For those unaware, an "air-gapped system" is a computer or device that is physically isolated from other networks, including the internet. It also has no hardware that can communicate wirelessly, such as Bluetooth or Wi-Fi. According to the study, attackers use the SATA cable itself as a wireless transmitter to send radio signals in the 6 GHz frequency band, where transmission via SATA cables is most effective. The attack is known as "SATAn". The researchers have successfully demonstrated the SATAn attack method, which can work from user space or through a virtual machine (VM).
“Although air-gap computers have no wireless connectivity, we show that attackers can use the SATA cable as a wireless antenna to transfer radio signals at the 6 GHz frequency band. The Serial ATA (SATA) is a bus interface widely used in modern computers and connects the host bus to mass storage devices such as hard disk drives, optical drives, and solid-state drives. The prevalence of the SATA interface makes this attack highly available to attackers in a wide range of computer systems and IT environments,” researchers wrote regarding their findings about SATAn.
The experiments carried out by the researchers showed that SATA 3.0 (6 Gbps) cables emit electromagnetic waves in various frequency bands, including 1 GHz, 2.5 GHz, 3.9 GHz, and +6 GHz. However, the strongest correlation with data transmission occurs between 5.9995 GHz and 5.9996 GHz. The idea behind the covert channel is to use the SATA cable as an antenna and control its electromagnetic emission. “The results showed that an attacker could wirelessly transmit a small amount of sensitive information from a highly secure air-gapped computer to a nearby receiver using a SATA cable,” the researchers continued.
To make matters worse, additional testing has shown that read operations on SATA produce stronger signals than write operations (3 dB stronger on average). This makes read operations preferable for the covert channel and makes the overall attack easier to carry out. According to the researchers, the attack is, for now, more successful when reading data, as read operations require lower permissions than write operations. However, the method is enough to collect sensitive information from systems that would otherwise be completely isolated, they added.
Through their study, researchers have shown that attackers can exploit the SATA cable as an antenna to transfer radio signals in the 6 GHz frequency band by using non-privileged read() and write() operations. Notably, the SATA interface is highly available to attackers in many computers, devices, and networking environments.
While there are several ways to mitigate these types of attacks, the paper suggests that the first line of defense is to use multiple layers of security in the network, including firewalls, intrusion detection and prevention systems, network traffic analysis, and access control mechanisms. Another approach is to use an external RF monitoring system to detect anomalies in the 6 GHz band near the transmitting computer. Another preventive countermeasure is jamming, which can be done from the operating system by carrying out random read and write operations when suspicious covert channel activity is detected.
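
The RF monitoring countermeasure described above can be sketched as follows. This is an added example, not code from the paper or this article: the sweep format (lists of frequency/power pairs from an external spectrum monitor), the threshold parameters, and the sample readings are all assumptions made for illustration.

```python
from statistics import median

# Band the article reports as most correlated with SATA transfers.
BAND_LO_HZ, BAND_HI_HZ = 5.9995e9, 5.9996e9

def band_power(sweep):
    """Peak power (dBm) of the bins inside the watched band, or None if none fall in it."""
    inside = [dbm for hz, dbm in sweep if BAND_LO_HZ <= hz <= BAND_HI_HZ]
    return max(inside) if inside else None

def detect_anomalies(sweeps, baseline_n=8, k=6.0, floor_db=3.0, min_run=3):
    """Return (first, last) sweep-index runs where band power stays above baseline.

    The first baseline_n sweeps are assumed to be clean. The threshold is the
    baseline median plus k robust standard deviations (MAD * 1.4826), with a
    floor_db minimum margin so a very quiet baseline does not cause false alarms.
    Runs shorter than min_run sweeps are ignored as transient noise.
    """
    powers = [band_power(s) for s in sweeps]
    base = [p for p in powers[:baseline_n] if p is not None]
    if len(base) < 3:
        raise ValueError("not enough in-band baseline readings")
    med = median(base)
    mad = median(abs(p - med) for p in base)
    threshold = med + max(k * 1.4826 * mad, floor_db)
    runs, start = [], None
    for i, p in enumerate(powers + [None]):  # trailing None flushes an open run
        hot = p is not None and i >= baseline_n and p > threshold
        if hot and start is None:
            start = i
        elif not hot and start is not None:
            if i - start >= min_run:
                runs.append((start, i - 1))
            start = None
    return runs

# Constructed sample data: three bins per sweep, one inside the watched band.
def make_sweep(in_band_dbm):
    return [(5.9990e9, -95.0), (5.99955e9, in_band_dbm), (6.0000e9, -94.5)]

SAMPLE_DBM = [-95.0, -94.6, -95.3, -94.9, -95.1, -94.8, -95.2, -95.0,  # baseline
              -94.9, -80.0, -94.7, -82.0, -81.5, -80.9, -83.0, -95.1, -94.8]
SAMPLE_SWEEPS = [make_sweep(p) for p in SAMPLE_DBM]

if __name__ == "__main__":
    for first, last in detect_anomalies(SAMPLE_SWEEPS):
        print(f"sustained in-band energy in sweeps {first}..{last}")
```

On the constructed readings, the single spike at sweep 9 is dropped as transient and only the sustained rise is reported.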