Israeli researchers use RAM as a small Wi-Fi transmitter to leak sensitive data from isolated...


Posts: 1,185   +20
Staff member
Why it matters: Air-gapped computers, usually found in government, banking, enterprise, industrial and military setups, operate in tightly controlled environments, cut-off from the internet and under strict supervision. You'd normally think they're safe from information leaks, however an Israeli security research team has proven once again that all it takes is some creativity.

Earlier this year, a group of Israeli security researchers at the Ben Gurion University revealed novel ways in which hackers can exploit physically isolated systems to leak sensitive information. One involved manipulating display brightness to alternate between two levels for sending zeroes and ones, another was about carefully tuning the speed of the cooling fans inside a PC to create tiny vibrations that could be picked up by the accelerometer on a smartphone.

In the meantime, the team headed by Mordechai Guri found yet another quirky technique dubbed AIR-FI, which is the latest in a string of tens of projects over the last five years. Interestingly, AIR-FI uses the system memory, specifically the DDR SDRAM bus, to generate 2.4 GHz Wi-Fi signals. Sensitive information can then be leaked at rates of up to 100 bits per second to Wi-Fi receivers within a range of a few meters.

Essentially, the attack can make it so that a system isolated from public networks can broadcast Wi-Fi signals to nearby compromised devices like laptops, smartphones, smartwatches, and other IoT devices. What's worrying about this method is how the code needed to exfiltrate the sensitive information requires no special privileges to be effective, meaning attackers wouldn't need to employ complicated methods to gain access to kernel drivers or hardware resources. The code will also work in a virtual machine environment.

To perform an AIR-FI attack, a malicious actor would have to either intercept the target system to load it with malware or compromise it during the manufacturing process. Researchers point out in the paper that the easiest way to do this is via a USB drive, similar to how the Stuxnet worm made its way into supervisory control and data acquisition (SCADA) systems at uranium enrichment facilities in Iran.

The good news is that some air-gapped systems are installed in places protected to some degree against TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions). As for countermeasures against AIR-FI, researchers suggest that organizations deploy signal jamming through either specialized hardware equipment or a software solution that performs random memory or CPU workloads.

Permalink to story.



Posts: 197   +179
This type of exploit isn't new news. I sometimes work in a building that was constructed in the 80s and the interior portions of the building work as a Faraday Cage. It was constructed this way to prevent any EMI emissions from the computers/printers/electronic devices and networks inside from escaping and being intercepted. Pretty much any digital component that processes/contains data is vulnerable unless it is properly shielded.


Posts: 748   +794
"Sensitive information can then be leaked at rates of up to 100 bits per second"

6 KB per minute.... now that's impressively slower than the slowest dial up modem ever invented!!


Posts: 290   +258
Its also about 35 years old. We could literally do this with our Atari computers to play songs we could hear on the radio.

I used to be able to hear my Amiga on the radio I had too, I always assumed it was the CPU I was listening to as you could hear it crash with two different alternating tones of white noise (IIRC)

Avro Arrow

Posts: 2,206   +2,615
TechSpot Elite
"Sensitive information can then be leaked at rates of up to 100 bits per second"

6 KB per minute.... now that's impressively slower than the slowest dial up modem ever invented!!
That's very true but remember that most sensitive forms of information are still text documents. They haven't really increased in size much over the decades so it still wouldn't be hard to get the information even at that relatively pedestrian speed. Now, of course, that 100bps is the theoretical limit so we're probably better using 80bps as a more realistic speed. It works better anyway because I hate math and a byte is 8 bits so 80bps is 10Bps.

Remember that 6kB per minute is 6000 characters per minute. If it's being done on the sly and nobody notices, that can easily steal entire documents in a relatively short amount of time.
Last edited: