Air-Fi is another path to stealing data from an isolated computer

Computers don’t necessarily need a Wi-Fi module to transmit information over Wi-Fi, Israeli researchers have found.

To keep secret information beyond the reach of attackers, organizations place it on devices that are not connected to a local network, let alone the Internet — so-called air-gapped computers. However safe that may sound, infecting such a machine or a network segment is actually not that difficult (recall the Stuxnet story). Extracting the information obtained is much more difficult.

That’s where all sorts of clever methods come in, and Mordechai Guri, a researcher at Ben-Gurion University of the Negev, specializes in finding them. Dr. Guri is not the only one, of course, but in recent years, he’s been involved in the discovery of a few dozen such methods.

A new study describes yet another way to extract data from an isolated computer, this time using Wi-Fi technology (hence the name Air-Fi).

How Air-Fi works

The beauty of Air-Fi is that it works even if the target computer has no Wi-Fi equipment. Instead, it relies on malware already planted on the device that can use the DDR SDRAM memory bus to generate electromagnetic radiation at a 2.4 GHz frequency. The malware can encode the necessary data into variations of this radiation, and any device with a Wi-Fi receiver, including another compromised device, can pick up and intercept the generated signals. That other device could be a regular smartphone or even a smart lightbulb.

The Air-Fi method is especially unpleasant from a cybersecurity point of view. It doesn’t require administrator rights on the isolated computer; a regular user account can get the job done. Moreover, using a virtual machine provides no protection; VMs have access to memory modules.

Data transmission speed and range

The researchers transmitted data without noticeable distortions at a range of up to 2–3 meters (in one case, up to 8 meters) and a speed of up to 100 bits per second, depending on the hardware in the infected computer and the type of receiver. As with most similar methods, that isn’t very fast. Transferring a 20MB file, would take 466 hours, for example. That said, the lyrics to “Jingle Bells,” at 1,300 bytes, could be transferred in 90 seconds. In that light, stealing a user name and password using this technique seems entirely realistic.

How to combat Air-Fi

Using Air-Fi involves electromagnetic emissions. You can counter the strategy using the following measures:

  • Do not allow Wi-Fi-enabled devices near isolated systems for any reason;
  • Monitor isolated systems for suspicious processes;
  • Shield the computer in a Faraday cage;
  • Ban all outside devices, including push-button phones, in the enterprise.

The latter is the most radical approach, but it’s also the most effective.

Like all similar methods, Air-Fi is too slow and difficult to be used by ordinary cybercriminals for everyday attacks. It may be of interest to industrial spies and state actors because of its ability to work without administrator rights, though. The full text of the study provides more information about the method.