Academics from an Israeli university have published new research today detailing a technique to convert a RAM card into an impromptu wireless emitter and transmit sensitive data from inside a non-networked air-gapped computer that has no Wi-Fi card.
Named AIR-FI, the technique is the work of Mordechai Guri, the head of R&D at the Ben-Gurion University of the Negev, in Israel.
Over the last half-decade, Guri has led tens of research projects that investigated stealing data through unconventional methods from air-gapped systems.
Also: Best VPN services
These types of techniques are what security researchers call "covert data exfiltration channels." They are not techniques to break into computers, but techniques that can be used to steal data in ways defenders aren't expecting.
Such data exfiltration channels are not a danger for normal users, but they are a constant threat for the administrators of air-gapped networks.
Air-gapped systems are computers isolated on local networks with no external internet access. Air-gapped systems are often used on government, military, or corporate networks to store sensitive data, such as classified files or intellectual property.
While AIR-FI would be considered a "stunt hack" in the threat model of normal users, it is, however, the type of attack that forces many companies to reconsider the architecture of their air-gapped systems that store high-value assets.
At the core of the AIR-FI technique is the fact that any electronic component generates electromagnetic waves as electric current passes through.
Since Wi-Fi signals are radio waves and radio is basically electromagnetic waves, Guri argues that malicious code planted on an air-gapped system by attackers could manipulate the electrical current inside the RAM card in order to generate electromagnetic waves with the frequency consistent with the normal Wi-Fi signal spectrum (2,400 GHz).
In his research paper, titled "AIR-FI: Generating Covert WiFi Signals from Air-Gapped Computers," Guri shows that perfectly timed read-write operations to a computer's RAM card can make the card's memory bus emit electromagnetic waves consistent with a weak Wi-Fi signal.
This signal can then be picked up by anything with a Wi-Fi antenna in the proximity of an air-gapped system, such as smartphones, laptops, IoT devices, smartwatches, and more.
Guri says he tested the technique with different air-gapped computer rigs where the Wi-Fi card was removed and was able to leak data at speeds of up to 100 b/s to devices up to several meters away.
Guri, who has investigated tens of other covert data exfiltration channels in the past, said the AIR-FI attack is one of the easiest to pull off as the attacker doesn't need to obtain root/admin privileges before running an exploit.
"[AIR-FI] can be initiated from an ordinary user-space process," Guri said.
This allows the attack to work across any OS and even from inside virtual machines (VMs).
Furthermore, while most modern RAM cards will be able to emit signals in the 2,400 GHz range, Guri says that older RAM cards can be overclocked to reach the desired output.
In his research paper, shared with ZDNet, Guri suggested various countermeasures that companies can take to protect air-gapped systems, such as the deployment of signal jamming to prevent the transmission of any Wi-Fi signals in an air-gapped network's physical area.
AIR-FI now joins a long list of covert data exfiltration channels discovered by Guri and his team:
Categorized based on the exfiltration channels, these look like: