Computers are sometimes kept disconnected from the internet, or “air gapped”, to avoid remote hackers gaining access to steal data, but now there is a way to use a hard drive cable to transmit information via radio waves
26 July 2022
Hackers can covertly turn a cable inside a computer into a makeshift antenna that can secretly transmit sensitive data, even from “air-gapped” devices that are deliberately not connected to the internet.
Air-gapped computers are commonly used by government security services and key infrastructure control systems to prevent remote hackers from gaining access, but that doesn’t mean it is impossible to get data out.
Mordechai Guri at Ben-Gurion University of the Negev, Israel, has worked for years to develop a series of proof of concept attacks that use different components within computers as unusual transmitters. In the past he has managed to extract information by encoding it in rapid adjustments of screen brightness, deliberate temperature changes within a machine or flickering power LEDs.
Guri’s latest attack focuses on the Serial Advanced Technology Attachment (SATA) cables that connect CD, DVD and hard disc drives to the motherboard of most computers. He found that by deliberately creating a very specific series of superfluous data reads or writes from or to the drives, the cables can be made to create a radio wave at around 6 gigahertz. This wave can be used to encode and transmit data to a waiting hacker several metres away.
Forcing a computer to create these radio wave signals would involve installing a piece of malware, which Guri calls SATAn, on the air-gapped machine. This might seem like a challenge, but it is possible. A report published in 2021 by security company ESET says that at least 17 pieces of malware are known to exist that target air-gapped machines, but that they rely heavily on USB drives to infect machines. They also use USB drives for subsequent removal of data, which is transmitted back to the attacker once the drive is plugged into an internet-connected machine.
The report says that only one piece of malware, known as BadBIOS, has ever been claimed to use covert channels similar to SATAn to transmit data – but that its existence is hotly debated by researchers. The Stuxnet worm that targeted Iranian nuclear centrifuges and gave them commands that deliberately caused damage was thought to have been introduced to air-gapped networks via a USB drive, but wasn’t designed to remove data.
Guri says he doesn’t know if similar attacks to SATAn are actually taking place, but says that they are entirely plausible. “This attack is highly available since hard drives exist in all systems such as workstations and servers,” he says. “In addition, the malware uses legitimate read and write hard drive operations which are very challenging to detect and identify as malicious.”
He says that a Faraday cage around the computer that stops all electromagnetic signals would prevent this kind of attack, but for most applications this simply isn’t practical. Another potential measure would be to constantly create noise by reading and writing superfluous data to the hard disc, but that this comes with the downside that it places undue wear and tear on the component.
More on these topics: