A new theoretical exploit called Air-Fi can turn a secure, air-gapped computer into a wifi transmitter that can help a hacker exfiltrate secure data.
An air-gapped computer is a computer that is completely disconnected from any network. Many air-gapped machines have every possible network feature removed, from wifi to Bluetooth, but this exploit shows that hackers can use DDR SDRAM buses “to generate electromagnetic emissions in the 2.4 GHz Wi-Fi bands and encode binary data on top of it,” according to the researcher Mordechai Guri of the Ben-Gurion University of the Negev, Israel.
“This technique required high levels of skills from the attacker, in both design and implementation,” said Guri in an email. “However, there are simpler covert exfiltration channels for conventional IT environments in the wild. This one is focusing on leaking data from air-gapped computers where the traditional network-based covert channels fail.”
“Using the Wi-Fi medium in such a non-conventional way is something that I’ve been examining during the last year,” he said.
The transmissions are invisible to other devices and only the hacker can only pick them up with specially-prepared software and hardware.
As a part of the exfiltration phase, the attacker might collect data from the compromised computers. The data can be documents, key logging, credentials, encryption keys, etc. Once the data is collected, the malware initiates the AIR-FI covert channel. It encodes the data and transmits it to the air (in the Wi-Fi band at 2.4 GHz) using the electromagnetic emissions generated from the DDR SDRAM buses.
Guri is well-known in security circles for figuring out how to attack air-gapped machines. In 2019 he used screen brightness and power lines to transmit data from secure computers and in 2018 he was also able to transmit data via ultrasonic audio files using a simple computer speaker.
In this exploit, Guri was able to force the DDR SDRAM busses to transmit to compromised wifi-capable devices like laptops and smartphones. He hacked four workstations with the exploit, each outfitted with similar 4GB DIMM DDR4…