Researchers today revealed a new 'SATAn' attack that can turn a SATA cable into a radio transmitter, thus allowing a hacker to exfiltrate data from a system that isn't connected to a network and transmit it to a receiver 1m away — all without physically modifying the SATA cable or hardware. The software-based technique can work from user space or through a virtual machine (VM), and you can see a short demo in the embedded video below.
The ubiquitous SATA connection is used in billions of devices worldwide to connect hard drives and SSDs inside a PC, making it the perfect target for hackers looking for a sophisticated attack with a wide footprint.
Some of the most sensitive data on the planet is stored in air-gapped systems. These systems are entirely isolated from any connection to the outside world, like a network or the internet, and also don't have any hardware that can communicate wirelessly, like wireless Bluetooth or Wi-Fi hardware. As such, it requires ultra-sophisticated techniques to steal data from them. Researcher Mordechai Guri at the University of the Negev, Israel, has accomplished the feat by converting a standard SATA cable into a radio transmitter, but without actually making any physical modifications to the hardware.
As with all computer interfaces, the SATA bus generates electromagnetic interference during normal operation, and if used correctly, that interference can be manipulated and then used to transmit data. In this case, the researcher used the SATA cable as a wireless antenna that operated on the 6 GHz frequency band, thus transmitting a short message to the nearby laptop. This attack can be used in concert with keyloggers to steal passwords or other sensitive data. Likewise, attackers can employ other mechanisms to steal important data, like files and images.
Naturally, the attacker would first have to install malicious software onto the targeted machine, but as we've seen with Stuxnet and other attacks, USB devices with malicious code can spread malware inside protected systems. Otherwise, the attacker would need physical access to install the attack payload.
Once installed, the malicious software first encodes the data to be stolen. Then it conducts certain types of file system access, like reads and writes, in a controlled manner to generate a signal on the cable. While either read or write operations can effectively create the correct signals, the researcher notes that read operations typically don't require higher permissions at the system level and generate stronger signals (up to 3 dB) than write operations. The researchers also noted that background operations that incur other traffic to the storage device are generally fine. Still, intense drive activity can muddy the transmissions, so it's best to pause or stop the transmission when heavy background activities occur.
The attacker can then receive the signal from a nearby device, but the reach is limited. In this case, the receiver has to be within 1m of the transmitter due to increased bit error rates associated with longer distances. The receiving device, in this case, a laptop, uses a Software Defined Radio (SDR) receiver to receive the signal.
The philosophy behind this type of attack isn't new — researchers have previously demonstrated manipulating the clock rates of an AMD Radeon graphics card to create a radio transmitter that generated a signal that an attacker could receive through a wall 50 feet away — but the hacks are becoming increasingly sophisticated as researchers find new interfaces to exploit.
There are several ways to mitigate these types of attacks, but they aren't foolproof. The paper suggests that the first line of defense is to implement policies that prevent the initial penetration, along with other tactics, like forbidding radio receivers in the secured facility. Naturally, spooks can also use monitoring hardware of their own to detect if any nefarious transmissions are underway, or install software on secured machines that monitors abnormal file usage, like odd read and write activity to temporary files. These tend to be low-yield methods of detection, though, because the transmissions and drive activity are easy to disguise.
The most direct method of protection would be to add extra electromagnetic shielding either on the SATA cable or to the PC's case. But then again, perhaps the complexity of the attack itself is the best protection for us normal folks. Building the receiver is surprisingly simple, but developing the requisite software and encoding techniques would require a high level of sophistication, meaning that these types of attacks are most likely relegated to nation-states engaging in espionage, meaning the average user has nothing to worry about.
