infecting such a machine or network segment isn’t actually that difficult. Extracting the information obtained is much more difficult, but it was still possible with the Air-Fi technique .

To study an exploit of this scenario, all kinds of clever methods come into play, and Mordechai Guri, a researcher at Ben-Gurion University of the Negev (Israel), specializes in finding them. Dr. Guri is not the only one, of course, but in recent years, he has been involved in the discovery of a few dozen of these methods. Un new study describes how to extract data from an isolated computer, this time using Wi-Fi technology (hence the name Air-Fi ).

Air-fi Local network

How the Air-Fi method works

The beauty of Air-Fi is that it works even if the target computer has no Wi-Fi hardware. It relies on malware already installed on the device that can use the bus of DDR SDRAM memory to generate electromagnetic radiation at a frequency of 2.4 GHz . Malware can encode necessary data in variations of this radiation, and any device with a Wi-Fi receiver, including another compromised device, can collect and intercept the generated signals. This other device could be a regular smartphone or even a smart light bulb.

The Air-Fi method is particularly unpleasant from a cybersecurity point of view. It does not require administrator rights on the isolated computer; a normal user account can do the job. Also, using a virtual machine doesn’t provide any protection; VMs have access to memory modules.

Transmission range and speed

The researchers transmitted data without noteworthy distortion at a distance of up to 2-3 meters (in one case, up to 8 meters) and a speed of up to 100 bits per second , depending on the hardware of the infected computer and the type of receiver. Like most similar methods, it’s not very fast. Transferring a 20MB file would take 466 hours, for example. That said, the 1,300-byte “Jingle Bells” text could be transferred in 90 seconds. In this light, stealing a username and password with this technique seems entirely realistic.

Air-Fi RAM

How an attack could work

Infecting a air-gapped system with malware is not difficult. An attacker can easily do this by contaminating a USB drive, using social engineering or by tricking staff. Once done, the attacker would then have to infect a nearby WiFi-capable device to receive the leaked data. For this, the attacker can infect nearby desktops, laptops or even smartphones of personnel operating the target system with air-gapped .

To prevent this type of physical attack on the company, you may want to consider our service of physical test your company’s security !

After a successful infection, the malware steals data from the air-gapped system, leaking it into the air as Wi-Fi for the receiving device. As the researchers explained:

As part of the exfiltration phase, the attacker could collect data from compromised computers. The data can be documents, key records, credentials, encryption keys, etc. Once the data is collected, the malware starts the secret Air-Fi channel . It encodes the data and transmits it in the air (in the 2.4 GHz Wi-Fi band) using the electromagnetic emissions generated by the DDR SDRAM buses.

The following video shows a possible attack scenario.

The extraordinary absence of wi-fi hardware

As we have seen, the Air-Fi attack does not require specific Wi-Fi hardware to be installed on the target machines. How is it possible?

It is shown that the attack uses DDR SDRAM memory buses to generate electromagnetic emissions in the frequency band typical of the Wi-Fi protocol , ie 2.4 GHz Furthermore, it is also possible to encode data in binary code without specific privileges . Using a virtual machine doesn’t help, as they typically have access to hardware RAM anyway.

Communication between CPU and RAM modules takes place via a bus synchronized with the system clock . This generates electromagnetic radiation which will have a frequency related to the clock frequency. In the case of the DDR4 memory blocks it is around 2.4 GHz.

If the frequency of the modules is not the correct value, it is still possible to overclock or downclock the memory speed by adjusting it to the Wi-Fi frequency of 2.4 GHz.

In short, a machine that uses RAM blocks could still find a way to use them for data transmission. Of course, it all starts with a first compromise that installed malware on the machine.

How to defend yourself from Air-Fi

The use of Air-Fi involves electromagnetic emissions. It is possible to counter the strategy by using the following measures:

  • Do not allow Wi-Fi enabled devices to approach air-gapped systems for any reason
  • Monitor isolated systems for suspicious processes
  • Shielding the computer in a Faraday cage
  • Using SOCaaS to monitor networked machines
  • Control operations and visits to the company in order to eliminate the possibility of infection via USB stick

Like all similar methods, Air-Fi is too slow and difficult for common cybercriminals to use for everyday attacks. However, if your company is using air-gapped machines for data storage, it is certainly better to take cover, given the recent data hunger of cyber crime < / em>.

