The “SATAn” vulnerability turns SATA cables into antennas to defeat air gap security.
Mordechai Guri's lab at Ben-Gurion University seems to be the death zone for air-gapped computers, or at least the place where they give up their secrets. This hack exploits a computer’s SATA cable as an antenna to leak data, another example of how many side-channel attacks exist on personal computers.
This vulnerability, named “SATAn”, relies on the fact that many computers use the SATA 3.0 interface, which has a bandwidth of 6.0 Gb/s. That means manipulating a computer’s I/O could potentially transmit data from an air-gapped machine at about 6 GHz. Of course, this is a complex exploit: it requires first placing a transmission program on the target machine using common methods, such as phishing or zero-day exploits. Once in place, the transmission program uses a combination of read and write operations on the SATA disk to generate radio frequency signals that encode the data to be leaked, with the data lines in the SATA cable acting as antennas.
The video below shows how SATAn operates. Transmitting just a few bytes of data takes some time, and the transmission range is less than a meter, but that might be enough for the exploit to succeed. The test setup used an SDR (specifically the ADALM PLUTO) and a laptop, but you can easily imagine a smaller package for covert mobile attacks.
Mordechai Guri also provides a potential countermeasure for SATAn, which essentially generates radio frequency noise by stimulating the hard drive to mask any signals produced.
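A sketch of that noise-generating countermeasure, added here as an example (it is not Dr. Guri's code): a small POSIX-only jammer that issues randomized reads and writes to a scratch file on the drive to be protected. The function name, block size, file size and timing values are assumptions chosen for illustration.

```python
import os
import random
import tempfile
import time

BLOCK = 64 * 1024            # bytes per I/O operation (assumed value)
FILE_SIZE = 4 * 1024 * 1024  # scratch file size (assumed value)


def jam(scratch_dir, seconds, max_gap=0.005, seed=None):
    """Issue random reads and writes against a scratch file for `seconds`.

    scratch_dir must live on the SATA drive whose cable should carry the
    noise. Returns counters so a supervisor can confirm the jammer ran.
    """
    rng = random.Random(seed)
    stats = {"reads": 0, "writes": 0, "bytes": 0}
    fd, path = tempfile.mkstemp(prefix="sata_jam_", dir=scratch_dir)
    try:
        # Fill the file with real data: reads from unallocated holes in a
        # sparse file would never touch the drive.
        os.write(fd, os.urandom(FILE_SIZE))
        os.fsync(fd)
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            offset = rng.randrange(0, FILE_SIZE - BLOCK + 1, BLOCK)
            if rng.random() < 0.5:
                os.pwrite(fd, os.urandom(BLOCK), offset)
                os.fsync(fd)  # push the write out of the page cache
                stats["writes"] += 1
            else:
                # Advisory only: ask the kernel to drop cached pages so the
                # read is more likely to be served by the drive itself.
                if hasattr(os, "posix_fadvise"):
                    os.posix_fadvise(fd, offset, BLOCK,
                                     os.POSIX_FADV_DONTNEED)
                os.pread(fd, BLOCK, offset)
                stats["reads"] += 1
            stats["bytes"] += BLOCK
            # A random gap keeps the jammer's own traffic from being periodic.
            time.sleep(rng.uniform(0, max_gap))
    finally:
        os.close(fd)
        os.unlink(path)
    return stats


if __name__ == "__main__":
    print(jam(tempfile.gettempdir(), seconds=2.0))
```

Running this continuously competes with legitimate disk I/O and adds write wear, so the duty cycle is a trade-off to tune per machine.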
While it may be limited in practical applications, SATAn is an interesting side-channel attack that can be added to [Dr. Guri’s] list of vulnerabilities. From optical leakage using security cameras to turning power supplies into speakers, vulnerabilities keep piling up.
User Comments
cncFriend says:
The range and speed are very limited. But it’s quite interesting!
A commenter named Ren says:
I think governments and large corporations can only stop using computers to store and communicate secret information.
JohnElectric says:
I worked on NSA receivers back in the late 70s, before PCs came along. They were already listening in on terminals and word processors before we had personal computers.
It’s a big secret because it’s so easy to do. I could tell any HAM what we were doing, and they could have it up and running in a night. (Most engineers working on this are HAMs).
lwatcdr says:
Actually, there’s no vulnerability.
You have to first install your code on the physically isolated computer in some way, and then you have to get the SDR device within a meter of the above computer.
To make it even harder, just shield the SATA cable and ground the shield. Or just use a Faraday cage box. How to do it? Use a metal casing with no gaps larger than 5 cm and ground each panel. It’s not hard to arrange.
Do you think any government or large corporation would have an air-gapped system without physical security? This might apply to some commercial or local systems, but nothing would be considered compliant with government safety standards.
Henrik says:
So true! We spent a lot of time discussing vulnerabilities in avionics. In the end, I got management to accept that you have to carry a drill and devices through security and sneak into the electronic compartment under the kitchen of the airplane, cutting off communications. If you can do that, you can cause a lot of damage.
Discovering/developing these things is fascinating. But real-life applications….
When working in aerospace, all development must be done on a standalone network. Not connected to the internet. Because our IT department is in a different country, they can access it remotely. We raised this issue and were told it was impossible for there to be a problem.
Even did a POC to ping 5GB of source code from the “blue” network to the ordinary network (we had a PC just for checking emails next to the development PC), and they still claimed it was impossible……
The Truth says:
The problem is that this is just a basic proof of concept.
You could increase the range by adding more phase-coherent external antennas (the range roughly doubles for each additional antenna).
Cooling a special first LNA with 4.222K boiling liquid helium (instead of working at room temperature (300K)) should boost signal levels by nearly 8.5dB. (The University of Bremen in Germany achieved 38 picowatts in just 2 seconds in 2021, so at least theoretically, if an LNA could cool to this temperature and still operate, this would correspond to an additional 119 dB of signal).
Remember, every additional 3dB is double the range.
Then, you can also use two synchronized receivers, each receiving half of the signal bandwidth, which would double the effective range. Four synchronized receivers, each receiving a quarter of the bandwidth, would increase the range again by double. And so on, ad infinitum.
When money is no object, many tricks fall out of physics/mathematics. Yes, calibration, storage, and post-processing of the collected bits get a bit daunting, but if there’s enough money thrown at the problem, it’s possible.
