Hackers can now steal data from isolated PCs via SATA cables
In May 2020, researchers were able to demonstrate how attackers can steal data from an isolated PC by turning RAM into a Wi-Fi card. Today at the University of the Negev, Israel, researchers have published a study titled “SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables”, authored by Mordechai Guri, proving that hackers can extract data from a seemingly secure system by exploiting its SATA cable.
The attack was named SATAn. It should be noted that the SATA connection is used in hundreds of thousands of devices around the world to connect hard drives and SSDs to the PC.
SATAn Exploit Explained
The researchers demonstrated that an attacker could use the SATA cable as a wireless transmitter and intercept the data it carries in the form of radio signals in the 6 GHz band. This is a complex attack requiring the attacker to install specific malware on the target machine and use specially crafted shellcode to modify file system activity, which generates identifiable radio signals through SATA cables.
Once the malware is installed, it starts to encode the data to be stolen, using different types of file system access, such as reads and writes, to generate a signal on the SATA cable.
The researcher noted that write or read operations can create the correct signals more efficiently, but read operations do not require higher system-level permissions and generate signals that are up to 3 dB stronger. The attacker can receive this signal on a nearby device if the receiver is within one meter of the transmitter.
In this case, a laptop with a software-defined radio receiver was used for signal reception. The researchers entered “Secret” on their targeted device, which the second machine retrieved.
Why does this technique work?
Isolated systems are where the world’s most sensitive data is typically stored. These systems are not connected to a network, the Internet, or anything else in the outside world. Additionally, an air-gapped system does not rely on hardware that enables wireless communication, such as Wi-Fi or Bluetooth.
Therefore, stealing data from these systems involves advanced and highly sophisticated skills. This attack works by converting the standard SATA cable into a radio transmitter without physically modifying the hardware. The SATA bus creates electromagnetic interference during normal operation, and this interference is manipulated to transmit data.
According to the university report, the researcher used the cable as a wireless antenna operating on the 6 GHz frequency band to transmit a short message to a nearby laptop computer. However, attackers can use this technique with keyloggers to steal sensitive data, including passwords, files, and images.
Should you be worried?
Using this technique, an attacker can exfiltrate data from systems that aren’t even connected to the Internet and transmit the data to a receiver 1 meter away. And, they don’t need to physically modify the SATA cable or hardware since this is a pure software attack. The attacker can use a VM (virtual machine) to achieve this technique.
But, it is a complex method, and the attacker needs access to the target computer because he has to install the malware directly on an isolated system.
Additionally, SATA signal output is generally weak; therefore, it is not a flawless attack technique, and many countermeasures can help prevent it. Examples include using network security protocols and technologies, enabling electromagnetic shielding, completely avoiding the use of SATA drives, and opting for M.2 drives.