A New Type of Attack Uses Signals Generated by RAM to Steal Data From Systems Without Wi-Fi Cards
Keeping secrets is easier said than done. The measures required to safeguard a secret are usually proportional to its importance. If we’re talking about a bit of juicy gossip that you don’t want the neighbors to hear, then you’re probably safe with simply not telling the wrong people. For data that’s a bit more important, like your bank account login or your email account, there’s things like SSL/TLS certificates. But for the highest level of security, in the event that you’re dealing with state secrets or mission-critical, proprietary company information, you’ll want to go with an air-gapped system.
Air gapping refers to there being a physical barrier (or “air”) between the data-repository and the outside world. Basically, it means that the storage machine has no way to access any sort of networks or means of communication. And considering the day and age we’re living in, where even a coffee pot can fall victim to a ransomware attack, a total disconnect seems like the only way to 100% security. So air gapping – sounds good, right?
Not so fast, my friend. Researchers from Israel’s Ben-Gurion University of the Negev would like to have a word with you. In their recently published paper, AIR-FI: Generating Covert Wi-Fi Signals from Air-Gapped Computers, they explain a method they’ve discovered that allows one to essentially convert a RAM card into a wireless emitter. That said emitter is able to send sensitive data from an air-gapped computer that doesn’t even have a Wi-Fi card on board.
Noted air-gap researcher Mordechai Guri spearheaded the project, dubbed “AIR-FI”, and came up with the idea of exploiting the electromagnetic waves that are produced by an air-gapped system. The way the attack is carried out is via malware that has been loaded onto the machine. As Dr. Guri explains,
Malware in a compromised air-gapped computer can generate signals in the Wi-Fi frequency bands. The signals are generated through the memory buses — no special hardware is required.
An attacker would then use a Wi-Fi capable receiving device to grab the data as it’s being sent out.
So what lead the researchers down this path? How exactly does the exploit work? And how can air-gapped systems be protected from such an attack?
Let’s hash it out.
A History of Air Gap Research
AIR-FI isn’t the first air-gap attack method to come from Guri’s group. Guri, who is head of R&D at the Ben-Gurion University of the Negev in Israel, has spent the last five years working on projects that aim to find new vulnerabilities in air-gapped systems.
Some of the other notable air-gap attack vectors discovered by Dr. Guri and his team include:
- LED-it-Go – uses an HDD’s activity LED to extract data.
- USBee – steals data by instructing a USB connector’s data bus to emit electromagnetic emissions that can be measured.
- aIR-Jumper – takes advantage of the infrared capabilities of security cameras.
- MOSQUITO – uses headphones and speakers as the means of attack.
- AiR-ViBeR – looks at the fan vibrations of a user’s machine
Why Do It?
Dr. Guri focuses his research on methods that are referred to as “covert data exfiltration channels.” These aren’t the conventional attack types that we usually see from hackers (which are usually more straightforward, with the goal of simply gaining access to a particular computer), but rather unusual, unconventional, and unexpected ways to steal data that defenders aren’t anticipating. It’s not the typical thing that average users like you or I would worry about, but at the same time it’s a constant worry for the keepers of air-gapped networks.
Since air-gapped systems usually hold the highest of the high-value information, even the tiniest vulnerability could lead to a breach and a catastrophic chain of events. Those that depend on air-gapped systems, like government, military, or corporate entities, rely on research like Dr. Guri’s to continuously keep their secrets safe against a litany of ever-emerging new attack vectors. Studies like these force organizations to (hopefully) reexamine their system architecture and ensure the optimal level of protection can be maintained.
How It Works
The Theory Behind It
It all starts with electromagnetic waves. Every electronic component generates them as long as there is current flow present. Wi-Fi signals are a type of radio wave, which are in turn a type of electromagnetic wave. The theory behind AIR-FI is that a piece of code can theoretically play with the amount of current a RAM card is using in order to generate a wave whose frequency is within the normal Wi-Fi signal spectrum of 2.4 GHz. As Guri explains,
Since the clock speed of memory modules is typically around the frequency of 2.4 GHz or its harmonics, the memory operations generate electromagnetic emissions around the IEEE 802.11b/g/n Wi-Fi frequency bands.
