Academics turn RAM into Wi-Fi cards to steal data from air-gapped systems

AIR-FI technique can send stolen data at speeds of up to 100 b/s to Wi-Fi receivers at a distance of a few meters.


Academics from an Israeli university have published new research today detailing a technique to convert a RAM card into an impromptu wireless emitter and transmit sensitive data from inside a non-networked air-gapped computer that has no Wi-Fi card.


Named AIR-FI, the technique is the work of Mordechai Guri, the head of R&D at the Ben-Gurion University of the Negev, in Israel.

Over the last half-decade, Guri has led tens of research projects that investigated stealing data through unconventional methods from air-gapped systems.


These types of techniques are what security researchers call "covert data exfiltration channels." They are not techniques to break into computers, but techniques that can be used to steal data in ways defenders aren't expecting.

Such data exfiltration channels are not a danger for normal users, but they are a constant threat for the administrators of air-gapped networks.

Air-gapped systems are computers isolated on local networks with no external internet access. Air-gapped systems are often used on government, military, or corporate networks to store sensitive data, such as classified files or intellectual property.

While AIR-FI would be considered a "stunt hack" in the threat model of normal users, it is the type of attack that forces many companies to reconsider the architecture of their air-gapped systems that store high-value assets.

How AIR-FI works

At the core of the AIR-FI technique is the fact that any electronic component generates electromagnetic waves as electric current passes through.

Since Wi-Fi signals are radio waves and radio is basically electromagnetic waves, Guri argues that malicious code planted on an air-gapped system by attackers could manipulate the electrical current inside the RAM card in order to generate electromagnetic waves with the frequency consistent with the normal Wi-Fi signal spectrum (2,400 GHz).

In his research paper, titled "AIR-FI: Generating Covert WiFi Signals from Air-Gapped Computers," Guri shows that perfectly timed read-write operations to a computer's RAM card can make the card's memory bus emit electromagnetic waves consistent with a weak Wi-Fi signal.

This signal can then be picked up by anything with a Wi-Fi antenna in the proximity of an air-gapped system, such as smartphones, laptops, IoT devices, smartwatches, and more.

Guri says he tested the technique with different air-gapped computer rigs where the Wi-Fi card was removed and was able to leak data at speeds of up to 100 b/s to devices up to several meters away.

Guri, who has investigated tens of other covert data exfiltration channels in the past, said the AIR-FI attack is one of the easiest to pull off as the attacker doesn't need to obtain root/admin privileges before running an exploit.

"[AIR-FI] can be initiated from an ordinary user-space process," Guri said.

This allows the attack to work across any OS and even from inside virtual machines (VMs).

Furthermore, while most modern RAM cards will be able to emit signals in the 2,400 GHz range, Guri says that older RAM cards can be overclocked to reach the desired output.

In his research paper, shared with ZDNet, Guri suggested various countermeasures that companies can take to protect air-gapped systems, such as the deployment of signal jamming to prevent the transmission of any Wi-Fi signals in an air-gapped network's physical area.

AIR-FI now joins a long list of covert data exfiltration channels discovered by Guri and his team:

  • LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED
  • USBee - force a USB connector's data bus to give out electromagnetic emissions that can be used to exfiltrate data
  • AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
  • Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
  • DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
  • BitWhisper - exfiltrate data from non-networked computers using heat emanations
  • Unnamed attack - uses flatbed scanners to relay commands to malware-infested PCs or to exfiltrate data from compromised systems
  • GSMem - steal data from air-gapped systems using GSM cellular frequencies
  • xLED - use router or switch LEDs to exfiltrate data
  • aIR-Jumper - use a security camera's infrared capabilities to steal data from air-gapped networks
  • HVACKer - use HVAC systems to control malware on air-gapped systems
  • MAGNETO & ODINI - steal data from Faraday cage-protected systems
  • MOSQUITO - steal data from PCs using attached speakers and headphones
  • PowerHammer - steal data from air-gapped systems using power lines
  • CTRL-ALT-LED - steal data from air-gapped systems using keyboard LEDs
  • BRIGHTNESS - steal data from air-gapped systems using screen brightness variations
  • AiR-ViBeR - steal data using a computer's fan vibrations
  • POWER-SUPPLaY - steal data by turning the power supply into a speaker

[Figure: the techniques above, categorized by exfiltration channel]