Researchers have unveiled a new “SATAn” attack that turns a SATA cable into a radio transmitter, allowing an attacker to exfiltrate data from a system that is not connected to any network and deliver it to a receiver up to 1 m away, all without physically modifying the SATA cable or any other hardware. The software-based technique works from user space or from inside a virtual machine (VM), and the researchers have released a short demo video.
The SATA interface is used in billions of devices worldwide to connect hard drives and SSDs inside PCs, which makes it an attractive carrier for a sophisticated attacker: the covert channel relies on hardware that is already present in almost every target.
Some of the world’s most sensitive data is stored on air-gapped systems. These systems are completely isolated from the outside world: they have no network or Internet connection, and no hardware capable of wireless communication such as Bluetooth or Wi-Fi. Stealing data from them therefore requires sophisticated techniques. Researcher Mordechai Guri of Ben-Gurion University of the Negev, Israel, accomplished this by turning a standard SATA cable into a radio transmitter without making any physical changes to the hardware.
Like every computer interface, the SATA bus emits electromagnetic interference during normal operation, and when the traffic on the bus is controlled deliberately, that interference can be shaped into a carrier for data. In this case the researcher used the SATA cable as an antenna radiating in the 6 GHz band to send a short message to a nearby laptop. Such a channel can be combined with a keylogger to leak passwords, or with other collection mechanisms to leak files, images and other sensitive data.
Of course, the attacker first has to get malicious software onto the target computer, but as Stuxnet and other attacks have shown, USB devices carrying malicious code can spread malware into protected systems. Otherwise the attacker needs physical access to install the payload.
Once installed, the malware first encodes (modulates) the data to be stolen. It then performs controlled file-system accesses, reads or writes, to generate a signal on the cable. Either operation produces a usable signal, but the researcher notes that reads typically require no elevated privileges and produce a stronger signal (by up to 3 dB) than writes. The researchers also found that background operations that generate other traffic to the storage device generally do not break the transmission. Still, intense drive activity can pollute the broadcast, so it is best to pause the transmission during heavy background activity.
The attacker can then pick up the signal with a nearby device, but the range is limited: the receiver must be within about 1 m of the transmitter, because bit error rates rise at greater distances. The receiving device, a laptop in this case, uses a software-defined radio (SDR) to capture the signal.
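To make the transmitter/receiver split above concrete, here is an added simulation of the channel’s encoding layer. It is not code from the paper or the researchers: it assumes a simple on-off keying scheme (one time slot per bit, a slot of sequential reads for a 1, an idle slot for a 0), a fixed preamble plus length byte as the frame format, and a normalised per-slot energy at the SDR. The actual I/O is returned as a plan rather than executed, and background drive traffic is modelled as extra energy in idle slots, so the example runs offline and shows why heavy background activity corrupts the broadcast. All parameters and the sample secret are constructed.

```python
import random

# Constructed simulation parameters (assumptions, not figures from the paper).
PREAMBLE = "10101010"   # alternating pattern marks the frame start for the receiver
BURST_ENERGY = 1.0      # normalised energy the SDR integrates during a read burst
IDLE_ENERGY = 0.0       # energy during an idle slot
THRESHOLD = 0.5         # receiver decision level between the two


def bytes_to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def bits_to_bytes(bits: str) -> bytes:
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def build_frame(payload: bytes) -> str:
    """Frame = preamble | 8-bit length | payload bits (assumed frame format)."""
    if not 0 < len(payload) < 256:
        raise ValueError("payload must be 1..255 bytes")
    return PREAMBLE + f"{len(payload):08b}" + bytes_to_bits(payload)


def transmit_plan(frame_bits: str, slot_ms: int = 100):
    """Transmitter side. Each bit occupies one time slot: a '1' slot is filled with
    sequential file reads on the SATA drive (the emission), a '0' slot stays idle.
    Reads rather than writes: they need no privileges and emit more strongly.
    Returned as a plan instead of performing the I/O so the code runs anywhere."""
    return [("read-burst" if b == "1" else "idle", slot_ms) for b in frame_bits]


def simulate_channel(plan, background_noise: float = 0.0, seed: int = 1):
    """Channel model: energy the SDR sees per slot. `background_noise` is the
    maximum extra energy contributed by unrelated drive traffic in that slot."""
    rng = random.Random(seed)
    return [(BURST_ENERGY if state == "read-burst" else IDLE_ENERGY)
            + rng.uniform(0.0, background_noise) for state, _ in plan]


def demodulate(samples, threshold: float = THRESHOLD) -> str:
    """Receiver side: one hard bit decision per slot."""
    return "".join("1" if s >= threshold else "0" for s in samples)


def decode_frame(bits: str):
    """Locate the preamble, read the length byte, return the payload (or None)."""
    start = bits.find(PREAMBLE)
    if start < 0:
        return None
    pos = start + len(PREAMBLE)
    if len(bits) < pos + 8:
        return None
    length = int(bits[pos:pos + 8], 2)
    payload_bits = bits[pos + 8:pos + 8 + length * 8]
    if len(payload_bits) < length * 8:
        return None
    return bits_to_bytes(payload_bits)


def bit_error_rate(sent: str, received: str) -> float:
    n = min(len(sent), len(received))
    return sum(a != b for a, b in zip(sent, received)) / n if n else 1.0


def run(payload: bytes, background_noise: float = 0.0):
    """End to end: frame -> slot plan -> channel -> demodulate -> decode."""
    frame = build_frame(payload)
    bits = demodulate(simulate_channel(transmit_plan(frame), background_noise))
    return decode_frame(bits), bit_error_rate(frame, bits)


if __name__ == "__main__":
    secret = b"pw:hunter2"      # constructed sample, e.g. a keylogger's capture
    print(run(secret))          # quiet drive: exact recovery, BER 0.0
    print(run(secret, 1.2))     # heavy background I/O: idle slots read as '1'
```

With no competing traffic the payload round-trips exactly; once background I/O can push an idle slot’s energy over the decision threshold, bit errors appear, which is exactly why the transmitter should pause while the drive is busy.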
Attacks of this kind are not new: researchers have previously shown that manipulating the clock speed of an AMD Radeon graphics card can turn it into a radio transmitter receivable through a wall 50 feet away. But they are becoming more sophisticated as more researchers look for new interfaces to exploit.
There are several ways to mitigate such attacks, but none is foolproof. The paper suggests that the first line of defense is policy that prevents the initial intrusion, combined with measures such as banning radio receivers from the secure facility. Defenders can also deploy their own monitoring hardware to detect whether a covert transmission is in progress, or install software on the protected machines that watches for abnormal file activity, such as unusual read and write patterns on temporary files. However, these are weak detection methods, because both the transmissions and the drive activity are easy to obfuscate.
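As an added illustration of the host-side monitoring idea and of its weakness, here is a heuristic detector that is not part of the paper or any product. It assumes per-interval read-throughput samples for one process (for example, `read_bytes` from `/proc/<pid>/io` sampled every 100 ms) and flags a series that looks like a two-level square wave with frequent toggling. The three series below are constructed: a clean on/off carrier, ordinary bursty I/O, and the same carrier with varied burst intensity and dummy traffic in the idle slots, which a receiver can still decode but which the heuristic no longer flags.

```python
# Constructed telemetry, in arbitrary throughput units per 100 ms interval.
BITS = "1010101001101001110001011010"
COVERT_SERIES = [100 if b == "1" else 0 for b in BITS]          # clean on/off carrier
NORMAL_SERIES = [0, 5, 120, 30, 0, 0, 15, 60, 80, 0, 10, 0, 0, 45,
                 0, 0, 0, 90, 20, 0, 0, 0, 35, 0, 0, 70, 0, 0]    # irregular bursty I/O
# Same bit pattern, but bursts vary in intensity and idle slots carry filler traffic.
OBFUSCATED_SERIES = [(90, 70, 60)[i % 3] if b == "1" else (35, 20)[i % 2]
                     for i, b in enumerate(BITS)]


def level_fit(samples, tol: float = 0.15) -> float:
    """Fraction of samples within `tol` of either the idle level (0) or the burst
    level (the series maximum). A square-wave carrier scores near 1.0; ordinary
    I/O spreads across many levels and scores lower."""
    peak = max(samples)
    if peak <= 0:
        return 0.0
    near = sum(1 for s in samples if s <= tol * peak or s >= (1 - tol) * peak)
    return near / len(samples)


def transitions(samples, threshold_frac: float = 0.5) -> int:
    """Number of high/low state changes, using half the peak as the decision level
    (the same kind of slicer a receiver would use)."""
    peak = max(samples)
    if peak <= 0:
        return 0
    states = [s >= threshold_frac * peak for s in samples]
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


def looks_like_carrier(samples, min_fit: float = 0.9, min_toggles: int = 8) -> bool:
    """Flag a process whose I/O is both two-level and rapidly toggling."""
    return level_fit(samples) >= min_fit and transitions(samples) >= min_toggles


if __name__ == "__main__":
    for name, series in [("covert", COVERT_SERIES), ("normal", NORMAL_SERIES),
                         ("obfuscated", OBFUSCATED_SERIES)]:
        print(f"{name:10s} fit={level_fit(series):.2f} "
              f"toggles={transitions(series):2d} flagged={looks_like_carrier(series)}")
```

The obfuscated series keeps exactly the same toggling pattern as the clean one, so a receiver slicing at half the peak still recovers every bit, yet its level fit collapses and the detector stays silent. That is the caveat the paper raises: an attacker who randomises burst intensity and adds dummy traffic defeats a simple shape-based monitor without giving up the channel.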
The most direct protection would be additional electromagnetic shielding, on the SATA cable or on the PC case. On the other hand, the complexity of the attack itself may be the best protection for ordinary users. Building the receiver is surprisingly simple, but developing the necessary software and encoding techniques takes considerable sophistication, so attacks of this kind are most likely limited to nation-state espionage. The average user need not worry unless they keep nuclear launch codes on their system.