A newly demonstrated method for leaking information across air gaps
uses Serial Advanced Technology Attachment (SATA[1]), or Serial ATA, cables as
the transmission medium, adding to a long list[2]
of electromagnetic, magnetic, electric, optical, and acoustic
side channels already shown to exfiltrate data from isolated systems.
“Although air-gap computers have no wireless connectivity, we
show that attackers can use the SATA cable as a wireless antenna to
transfer radio signals at the 6GHz frequency band,” Dr. Mordechai
Guri, the head of R&D in the Cyber Security Research Center in
the Ben Gurion University of the Negev in Israel, wrote[3] in a paper published
last week.
The technique, dubbed SATAn, takes advantage of
the prevalence of the computer bus interface, making it “highly
available to attackers in a wide range of computer systems and IT
environments.”
Put simply, the goal is to use the SATA cable as a covert
channel: malware on the isolated machine drives bus activity that emanates
electromagnetic signals, transferring a small amount of sensitive
information from a highly secured, air-gapped computer wirelessly to a
nearby receiver more than 1m away.
An air-gapped network[4]
is one that’s physically isolated from any other networks in order
to increase its security. Air-gapping is seen as an essential
mechanism to safeguard high-value systems that are of huge interest
to espionage-motivated threat actors.
That said, attacks targeting critical industrial control systems
have grown in number and sophistication in recent years, as
observed recently in the case of Industroyer 2[5]
and PIPEDREAM[6]
(aka INCONTROLLER).
Dr. Guri is no stranger to devising novel techniques to
extract sensitive data from offline networks, having published four
different approaches since the start of 2020 that leverage various
side channels to surreptitiously siphon information.
These include BRIGHTNESS[7]
(LCD screen brightness), POWER-SUPPLaY[8]
(power supply unit), AIR-FI[9]
(Wi-Fi signals), and LANtenna[10] (Ethernet cables). The
latest approach follows the same pattern, using the Serial ATA cable
to achieve the same goal.
Serial ATA is a computer bus interface and the serial successor to
the Parallel ATA (IDE) standard, designed to move data between the
motherboard and mass storage devices at higher rates than its
predecessor. Its chief use is to connect hard disk drives (HDD),
solid-state drives (SSD), and optical drives (CD/DVD) to the
computer's motherboard.
Unlike breaching a traditional network by means of
spear-phishing or watering holes, compromising an air-gapped
network requires more complex strategies such as a supply chain
attack, using removable media (e.g., USBStealer[11] and USBFerry[12]), or rogue insiders to
plant malware.
For an adversary whose aim is to steal confidential information,
financial data, and intellectual property, the initial penetration
is only the start of the attack chain that’s followed by
reconnaissance, data gathering, and data exfiltration through
workstations that contain active SATA interfaces.
In the final data reception phase, the transmitted data is
captured either by a hidden receiver or by a malicious insider in
the organization who carries a radio receiver near the air-gapped
system. “The receiver monitors the 6GHz spectrum for a potential
transmission, demodulates the data, decodes it, and sends it to the
attacker,” Dr. Guri explained.
As countermeasures, it is recommended to take steps to prevent
the threat actor from gaining an initial foothold in the first place,
to use an external radio frequency (RF) monitoring system to detect
anomalous emissions in the 6GHz band near the air-gapped system, or
to pollute the channel with random read and write operations when
suspicious covert-channel activity is detected.
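To make the covert channel and the last two countermeasures concrete, the following simulation, added here and not taken from the paper or the article, models the three parties: the malware keying SATA bus activity, a receiver that watches band power and slices it into bits, and a defender that either monitors the band or floods the bus with random I/O. The modulation (on-off keying against a known preamble), the symbol period, the linear emission model, the noise level and the payload are all assumptions of this example; the paper's own signal parameters are not given in the article.

```python
"""
Simulation of a SATAn-style covert channel and its countermeasures.
This is a constructed model written for illustration, not the
researchers' code. All parameters below are assumptions.
"""
import random
import statistics

SYMBOL_SAMPLES = 20      # assumed: receiver samples per transmitted bit
PREAMBLE = [1, 0] * 4    # assumed: known sync pattern used to set the threshold
IDLE_POWER = 0.1         # assumed: 6 GHz band power (arbitrary units) with the bus idle
BUSY_GAIN = 1.0          # assumed: added band power when the bus is saturated
NOISE_SIGMA = 0.1        # assumed: measurement noise per sample


def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def transmit(payload):
    """Malware side: on-off keying of SATA throughput. Bit 1 saturates the
    bus for one symbol period, bit 0 leaves it idle. Returns normalised
    bus throughput per sample in [0.0, 1.0]."""
    activity = []
    for bit in PREAMBLE + bytes_to_bits(payload):
        activity.extend([float(bit)] * SYMBOL_SAMPLES)
    return activity


def pollute(activity, rng):
    """Defender's jamming countermeasure: random saturating read/write bursts
    (assumed 0.5 to 3 symbol periods long, on with probability 0.5) overlaid
    on whatever the malware does. The bus cannot exceed saturation."""
    polluted = list(activity)
    i = 0
    while i < len(polluted):
        length = rng.randint(SYMBOL_SAMPLES // 2, 3 * SYMBOL_SAMPLES)
        if rng.random() < 0.5:
            for j in range(i, min(i + length, len(polluted))):
                polluted[j] = 1.0
        i += length
    return polluted


def band_power(activity, rng):
    """Channel model (assumed linear): emission in the 6 GHz band scales with
    bus throughput, plus Gaussian measurement noise at the receiver."""
    return [IDLE_POWER + BUSY_GAIN * a + rng.gauss(0.0, NOISE_SIGMA) for a in activity]


def receive(power):
    """Receiver side: average band power over each symbol period, derive the
    decision threshold from the known preamble, slice the rest into bits."""
    symbols = [statistics.fmean(power[i:i + SYMBOL_SAMPLES])
               for i in range(0, len(power) - len(power) % SYMBOL_SAMPLES, SYMBOL_SAMPLES)]
    pre, data = symbols[:len(PREAMBLE)], symbols[len(PREAMBLE):]
    ones = [s for s, b in zip(pre, PREAMBLE) if b == 1]
    zeros = [s for s, b in zip(pre, PREAMBLE) if b == 0]
    threshold = (statistics.fmean(ones) + statistics.fmean(zeros)) / 2
    return bits_to_bytes([1 if s > threshold else 0 for s in data])


def bit_error_rate(sent, got):
    a, b = bytes_to_bits(sent), bytes_to_bits(got)
    return sum(x != y for x, y in zip(a, b)) / len(a)


def band_anomaly_detected(power, window=4 * SYMBOL_SAMPLES):
    """External RF monitor: flag sustained band power well above the idle
    floor (assumed rule: idle level plus 5 sigma of the window mean)."""
    limit = IDLE_POWER + 5 * NOISE_SIGMA / (window ** 0.5)
    return any(statistics.fmean(power[i:i + window]) > limit
               for i in range(0, len(power) - window + 1, window))


def run(seed=1):
    """Exfiltrate a constructed payload over a clean channel, a jammed
    channel, and check the RF monitor against exfiltration and idle traces."""
    rng = random.Random(seed)
    secret = b"key=0xC0FFEE"                         # constructed sample payload
    clean = band_power(transmit(secret), rng)
    jammed = band_power(pollute(transmit(secret), rng), rng)
    idle = band_power([0.0] * len(clean), rng)
    return {
        "clean": receive(clean),
        "jammed": receive(jammed),
        "ber_jammed": bit_error_rate(secret, receive(jammed)),
        "alarm_on_exfil": band_anomaly_detected(clean),
        "alarm_on_idle": band_anomaly_detected(idle),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

The clean trace decodes the payload exactly, while the jamming bursts push many idle symbols above the preamble-derived threshold and corrupt a substantial share of the bits. Two caveats the simulation makes visible: legitimate disk I/O lights up the same band, so a real RF monitor must baseline against the machine's normal activity rather than the idle floor used here, and the polluting I/O only works while it is running, so triggering it on "suspicious activity" depends on first detecting the transmission.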
References
[1] SATA (en.wikipedia.org)
[2] long list (cyber.bgu.ac.il)
[3] wrote (arxiv.org)
[4] air-gapped network (thehackernews.com)
[5] Industroyer 2 (thehackernews.com)
[6] PIPEDREAM (thehackernews.com)
[7] BRIGHTNESS (thehackernews.com)
[8] POWER-SUPPLaY (thehackernews.com)
[9] AIR-FI (thehackernews.com)
[10] LANtenna (thehackernews.com)
[11] USBStealer (securelist.com)
[12] USBFerry (malpedia.caad.fkie.fraunhofer.de)
Read more https://thehackernews.com/2022/07/new-air-gap-attack-uses-sata-cable-as.html
