01-08-2022 | By Robin Mitchell
Recently, a researcher from the University of Negev, Israel, demonstrated how a SATA cable inside a PC can be used to wirelessly transmit data from a machine entirely isolated from all networks. How are cyberattacks becoming more sophisticated, what did the researcher demonstrate, and is there any fix against such attacks?
Computer hacking has been around for almost as long as mainstream computers, and while computer security technologies have become incredibly advanced, many attacks (arguably most) are still based on trivial exploits. For example, a private network (such as a WAN) can utilise complex passwords and powerful firewalls to deny outside access, but if a single device on that network uses a trivial default password, a hacker can use that device to gain a foothold on the network (this happened at a casino some years ago, where an internet-connected aquarium thermometer gave hackers a route to the high-security servers holding sensitive client information).
However, some attacks are becoming so sophisticated that they are, in some cases, practically impossible to defend against. One such attack exploits speculative execution in CPUs, whereby a CPU loads and begins executing the instructions it believes will be executed next. If a hacker requests data from restricted memory, the CPU may speculatively load the data into the target register and then deny the hacker access once it reaches the instruction and checks the permissions. However, the data that was retrieved may linger in the target register, a cache, or some other memory buffer, and this can allow the hacker to view the contents of private memory, which can include passwords and keys.
Another sophisticated attack, demonstrated recently, observes the energy consumption of a computer while it executes a quantum-safe encryption algorithm. Each bit being encrypted involves a large number of computations, but that number differs greatly depending on whether the bit is a 1 or a 0, so simply observing energy use against time reveals the value of the data being encrypted.
In what can only be described as pure brilliance, a researcher from the University of Negev recently demonstrated how an untouched SATA cable can be used to steal information from a desktop PC without any hardware modifications. The attack takes advantage of the fact that high-speed read and write operations over a SATA cable emit stray electromagnetic (EM) radiation, which can be used to generate radio waves that are then picked up by a nearby receiver.
Modern SATA cables operate at speeds of around 6Gbps, and this signalling rate produces radio emissions at a frequency of around 6GHz. Large read and write operations therefore produce fairly consistent 6GHz emissions that can be picked up over short distances. It is therefore possible for an application to perform carefully timed read and write operations on files so that traffic over the SATA cable is switched on and off in a pattern, producing a modulated radio wave and thus transmitting data.
To make the attack more dangerous, it can be performed from user space and from inside a virtual machine, and most systems (even those with the strictest security) allow read operations, which makes the attack very difficult to prevent. Furthermore, read operations were found to produce a stronger EM signal (up to 3dB higher), making it easier for malware to perform the attack. To put the final nail in the coffin, the researchers demonstrated the attack on an air-gapped PC with no outside connections whatsoever (i.e. no Wi-Fi, Bluetooth, or Ethernet). Such PCs are found in secure locations with access to extremely sensitive information.
Of course, for this attack to succeed, malware has to be installed on the target PC. For an air-gapped PC, this means an attacker would have to reach the machine physically and transfer the malware across, but this can be done easily enough through social engineering, for example by convincing an unsuspecting user to insert an infected USB drive. The signals are only readable over a distance of 1 meter, but a miniature receiver could be stuck to the side of the PC, connect to a cellular network, and stream data such as keystrokes and screenshots.
The most obvious defence against this attack is to block USB access and other means of file transfer so that malware cannot reach the target PC, but this is not always practical. Since a secure PC is entirely isolated from outside networks, USB transfers are likely the most practical method of exchanging information with it.
Another potential defence is to line the inside of the PC case with conductive foil. This would act as a Faraday cage and significantly reduce EM emissions from the SATA cable. The same could be achieved by wrapping the SATA cable itself in foil, but such a shield would likely need to be grounded to be effective.
Finally, it is also possible to use laptops and other low-profile machines that do not use long SATA cables. The attack is only possible because a long cable acts as an antenna, so using a single-board computer or laptop can reduce such emissions.
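The countermeasures above are physical. A host-side check that complements them follows directly from the modulation scheme described earlier: the transmitting process must switch disk reads on and off at a fixed symbol period, whereas ordinary application I/O is bursty but irregular. The example below is added here and is not from the article or from the researcher's work; it is a detection heuristic run over constructed per-interval I/O byte counts (the traces, thresholds and tolerances are made-up assumptions), flagging a trace whose busy/idle run lengths all quantise to one symbol period.

```python
from itertools import groupby

def binarise(samples, threshold):
    """Map per-interval I/O byte counts to 1 (busy) or 0 (idle)."""
    return [1 if s >= threshold else 0 for s in samples]

def run_lengths(bits):
    """Lengths of consecutive identical values, e.g. [1,1,0,0,0,1] -> [2,3,1]."""
    return [len(list(g)) for _, g in groupby(bits)]

def keying_score(runs, period):
    """Fraction of runs that are, within 15%, a whole number of symbol periods.
    Runs shorter than half a period are never counted as hits."""
    tol = period * 0.15
    hits = 0
    for r in runs:
        k = round(r / period)
        if k >= 1 and abs(r - k * period) <= tol:
            hits += 1
    return hits / len(runs)

def detect_ook(samples, threshold, min_runs=8, min_score=0.9):
    """Flag a trace whose busy/idle runs all quantise to one symbol period.
    Returns (flagged, best_period_in_samples, score)."""
    runs = run_lengths(binarise(samples, threshold))
    if len(runs) < min_runs:            # too little activity to judge
        return (False, 0, 0.0)
    best_score, best_period = 0.0, 0
    for period in range(4, max(runs) + 1):
        score = keying_score(runs, period)
        if score >= best_score:         # on a tie prefer the longer period
            best_score, best_period = score, period
    return (best_score >= min_score, best_period, best_score)

def trace_from_runs(runs, busy=1_200_000, idle=3_000):
    """Expand alternating busy/idle run lengths (busy first) into samples."""
    out = []
    for i, r in enumerate(runs):
        out.extend([busy if i % 2 == 0 else idle] * r)
    return out

# Constructed traces of bytes read per 10 ms interval (values are made up):
# a transmitter keying 16 bits at 8 intervals per symbol, with one run
# jittered by an interval, versus ordinary irregular application I/O.
COVERT_TRACE = trace_from_runs([8, 8, 8, 8, 17, 16, 8, 8, 8, 8, 24, 8])
BENIGN_TRACE = trace_from_runs([3, 11, 1, 6, 2, 14, 5, 1, 9, 2, 7, 4, 1, 13, 2, 6])
```

On a real Linux host the samples would come from differencing the sectors-read counter in /proc/diskstats at a fixed interval, per process where the accounting allows it; the threshold must be tuned to the machine's background I/O.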
Overall, this attack demonstrates just how far cyberattacks have come, and how researchers are finding extremely unusual exploits that are often hard to defend against.