Attack turns SDRAM buses into a Wi-Fi radio to leak data from air-gapped computers.
Super-secure air-gapped computers are vulnerable to a new type of attack that can turn a PC’s memory module into a makeshift Wi-Fi radio, which can then transmit sensitive data wirelessly at 100 bits per second to a receiver nearly six feet away.
Noted air-gap researcher Mordechai Guri created the proof-of-concept (PoC) attack and described it in a research paper released earlier this month under the auspices of Ben-Gurion University of the Negev, Israel’s cybersecurity research center.
“Malware in a compromised air-gapped computer can generate signals in the Wi-Fi frequency bands. The signals are generated through the memory buses — no special hardware is required,” Guri wrote (PDF).
A memory bus is the set of wires and conductors that connects a computer’s main memory to the central processing unit or memory controller and carries data between them.
Wireless Wonder Hack
In his proof-of-concept attack, Guri showed how an adversary could manipulate the electrical current on a system’s DDR SDRAM bus in order to generate electromagnetic waves and transmit a weak Wi-Fi signal (2.4 GHz). It’s not a quick attack though: at a top speed of 100 bps, it would take 22 hours and 13 minutes to send 1MB of data to a receiving device no more than 69 inches away.
“Since the clock speed of memory modules is typically around the frequency of 2.4 GHz or its harmonics, the memory operations generate electromagnetic emissions around the IEEE 802.11b/g/n Wi-Fi frequency bands,” Guri wrote.
The hack requires precisely timed read-write operations, driven by malware installed on the targeted computer. The principle behind this type of attack is that electronic components generate electromagnetic waves as they operate, and radio frequency transmitters such as routers are themselves based on a form of electromagnetic radiation. Hence what Guri calls his AIR-FI hack: a transmitter built from deliberately manipulated electromagnetic emissions.
This air-gap attack vector skips one important detail – how to sneak the malicious code onto the targeted system to begin with, and how to collect the data once pried from the target.
Guri explains that planting the malware could be done by a nation-state adversary at the time of manufacturing, during the shipping of equipment, or simply via an infected USB drive plugged into the targeted computer. As for collecting the data, researchers say a nearby Wi-Fi capable device such as a smartphone, laptop or internet-of-things (IoT) device could work.
An attacker could “intercept these signals, decode them and send them to the attacker over the internet,” he wrote. In previous research, Guri showed how a wide range of IoT devices, such as smart bulbs and smart locks, could be used as part of the export chain of data.
Speeds and Feeds
Wireless transmission error rates, speeds and proximity varied widely based on the systems used in the PoC attacks. For example, specially crafted malware running on a relatively robust air-gapped PC with an ASRock ATX motherboard and an Intel Core i7 3.2 GHz CPU sporting 4GB of Crucial 2.4GHz DDR4 SDRAM, on the Ubuntu operating system, delivered the best results.
“We transmitted the data at a bit rate of 100 bps and maintained a bit error rate (BER) of 8.75 percent for a distance up to 180 cm from the transmitter. Note that due to the local ramifications and interference, the signal quality may vary with the distance and location of the receiver,” he wrote.
Researchers said they were able to manipulate the ambient electromagnetic signals of the memory modules by using a feature introduced by chipmaker Intel that is designed to allow gamers to overclock their systems for better performance. The feature, Extreme Memory Profile (XMP), allows anyone to manipulate the latency of the read command delivered between the processor and the DDR SDRAM hardware.
“The memory buses generate electromagnetic radiation at a frequency correlated to its clock frequency and harmonics. For example, DDR4-2400 emits electromagnetic radiation at around 2400 MHz,” researchers wrote.
Guri said there are many ways to protect against such attacks, such as banning network-connected phones, laptops or IoT gear near air-gapped hardware. Wi-Fi jamming would also thwart a potential attack of this nature.
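How a defender might spot the slowly keyed emission described above, as an added example that is not code from the article or from Guri’s paper: it assumes a nearby monitoring receiver that reports received power in 1 ms bins at the memory-clock frequency, an on/off-keyed signal at the article’s 100 bps (10 ms per bit), and constructed sample traces. The detector scores how often whole bit periods sit at a single level, which a channel carrying ordinary short, irregular Wi-Fi frames does not.

```python
import random

BIT_PERIOD_MS = 10   # 1 / 100 bps, the bit rate the article reports
BIN_MS = 1           # assumed reporting interval of the monitoring receiver
NOISE_DBM, CARRIER_DBM = -90.0, -60.0   # assumed noise floor and emission level

def constructed_trace(kind, n_ms, seed=7):
    """Constructed sample input: received power (dBm) per 1 ms bin near the memory-clock frequency."""
    rng = random.Random(seed)
    trace = [NOISE_DBM] * rng.randint(0, BIT_PERIOD_MS - 1)   # unknown bit phase at the receiver
    if kind == "keyed":   # assumed on/off keying: one level held for a whole 10 ms bit period
        while len(trace) < n_ms:
            level = CARRIER_DBM if rng.random() < 0.5 else NOISE_DBM
            trace += [level + rng.uniform(-1, 1) for _ in range(BIT_PERIOD_MS)]
    else:                 # ordinary Wi-Fi activity: short frames at irregular times
        while len(trace) < n_ms:
            trace += [NOISE_DBM + rng.uniform(-1, 1) for _ in range(rng.randint(1, 15))]
            trace += [CARRIER_DBM + rng.uniform(-1, 1) for _ in range(rng.randint(1, 4))]
    return trace[:n_ms]

def homogeneous_fraction(trace, threshold, offset):
    """Fraction of bit-period windows (starting at `offset`) whose bins all lie on one side of threshold."""
    bins = BIT_PERIOD_MS // BIN_MS
    windows = [trace[i:i + bins] for i in range(offset, len(trace) - bins + 1, bins)]
    same = sum(all(x > threshold for x in w) or all(x <= threshold for x in w) for w in windows)
    return same / len(windows)

def keying_score(trace, threshold=-75.0):
    """Best alignment over all bit phases: about 1.0 for a 100 bps keyed carrier, low for bursty frames."""
    return max(homogeneous_fraction(trace, threshold, o) for o in range(BIT_PERIOD_MS // BIN_MS))

def looks_like_keyed_carrier(trace, threshold=-75.0, min_score=0.85):
    """Alert only when both levels are present (an idle channel is also 'homogeneous') and the keying aligns."""
    on_fraction = sum(x > threshold for x in trace) / len(trace)
    return 0.1 < on_fraction < 0.9 and keying_score(trace, threshold) >= min_score

if __name__ == "__main__":
    for kind in ("keyed", "wifi"):
        t = constructed_trace(kind, 3000)
        print(kind, round(keying_score(t), 2), looks_like_keyed_carrier(t))
```

A real deployment would feed the score from a spectrum analyser or SDR watching the harmonic of the installed modules’ clock, and only a sustained score over many minutes, in line with the hours-long transfers the article describes, should raise an alert.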
Further air-gap research authored by Guri can be found at his Air-Gap Research Page.