Air-Fi: attacking computers that are disconnected and have no network hardware is possible
Estimated reading time: 5 minutes
To keep secret information out of reach of attackers, organizations place it on devices that are not connected to any network, ruling out any possibility of communication with the Internet. These machines are called air-gapped. As safe as that may seem, infecting such a machine or network segment is not actually that difficult. Extracting the information obtained is much harder, but the Air-Fi technique shows it is still possible.
Exploiting this scenario calls for all kinds of clever methods, and Mordechai Guri, a researcher at Ben-Gurion University of the Negev (Israel), specializes in finding them. Dr. Guri is not the only one, of course, but in recent years he has been involved in the discovery of a few dozen of these methods. A new study describes how to extract data from an isolated computer, this time using Wi-Fi technology (hence the name Air-Fi).
How the Air-Fi method works
The beauty of Air-Fi is that it works even if the target computer has no Wi-Fi hardware. It relies on malware already installed on the device that uses the DDR SDRAM memory bus to generate electromagnetic radiation at a frequency of 2.4 GHz. The malware encodes the data it wants to leak as variations in this radiation, and any device with a Wi-Fi receiver, including another compromised device, can pick up and decode the generated signals. That other device could be a regular smartphone or even a smart light bulb.
The Air-Fi method is particularly unpleasant from a cybersecurity point of view. It does not require administrator rights on the isolated computer; a normal user account can do the job. Running the workload inside a virtual machine does not provide any protection either, because VMs still have access to the memory modules.
Transmission range and speed
The researchers transmitted data without noteworthy distortion at a distance of up to 2-3 meters (in one case, up to 8 meters) and at a speed of up to 100 bits per second, depending on the hardware of the infected computer and the type of receiver. Like most similar methods, it is not very fast: transferring a 20 MB file would take 466 hours, for example. That said, the 1,300-byte "Jingle Bells" text could be transferred in 90 seconds. In this light, stealing a username and password with this technique seems entirely realistic.
How an attack could work
Infecting an air-gapped system with malware is not difficult. An attacker can do this by contaminating a USB drive, by using social engineering or by tricking staff. Once that is done, the attacker also has to infect a nearby Wi-Fi-capable device to receive the leaked data. For this, the attacker can infect nearby desktops, laptops or even the smartphones of the personnel who operate the air-gapped target system.
To prevent this type of physical attack on the company, you may want to consider our physical security testing service for your company!
After a successful infection, the malware steals data from the air-gapped system and leaks it over the air as Wi-Fi signals to the receiving device. As the researchers explained:
As part of the exfiltration phase, the attacker could collect data from compromised computers. The data can be documents, key records, credentials, encryption keys, etc. Once the data is collected, the malware starts the secret Air-Fi channel. It encodes the data and transmits it in the air (in the 2.4 GHz Wi-Fi band) using the electromagnetic emissions generated by the DDR SDRAM buses.
The following video shows a possible attack scenario.
The extraordinary absence of Wi-Fi hardware
As we have seen, the Air-Fi attack does not require specific Wi-Fi hardware to be installed on the target machines. How is it possible?
The attack uses the DDR SDRAM memory buses to generate electromagnetic emissions in the frequency band typical of the Wi-Fi protocol, i.e. 2.4 GHz. Furthermore, the data can be encoded in binary on that emission without any specific privileges. Using a virtual machine does not help, as VMs typically have access to the hardware RAM anyway.
Communication between the CPU and the RAM modules takes place over a bus synchronized with the system clock. This generates electromagnetic radiation whose frequency is related to the clock frequency; in the case of DDR4 memory modules it is around 2.4 GHz.
If the frequency of the modules is not the right value, the memory speed can still be overclocked or downclocked to match the 2.4 GHz Wi-Fi frequency.
In short, any machine that uses RAM modules offers a way to use them for data transmission. Of course, it all starts with an initial compromise that installs malware on the machine.
How to defend yourself from Air-Fi
Air-Fi relies on electromagnetic emissions. The following measures counter it:
- Do not allow Wi-Fi enabled devices to approach air-gapped systems for any reason
- Monitor isolated systems for suspicious processes
- Shield the computer in a Faraday cage
- Use a SOCaaS to monitor networked machines
- Control operations and visits to the company in order to eliminate the possibility of infection via USB stick
Like all similar methods, Air-Fi is too slow and difficult for common cybercriminals to use in everyday attacks. However, if your company stores data on air-gapped machines, it is certainly better to take cover, given the recent data hunger of cyber crime.
We recommend that you consider adopting a SOCaaS to prevent the use of malware and that you run regular procedures for verifying corporate security, both virtual (Vulnerability Assessment & Penetration Test) and physical, as suggested above, through our dedicated test service.
Contact us to find out how we can help you and how our services can secure your company data; we will be happy to answer any questions.