SATAn Turns Hard Drive Cable Into Antenna To Defeat Air-Gapped Security

It seems like [Mordechai Guri]’s lab at Ben-Gurion University is the place where air-gapped computers go to die, or at least to give up their secrets. And this hack using a computer’s SATA cable as an antenna to exfiltrate data is another example of just how many side-channel attacks the typical PC makes available.

The exploit, deliciously designated “SATAn,” relies on the fact that the SATA 3.0 interface used in many computers has a bandwidth of 6.0 Gb/s, meaning that manipulating the computer’s IO would make it possible to transmit data from an air-gapped machine at around 6 GHz. It’s a complicated exploit, of course, and involves placing a transmitting program on the target machine using the usual methods, such as phishing or zero-day exploits. Once in place, the transmitting program uses a combination of read and write operations on the SATA disk to generate RF signals that encode the data to be exfiltrated, with the data lines inside the SATA cable acting as antennae.

SATAn is shown in action in the video below. It takes a while to transmit just a few bytes of data, and the range is less than a meter, but that could be enough for the exploit to succeed. The test setup uses an SDR — specifically, an ADALM-PLUTO — and a laptop, but you can easily imagine a much smaller package being built for a stealthy walk-by style attack. [Mordechai] also offers a potential countermeasure for SATAn, which basically thrashes the hard drive to generate RF noise to mask any generated signals.

While probably limited in its practical applications, SATAn is an interesting side-channel attack to add to [Dr. Guri]’s list of exploits. From optical exfiltration using security cameras to turning power supplies into speakers, the vulnerabilities just keep piling up.

Bringing Some Discipline To An SDR Transmitter

The proliferation of software-defined radio (SDR) technology has been a godsend for RF hobbyists. SDR-based receivers and transmitters have gotten so cheap that you’ve probably got a stick or two lying around your bench right now — we can see three from where we sit, in fact.

But cheap comes at a price, usually in the form of frequency stability, which can be prohibitive in some applications — especially amateur radio, where spectrum hygiene is of the utmost concern. So we were pleased to see [Tech Minds] tackle the SDR frequency stability problem by using a GPS-disciplined oscillator. The setup uses an ADALM-PLUTO SDR transceiver and a precision oscillator from Leo Bodnar Electronics. The oscillator can be programmed to output a rock-solid, GPS-disciplined signal over a wide range of frequencies. The Pluto has an external oscillator input that looks for 40 MHz, which is well within the range of the GPSDO.

Setup is as easy as plugging the oscillator’s output into the SDR’s external clock input using an SMA to UFL jumper, and tweaking the settings in the SDR and oscillator. Not all SDRs will have an external clock input, of course, so your mileage may vary. But if your gear is suitably equipped, this looks like a great way to get bang-on frequency — the video below shows just how much the undisciplined SDR can drift.

Like any good ham, [Tech Minds] is doing his bit to keep his signals clean and on target. His chief use case for this setup will be to work QO-100, amateur radio’s first geosynchronous satellite repeater. We’ve got to say that we hams living on the two-thirds of the globe not covered by this satellite are just dying to get a geosynchronous bird (or two) of our own to play with like this.

SDR Toolkit Bends Weather Station To Hacker’s Whims

We probably don’t have to tell most Hackaday readers why the current wave of low-cost software defined radios (SDRs) is such a big deal for hackers looking to explore the wide world of wireless signals. But if you do need a refresher as to what kind of SDR hardware and software should be in your bag of tricks, then this fantastically detailed account from [RK] about how he hacked his La Crosse WS-9611U-IT weather station is a perfect example.

Looking to brush up his radio hacking skills, [RK] set out to use the ADALM-PLUTO software defined radio from Analog Devices to intercept signals between the La Crosse base station and its assorted wireless sensors. He notes that a $20 USD RTL-SDR dongle could do just as well if you only wanted to receive, but since his ultimate goal was to spoof a temperature sensor and introduce spurious data into the system, he needed an SDR that had transmit capabilities.

No matter your hardware, Universal Radio Hacker (URH) is the software that’s going to be doing the heavy lifting. In his write-up, [RK] walks the reader through every step required to find, capture, and eventually decode the transmissions coming from a TX29U wireless temperature sensor. While the specifics will naturally change a bit depending on the device you’re personally looking to listen in on, the general workflow is going to be more or less the same.

In the end, [RK] is not only able to receive the data coming from the wireless sensors, but he can transmit his own spoofed data that the weather station accepts as legitimate. Getting there took some extra effort, as he had to figure out the proper CRC algorithm being used. But as luck would have it, he found a Hackaday article from a couple years back that talked about doing exactly that, which helped put him on the right path. Now he can make the little animated guy on the weather station’s screen don a winter coat in the middle of July. Check out the video below for a demonstration of this particular piece of radio prestidigitation.

