Security researchers from the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev, Israel, have published a paper illustrating how a hacker can steal data and sensitive information from an “air-gapped system” via a Serial ATA (SATA) cable and transfer it from a compromised PC to a nearby receiver.
For those who don’t know, an “air-gapped system” is a standalone physical device that is completely isolated from any outside connection, such as a network or the Internet. It also has no hardware that can communicate wirelessly, such as Bluetooth or Wi-Fi hardware.
According to the investigation, the attackers use the SATA cable itself as a wireless transmitter, emitting radio signals in the 6 GHz frequency band, where transmission via SATA cables is most effective. The attack is known as “SATAn”.
The researchers successfully demonstrated the SATAn attack method, which can work from user space or through a virtual machine (VM), as seen in the short video below.
“Although air-gap computers do not have a wireless connection, we show that attackers can use the SATA cable as a wireless antenna to transmit radio signals on the 6 GHz frequency band.
Serial ATA (SATA) is a bus interface commonly used in modern computers, connecting the host bus to mass storage devices such as hard drives, optical drives, and solid-state drives. The prevalence of the SATA interface makes this attack highly accessible to attackers in a wide variety of computer systems and IT environments,” researchers wrote about their findings on SATAn.
The experiments conducted by the researchers showed that SATA 3.0 (6 Gbps) cables emit electromagnetic waves in several frequency bands – including 1 GHz, 2.5 GHz, 3.9 GHz and +6 GHz. However, the main correlation with data transfer occurs between 5.9995 GHz and 5.9996 GHz.
The idea behind the hidden channel is to use the SATA cable as an antenna and control the electromagnetic emission.
“The results showed that an attacker could wirelessly transmit a small amount of sensitive information from a highly secure air-gapped computer to a nearby receiver using a SATA cable,” the researchers continued.
To make matters worse, additional testing has shown that reads on SATA produce stronger signals than writes (on average 3 dB stronger). This means the read operation is the preferable one for the covert channel, which makes the full attack easier to carry out.
But according to the researchers, the attack is only more successful at reading data for now, because reads require lower permissions than writes. However, the method is enough to collect sensitive information from systems that would otherwise be completely isolated, they added.
Through their research, researchers have shown that attackers can exploit the SATA cable as an antenna to transmit radio signals in the 6 GHz frequency band by using non-privileged read() and write() operations. In particular, the SATA interface is highly available to attackers in many computers, devices, and network environments.
While there are several ways to mitigate these types of attacks, the article suggests that the first line of defense is to use multiple layers of security in the network, including firewalls, intrusion detection and prevention systems, network traffic analysis, and access control mechanisms. Another approach is to use an external RF monitoring system to detect anomalies in the 6 GHz band near the transmitting computer.
Another common type of countermeasure is jamming, which can be done from within the operating system by performing random reads and writes when suspicious covert-channel activity is detected.
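The jamming countermeasure described above, as an added example (not code from the researchers' paper): a routine that issues random reads and writes against a scratch file so the SATA link carries unpatterned traffic. The function name `jam_sata`, the block size, file size, pause length and the decision of when to call it are all assumptions made for illustration.

```python
import contextlib
import os
import random
import time

BLOCK = 4096  # bytes per operation (assumed value)

def jam_sata(path, size=4 * 1024 * 1024, ops=200, max_gap=0.002, seed=None):
    """Issue `ops` random reads/writes against a scratch file at `path`.

    Returns (reads, writes). Offset, direction and pause are all random,
    so the added bus activity has no regular pattern of its own.
    """
    # SystemRandom in real use; a seed is accepted only for repeatable tests.
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    reads = writes = 0
    try:
        # Fill the file with real data: holes in a sparse file are answered
        # by the filesystem and never cause a device read.
        os.pwrite(fd, os.urandom(size), 0)
        os.fsync(fd)
        for _ in range(ops):
            offset = rng.randrange(size // BLOCK) * BLOCK
            if rng.random() < 0.5:
                # Ask the kernel to drop cached pages first; a read served
                # from the page cache never reaches the SATA link.
                with contextlib.suppress(AttributeError, OSError):
                    os.posix_fadvise(fd, offset, BLOCK,
                                     os.POSIX_FADV_DONTNEED)
                os.pread(fd, BLOCK, offset)
                reads += 1
            else:
                os.pwrite(fd, os.urandom(BLOCK), offset)
                os.fsync(fd)  # push the write to the device immediately
                writes += 1
            time.sleep(rng.uniform(0, max_gap))
    finally:
        os.close(fd)
    return reads, writes

if __name__ == "__main__":
    # Constructed demo: scratch file in the current directory.
    print(jam_sata("jam_scratch.bin", ops=50))
    os.remove("jam_scratch.bin")
```

The scratch file must live on the SATA-attached disk being protected; a file on tmpfs or another bus generates no traffic on that cable.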
You can check out the full details about SATAn here.