The signal, which is a result of precisely timed read and write operations to RAM, can thus be received by any device with a Wi-Fi antenna that’s in relatively close physical proximity to an air-gapped system. This includes things like smartphones, laptops, smartwatches, and IoT devices. To achieve this end, the researchers made use of a feature designed by Intel, Extreme Memory Profile (XMP), that was created to let gamers overclock their PC’s for increased performance.
What’s even scarier is that root or admin privileges aren’t needed beforehand, so this is a pretty easy exploit to pull off if the other pieces of the puzzle are in place. Since AIR-FI can be deployed from a regular user process, it allows the attack to work on any OS as well as virtual machines.
The Infection Process
One major thing to note is that there are prerequisites for a hacker to carry out this type of attack successfully. It isn’t enough to just get physically close to an air-gapped system – they must first get malicious code onto the targeting machine. This could be achieved by a nefarious party while the device is being manufactured, during the testing or shipping process, or by a compromised USB storage drive inserted into the air-gapped computer. Social engineering and staff deception are oft-effective means to this end, and unfortunately no piece of code can fully protect against human error.
There also needs to be a method of extraction. As we discussed earlier, there’s no shortage of capable devices that have Wi-Fi capability including phones, laptops, tablets, and IoT machines. Smart devices aren’t safe either, and Guri has previously shown that IoT devices like smart locks and light bulbs could be used as part of the export process. Whatever the method, the basic steps are the same:
- Load malware onto air-gapped system.
- The malware steals data from the system.
- The malware uses the RAM to emit the data as a wireless signal that can be read by the receiving device.
- The receiving device collects the emitted data.
As the research paper explains,
As a part of the exfiltration phase, the attacker might collect data from the compromised computers. The data can be documents, key logging, credentials, encryption keys, etc. Once the data is collected, the malware initiates the AIR-FI covert channel. It encodes the data and transmits it to the air (in the Wi-Fi band at 2.4 GHz) using the electromagnetic emissions generated from the DDR SDRAM buses.
The Test Setup & Results
Now let’s take a look at the nitty gritty details of Dr. Guri’s test setup. Four workstations were used/hacked with the exploit. Each one was outfitted with 4GB DIMM DDR4 or DDR3 RAM memory sticks. No special hardware was used, just normal PC’s that were running on the Ubuntu operating system.
It’s important to remember that the wireless signals being emitted by the RAM don’t have a very long range. An attacker would need to be no more than a few feet away from an air-gapped system in order to be able to pull it off.
As for the specifics of the RAM’s signal output, researchers were able to reach a maximum transfer rate of about 100 bytes per second. If you’re looking to transmit a 1MB file, then hopefully you have a safe hiding spot set up because it would take roughly 22 hours to complete. Oh, and you also shouldn’t be more than 69 inches away.
Transmission speeds and error rates also depend greatly on the equipment used. Dr. Guri’s team found their best results with a system consisting of an ASRock ATX motherboard, Intel Core i7 3.2Ghz CPU, 4GB of Crucial 2.4GHz DDR4 SRAM, and the Ubuntu OS.
It’s not the most practical means of attack, but pretty much anything is possible, especially as the stakes get higher and higher.
Guri wrote about the results,
We transmitted the data at a bit rate of 100 bps and maintained a bit error rate (BER) of 8.75 percent for a distance up to 180 cm from the transmitter. Note that due to the local ramifications and interference, the signal quality may vary with the distance and location of the receiver.
It’s very likely that one could improve upon those numbers if they were able to test a wider range of components and configurations, however.
Protecting Your Air Gap
The research paper also suggests different countermeasures that can be used safeguard air-gapped systems from these sorts of unconventional attacks. Organizations can:
- Deploy signal-jamming equipment in the physical proximity of air-gapped systems to prevent the use of wireless signals.
- Ban all network-connected phones, laptops, tablets, and other devices so they can’t be used as a receiver.
- Use the zone separation measures suggested by the U.S. and NATO telecommunication security standards to reduce the risk of TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions) dangers.
- Employ runtime detection.
- Outfit machines with Faraday shielding to block electromagnetic waves.
Besides implementing these technical measures, organizations should also be sure to limit access to systems. No matter what type of data you’re trying to protect, whether it’s state secrets and air-gapped systems or simply the server you use for your website, it’s critical to be comprehensive because you never know where a breach could originate. And in the meantime, researchers like Dr. Guri will keep trying to find new ways in.