Air-gapped Systems’ SATA Cables Can Leak Data as Wi-Fi Antennas, Researcher Finds

A security researcher discovered that air-gapped systems could leak data through their serial ATA (SATA) cables by using them as wireless antennas. Attackers could, in theory, extract the data through radio signals.

The discovery, dubbed “SATAn” by the head of R&D of The Cyber Security Research Labs at Israel’s Ben-Gurion University, Mordechai Guri, could help threat actors steal sensitive information from air-gapped systems.

Air-gapping, also known as air-walling, is a security measure that involves physically isolating specific devices from unsecured networks such as unsecured LANs or the public Internet. Air-gapped systems are often used in sectors where confidentiality is key, such as nuclear, industrial, military or government organizations.

Guri’s discovery highlights that ordinary SATA 3.0 cables emit electromagnetic emissions of various frequencies, but the 5.9995 – 5.9996 GHz range is most relevant to the data transmission study.

To carry out a SATAn attack, perpetrators must first infect the targeted air-gapped system. Although challenging, physical breaches are not unheard of; Stuxnet, the most notorious, was discovered over a decade ago, in mid-June 2010.

After compromising the targeted system, the embedded malware can be used to modulate and encode sensitive data before exfiltrating it.

While performing read/write operations, the SATA interface emits specific radio signals that can be picked up by the malware and used to reveal the content of the stolen data. Guri demonstrated the concept by exfiltrating the word “SECRET” from an air-gapped system to a nearby PC.

The research also revealed that the distance between the air-gapped system and the receiving PC can’t be greater than 1.2 meters (3.9 feet) without compromising the integrity of the content.

Guri’s proposed method to counter SATAn attacks involves using a SATA jammer to monitor suspicious read/write operations and add noise to obfuscate the signal. However, there are a couple of drawbacks: first and foremost, jamming the electromagnetic emission would put excessive strain on the disk.

Furthermore, telling apart malicious and legitimate read/write operations could be a challenging task and would further increase the load on the system.