feature article
Subscribe Now

Hacking a Secure Air-Gapped Computer

Research Team Finds Novel Ways to Bypass Security

Some security weaknesses would be hilarious if they weren’t so serious. And one man and his crack research team have found dozens of surprising ways to crack seemingly impenetrable computers. You’ve got to give them points for originality. 

There are a lot of ways to secure a computer, depending on what you’re trying to prevent. Do you want to keep secure information inside? Do you want to prevent outside malware from getting in? Do you want to limit access to only the right people? The list goes on. 

“Air gapping” is the gold standard for trapping sensitive information inside a computer and making sure it can’t be shared, transmitted, or go walkabout. An air-gapped computer has no CD-ROM burner, no floppy disk drive, no SD card interface, no USB slots, and no network interface of any kind. That means no Ethernet, no Wi-Fi, no Bluetooth – nothing that could potentially be used to send data outside the machine. 

Seems pretty secure, right? With no network and no place to stick removable media, there is physically no way to get data off of the computer. Or so you’d think. But Mordechai Guri and his merry band of helpers at Ben-Gurion University of the Negev in Israel has found a way. Many ways, in fact, and some are truly surprising. Or demoralizing, depending on your job description. 

The latest installment in their oeuvre is nicknamed Air-Fi, and it MacGyvers a Wi-Fi interface out of hardware that’s already in your PC. It relies on the underlying electromagnetic radiation that results from any signal transmitted over a wire. Specifically, it subverts your computer’s DRAM into wiggling the memory bus at 2.4 GHz – exactly the frequency range of the 802.11b/g/n Wi-Fi standards. And, since most computers today use standard DIMMs, the hardware is readily available, and you’re pretty much hosed. 

If you want to know how it works, or even to try it out for yourself, the detailed description is in his research paper. It even provides pseudocode. 

Since Air-Fi mimics Wi-Fi, anything in the area with a Wi-Fi interface can pick up the exfiltrated data, including cellphones, wireless routers, access points, harmless IoT gadgets, or other computers. 

If you’ve assembled a new PC lately, you know that DDR4-2400 memory sticks are common. As the name suggests, these operate at a constant 2400 MHz, with memory addresses and data synchronized to the edges of the clock. That frequency sits right on top of the Wi-Fi band, so Guri and his team used this convenient (inconvenient?) parallel as the basis for their hack. The DRAM clock provides the carrier frequency, and data transactions modulate it to encode data. 

To transmit a “1” bit, the software performs a flurry of memory transactions by moving a few megabytes of arbitrary data in order to generate sufficient activity on the SDRAM bus. (CPU-to-memory transactions are a lot faster than Wi-Fi bit times, hence the large block size.) To send a “0” the software does nothing and waits. Timing loops space out the transactions to match the timing specified by Wi-Fi standard. 

Clever, but what if your computer doesn’t use DDR4-2400 memory? Surely Air-Fi won’t work with faster or slower memories, will it? Turns out, it does. 

Guri and his team experimented with both DDR3-2133 and DDR3-1600 DIMMs and successfully compromised them as well. In both cases, they overclocked the memory interface, which is very doable on most systems. Once they got the slower DIMMs running at the correct 2400-MHz rate, the rest was cake. 

For extra credit, Guri and his team also tried single-core versus multicore versions of the attack. Although Air-Fi works just fine as a single thread on a single-core system, going multicore works even better. By synchronizing the individual program threads, they were able to boost the signal strength, increase range, and lower the error rate. 

And the error rate is already pretty good, considering this isn’t even a real Wi-Fi interface. Guri’s team measured bit error rates (BER) of zero out to a range of a meter or two (depending on the computer), increasing into single-digit percentages at longer range. Signal-to-noise ratio (SNR) varied from 3 dB up to 20 dB. Not bad for a fake transmitter that’s not supposed to be there. 

At about 100 bits/sec, Air-Fi isn’t fast, but it is effective. It requires nothing unusual in terms of hardware, although it does require malware on the transmitting side. But once inside, such malware would be hard to identify because all it’s doing is memory transactions, and what’s suspicious about that? How would you detect it? Guri suggests hardware fixes like radio jamming, shielding, or physical distance from any and all potential Wi-Fi receivers.  

As inventive as Air-Fi is, I’m more impressed by some of the team’s other discoveries/inventions. For example, they’ve found ways to toggle the LEDs on your computer’s keyboard, disk drives, or network gear to exfiltrate data. Or to use the speaker. Or the fans. Or even heat. We might as well give up now. 

featured blogs
Nov 24, 2021
The need for automatic mesh generation has never been clearer. The CFD Vision 2030 Study called most applied CFD 'onerous' and cited meshing's inability to generate complex meshes on the first... [[ Click on the title to access the full blog on the Cadence Community site. ]]...
Nov 24, 2021
I just saw an amazing video showing Mick Jagger and the Rolling Stones from 2021 mixed with Spot robot dogs from Boston Dynamics....
Nov 23, 2021
We explain clock domain crossing & common challenges faced during the ASIC design flow as chip designers scale up CDC verification for multi-billion-gate ASICs. The post Integration Challenges for Multi-Billion-Gate ASICs: Part 1 – Clock Domain Crossing appeared f...
Nov 8, 2021
Intel® FPGA Technology Day (IFTD) is a free four-day event that will be hosted virtually across the globe in North America, China, Japan, EMEA, and Asia Pacific from December 6-9, 2021. The theme of IFTD 2021 is 'Accelerating a Smart and Connected World.' This virtual event ...

featured video

Imagination Uses Cadence Digital Full Flow for GPU Development

Sponsored by Cadence Design Systems

Learn how Imagination Technologies uses the latest Cadence digital design and simulation solutions to deliver leading-edge GPU technology for automotive, mobile, and data center products.

Click here to learn more about Cadence’s digital design and signoff solutions

featured paper

3D-IC Design Challenges and Requirements

Sponsored by Cadence Design Systems

3D-ICs are expected to have a broad impact on networking, graphics, AI/ML, and high-performance computing. While there’s interest in 3D-ICs, it’s still in its early phases. Standard definitions are lacking, the supply chain ecosystem is in flux, and design, analysis, verification, and test challenges need to be resolved. Read this white paper to learn about 3D integration and packaging of multiple stacked dies, design challenges, ecosystem requirements, and needed solutions.

Click here to read more

featured chalk talk

Single Pair Ethernet

Sponsored by Mouser Electronics and Phoenix Contact

Single-pair Ethernet is revolutionizing industrial system design, with new levels of performance and simplicity. But, before you make the jump, you need to understand the options for cables, connectors, and other infrastructure. In this episode of Chalk Talk, Amelia Dalton chats with Lyndsey Walling of Phoenix Contact about the latest in single-pair Ethernet for industrial applications.

Click here for more information about Phoenix Contact Single Pair Ethernet (SPE) Connectors