A security researcher has demonstrated a mechanism for attackers to steal data from an air-gapped computer, which is a computer that is completely disconnected from the network and has no wireless or wired connectivity to the internet. Dubbed SATAn, the attack involves repurposing serial ATA (SATA) cables inside most computers as a wireless antenna.

“This is a good example of why there is a need for defense in depth,” Josh Lospinoso, CEO and co-founder of Shift5, told Lifewire in an email. “Simply air gapping computers is never enough since ingenious attackers will come up with novel techniques for defeating static defensive techniques once they possess the time and resources to do so.”

Been There Done That

For a SATAn attack to succeed, an attacker first needs to infect the target air-gapped system with malware that transforms the sensitive data inside the computer into broadcastable signals.

SATAn was discovered by Mordechai Guri, the Head of R&D of The Cyber Security Research Labs at Ben-Gurion University in Israel. In a demonstration, Guri was able to generate electromagnetic signals to deliver data from inside an air-gapped system to a nearby computer.

Ray Canzanese, Threat Research Director at Netskope, asserts the SATAn attack helps highlight the fact that there’s no such thing as absolute security.

“Disconnecting a computer from the internet only mitigates the risk of that computer being attacked over the internet,” Canzanese told Lifewire over email. “The computer is still vulnerable to many other methods of attack.”

He said the SATAn attack helps demonstrate one such method, taking advantage of the fact that various components inside the computer emit electromagnetic radiation that can leak sensitive information.

Dr. Johannes Ullrich, Dean of Research, SANS Technology Institute, however, pointed out that attacks such as SATAn are well known and go back to the pre-network days.

“They used to be known as TEMPEST and have been recognized as a threat since at least 1981 when NATO created a certification to protect against them,” Ullrich told Lifewire via email.

Talking about the TEMPEST standards, Canzanese said they prescribe how an environment should be configured to prevent the leakage of sensitive information through electromagnetic emissions.

Comprehensive Security

David Rickard, CTO North America of Cipher, the cybersecurity division of Prosegur, agrees that while SATAn presents a worrisome prospect, there are practical limitations to this attack strategy that make it relatively easy to overcome.

For starters, he points to the range of SATA cables that are used as an antenna, saying the research showed that even at about four feet, the wireless transfer error rates are quite significant, with doors and walls further degrading the quality of the transmission.

“If you house sensitive information on your own premises, keep them locked away such that no other computer using wireless connections can come within 10 feet of the computer housing the data,” explained Rickard.

All our experts also point to the fact that the TEMPEST specifications require using shielded cables and cases, along with other considerations, to ensure that computers that house sensitive data don’t emit data via such ingenious mechanisms.

“TEMPEST compliant hardware is available to the public through a variety of manufacturers and resellers,” shared Rickard. “If [you use] cloud-based resources, enquire with your provider regarding their TEMPEST compliance.”

Canzanese asserts the SATAn attack highlights the importance of restricting physical access to computers that hold sensitive data.

“If they are able to connect arbitrary storage devices, like USB thumb drives, that computer can become infected with malware,” said Canzanese. “Those same devices, if they can be written to, can also be used for data exfiltration.”

Rickard agrees, saying that removable USB drives (and phishing) are much larger data exfiltration threats and more complicated and costly to solve.

“These days, these attacks are mostly theoretical, and defenders should not waste time and money on these attacks,” said Ullrich. “Researchers continue to rediscover these attacks, but they do not play a measurable role in current breaches, and effort is much better spent protecting against attacks that matter.”