We recommend that you consider adopting a SOCaaS to prevent the use of malware, run regular procedures for verifying corporate security, both virtual ( Vulnerability Assessment & amp; Penetration Test ) and physical, as previously suggested, through our dedicated test service .

Contact us to find out how we can help you and how our services can secure your company data, we will be happy to answer any questions.

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS Dark Reading

RSS Full Disclosure

  • APPLE-SA-2021-09-23-1 iOS 12.5.5 September 24, 2021
    Posted by Apple Product Security via Fulldisclosure on Sep 24APPLE-SA-2021-09-23-1 iOS 12.5.5 iOS 12.5.5 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212824. CoreGraphics Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation) Impact: Processing a maliciously […]
  • APPLE-SA-2021-09-23-2 Security Update 2021-006 Catalina September 24, 2021
    Posted by Apple Product Security via Fulldisclosure on Sep 24APPLE-SA-2021-09-23-2 Security Update 2021-006 Catalina Security Update 2021-006 Catalina addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212825. XNU Available for: macOS Catalina Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of […]
  • openvpn-monitor Cross-Site Request Forgery (CSRF) September 24, 2021
    Posted by Advisories on Sep 24############################################################# # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ############################################################# # # Product: openvpn-monitor # Vendor: https://github.com/furlongm/openvpn-monitor # CSNC ID: CSNC-2021-011 # CVE ID: CVE-2021-31604 # Subject: Cross-Site Request Forgery (CSRF) # Severity: Medium # Effect: Denial of Service #...
  • openvpn-monitor OpenVPN Management Socket Command Injection September 24, 2021
    Posted by Advisories on Sep 24############################################################# # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ############################################################# # # Product: openvpn-monitor # Vendor: https://github.com/furlongm/openvpn-monitor # CSNC ID: CSNC-2021-010 # CVE ID: CVE-2021-31605 # Subject: OpenVPN Management Socket Command Injection # Severity: High # Effect: Denial of...
  • openvpn-monitor Authorization Bypass September 24, 2021
    Posted by Advisories on Sep 24############################################################# # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ############################################################# # # Product: openvpn-monitor # Vendor: https://github.com/furlongm/openvpn-monitor # CSNC ID: CSNC-2021-009 # CVE ID: CVE-2021-31606 # Subject: Authorization Bypass # Severity: Medium # Effect: Denial of Service # Author:...
  • Backdoor.Win32.Minilash.10.b / Remote Denial of Service (UDP Datagram) September 21, 2021
    Posted by malvuln on Sep 21Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/3c407448a00b2d53b2418f53b66d5b6b.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Minilash.10.b Vulnerability: Remote Denial of Service (UDP Datagram) Description: The Minilash malware listens on TCP 6711 and UDP port 60000. Third-party attackers who can reach infected systems can send a specially […]
  • Backdoor.Win32.Hupigon.asqx / Unauthenticated Open Proxy September 21, 2021
    Posted by malvuln on Sep 21Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/a344b767d58b6c83b92bb868727e021c.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Hupigon.asqx Vulnerability: Unauthenticated Open Proxy Description: The malware listens on TCP port 8080. Third-party attackers who can connect to the infected system can relay requests from the original connection to the...
  • Trojan.Win32.Agent.xaamkd / Insecure Permissions September 21, 2021
    Posted by malvuln on Sep 21Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/095651e1704b501123b41ea2e9736820.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Trojan.Win32.Agent.xaamkd Vulnerability: Insecure Permissions Description: The malware creates an dir with insecure permissions under c:\ drive and grants change (C) permissions to the authenticated user group. Standard users can rename the...
  • APPLE-SA-2021-09-20-10 iTunes 12.12 for Windows September 21, 2021
    Posted by product-security-noreply--- via Fulldisclosure on Sep 21APPLE-SA-2021-09-20-10 iTunes 12.12 for Windows iTunes 12.12 for Windows addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212817. ImageIO Available for: Windows 10 and later Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: This issue was addressed with […]
  • APPLE-SA-2021-09-20-9 iTunes U 3.8.3 September 21, 2021
    Posted by product-security-noreply--- via Fulldisclosure on Sep 21APPLE-SA-2021-09-20-9 iTunes U 3.8.3 iTunes U 3.8.3 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212809. iTunes U Available for: iOS 12.4 and later or iPadOS 12.4 and later Impact: Processing a maliciously crafted URL may lead to arbitrary javascript code execution Description: […]

Customers

Newsletter