How a Memory Card Can Be Used to Steal Data
December 16, 2020
Homeland & Cyber Security, Uncategorized
ZDNet — Academics from BGU’s Cyber Security Research Center have published new research today detailing a technique to convert a RAM card [a memory module that is plugged into a computer’s motherboard that stores the data being used by the computer] into an impromptu wireless emitter and transmit sensitive data from inside a non-networked air-gapped computer that has no Wi-Fi card.
Named AIR-FI, the technique is the work of Dr. Mordechai Guri, head of research and development for the Cyber Security Research Center at Ben-Gurion University.
AIR-FI now joins a long list of covert data exfiltration channels discovered by Dr. Guri and his team.
Over the last half-decade, Dr. Guri has led tens of research projects that investigated stealing data through unconventional methods from air-gapped systems.
These types of techniques are what security researchers call “covert data exfiltration channels.” They are not techniques to break into computers, but techniques that can be used to steal data in ways defenders aren’t expecting.
Such data exfiltration channels are not a danger for normal users, but they are a constant threat for the administrators of air-gapped networks.
As countermeasures, Dr. Guri proposes zone protections against electromagnetic attacks, intrusion detection systems that monitor for processes performing intensive memory transfer operations, jamming of the signals, and Faraday shields to block the covert channel.
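The second of those countermeasures, host-side monitoring for processes that keep the memory bus unusually busy, is the one an administrator can implement in software. The following is an added example and not code from the article or from BGU; it assumes a collector (not shown) that samples each process's memory transfer rate once per second from hardware performance counters, and runs a simple sustained-activity rule over constructed sample telemetry. Short bursts, such as a backup reading a large file, stay below the run-length threshold, and allowlisted workloads that legitimately saturate memory bandwidth are skipped.

```python
from collections import defaultdict

# Constructed sample telemetry: one row per process per one-second window.
# Fields: (timestamp_s, pid, comm, memory_transfer_mb_per_s). In a real
# deployment the rate would come from an assumed perf-counter collector.
SAMPLES = [
    (t, 1, "init", 20.0) for t in range(10)
] + [
    # a backup job: a three-second burst, then quiet
    (t, 1337, "backup", 2500.0 if t < 3 else 150.0) for t in range(10)
] + [
    # an unknown process that hammers memory for seven consecutive seconds
    (t, 4242, "updater", 3200.0 if 2 <= t < 9 else 90.0) for t in range(10)
] + [
    # a database that legitimately keeps memory bandwidth high
    (t, 777, "dbserver", 2900.0) for t in range(10)
]


def detect_sustained_memory_transfer(samples, threshold_mb_s=2000.0,
                                     min_windows=5, allowlist=frozenset()):
    """Flag processes whose memory transfer rate stays above threshold_mb_s
    for at least min_windows consecutive one-second samples.

    Returns {pid: (comm, longest_run_in_windows)} for flagged processes only.
    Bursts shorter than min_windows are ignored, and process names in
    allowlist are never flagged.
    """
    by_pid = defaultdict(list)
    for ts, pid, comm, rate in samples:
        by_pid[pid].append((ts, comm, rate))

    flagged = {}
    for pid, rows in by_pid.items():
        rows.sort()  # order samples by timestamp before measuring runs
        comm = rows[0][1]
        if comm in allowlist:
            continue
        run = longest = 0
        for _, _, rate in rows:
            # extend the current run while the rate stays high, else reset
            run = run + 1 if rate >= threshold_mb_s else 0
            longest = max(longest, run)
        if longest >= min_windows:
            flagged[pid] = (comm, longest)
    return flagged


if __name__ == "__main__":
    hits = detect_sustained_memory_transfer(SAMPLES, allowlist=frozenset({"dbserver"}))
    for pid, (comm, run) in hits.items():
        print(f"pid {pid} ({comm}): {run} consecutive high-bandwidth windows")
```

The threshold and run length are tuning knobs: set them from a baseline of the host's normal workloads so that a process sustaining bus-saturating memory traffic stands out without flagging ordinary bulk I/O.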
“Modern IT environments are equipped with many types of Wi-Fi capable devices: smartphones, laptops, IoT devices, sensors, embedded systems, smart watches, and other wearable devices,” says Dr. Guri. “The attacker can potentially hack such equipment to receive the AIR-FI transmissions from air-gapped computers.”
Dr. Guri says he tested the AIR-FI technique with different air-gapped computer rigs where the Wi-Fi card was removed and was able to leak data at speeds of up to 100 b/s to devices up to several meters away.
According to Dr. Guri, the AIR-FI attack is one of the easiest to pull off as the attacker doesn’t need to obtain root/admin privileges before running an exploit.
“[AIR-FI] can be initiated from an ordinary user-space process,” he says.
This allows the attack to work across any operating system and even from inside virtual machines (VMs).
Air-gapped systems are computers isolated on local networks with no external internet access. They are often used on government, military, or corporate networks to store sensitive data, such as classified files or intellectual property.
While AIR-FI would be considered a “stunt hack” in the threat model of normal users, it is the type of attack that forces many companies to reconsider the architecture of the air-gapped systems that store their high-value assets.