SATAn Turns Hard Drive Cable Into Antenna To Defeat Air-Gapped Security

It seems like [Mordechai Guri]’s lab at Ben-Gurion University is the place where air-gapped computers go to die, or at least to give up their secrets. And this hack using a computer’s SATA cable as an antenna to exfiltrate data is another example of just how many side-channel attacks the typical PC makes available.

The exploit, deliciously designated “SATAn,” relies on the fact that the SATA 3.0 interface used in many computers has a bandwidth of 6.0 Gb/s, meaning that manipulating the computer’s IO would make it possible to transmit data from an air-gapped machine at around 6 GHz. It’s a complicated exploit, of course, and involves placing a transmitting program on the target machine using the usual methods, such as phishing or zero-day exploits. Once in place, the transmitting program uses a combination of read and write operations on the SATA disk to generate RF signals that encode the data to be exfiltrated, with the data lines inside the SATA cable acting as antennae.

SATAn is shown in action in the video below. It takes a while to transmit just a few bytes of data, and the range is less than a meter, but that could be enough for the exploit to succeed. The test setup uses an SDR — specifically, an ADALM PLUTO — and a laptop, but you can easily imagine a much smaller package being built for a stealthy walk-by style attack. [Mordechai] also offers a potential countermeasure for SATAn, which basically thrashes the hard drive to generate RF noise to mask any generated signals.

While probably limited in its practical applications, SATAn is an interesting side-channel attack to add to [Dr. Guri]’s list of exploits. From optical exfiltration using security cameras to turning power supplies into speakers, the vulnerabilities just keep piling up.

Thanks to [chuckt] for the tip.

[via Bleeping Computer]

 

18 thoughts on “SATAn Turns Hard Drive Cable Into Antenna To Defeat Air-Gapped Security

  1. “SATAn is shown in action in the video below. It takes a while to transmit just a few bytes of data, and the range is less than a meter, but that could be enough for the exploit to succeed. ”

    I’m sure there’s a reason the crystal palace has a big Faraday cage around the whole place. Plus the move towards optical could cut down on the whole “antenna exploits”.

        1. Worked on NSA receivers for that back in the late 70’s before the PC came out. They were listening to terminals and word processors before we had PCs.

          It was such a big secret because it was so easy to do. I could have told any HAM what we were doing and they could have had it up and running in a night. (Most of the Engineers working on it were HAMs).

  2. Not really much of a vulnerability.
    You have to first somehow get your code on the air-gapped machine then you have to be within a meter of said air-gapped machine with an SDR.
    To make this even more difficult just shield the sata cable and ground the shield. Or just use a case that is a faraday cage. How? Use a case that does not have any gaps bigger than say 5cm made of metal and ground every panel. Not exactly hard to to arrange.
    Do you think any government or major corporation would have an air-gaped system without physical security? This might work on some commercial or local systems but nothing that would be considered secure to Government standards.

    1. SO true! We spent a LOT of time discussing s vulnerability in avionics.. Finally, I got management to accept, that you’d have to get a power drill and equipment through security, climb into the electronics bay below the kitchen on an aircraft unnoticed to cut off communication. If you are able to do that, you can already do so much damage

      These things are fun to find/develop.. but real life application….

  3. When working in Aerospace all development has to be done on a separate network. As in not connected to the Internet. Because our IT department was located in a different country, they had remote access to it. We raised this issue and were told, that there was NO way, that a problem could arise..

    Even having done a POC moving 5 GB source code from the “blue” network to the regular one (we had had a PC each only for checking email beside the development PC) using ping, they still claimed it was impossible…

  4. The thing is this is just a basic proof of concept.

    The range can be increased by adding more phase coherent external antennas (every time you double the number of antennas the range will approximately double).

    And cryogenically cooling the the special first LNA (lower the Johnson–Nyquist noise*) with say liquid helium boiling at 4.222 K instead of operating at room temperature (300K) that should increase the signal level by nearly 8.5 dB. (38 picokelvin was achieved in 2021 by the German University of Bremen for a total of only 2 seconds, so at least in theory if an LNA could be cooled to that and still actually function it would correspond to an extra 119 dB of signal). Keep in mind every additional 3dB is double the range.

    Then you can also use two synchronised receivers to receive half the bandwidth of the signal each and that would double the effective range. Four synchronised receivers, each receiving a quarter of the bandwidth double the range again. And so on and so on.

    Lots of tricks fall out of the physics/maths when money is no object. And yes the calibration, storage and post processing of the collected bits gets a bit scary, but it is possible if enough money is thrown at the problems.

    * https://en.wikipedia.org/wiki/Johnson%E2%80%93Nyquist_noise#Noise_power_in_decibels

      1. It nearly is always cheaper to spend more money and time securing a resource than illegally accessing them. But there is nearly always some new technology on the horizon that may change the imbalance “Rydberg receiver” might be one that beats the thermal Johnson–Nyquist noise limits. Then all the existing attenuation in place to protect airgapped systems needs to be re-evaluated.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.