Professional Documents
Culture Documents
Air-Gapped Computers
Mordechai Guri
Ben-Gurion University of the Negev, Israel
Cyber-Security Research Center
gurim@post.bgu.ac.il
demo video: https://www.youtube.com/watch?v=vhNnc0ln63c
air-gap research page: http://www.covertchannels.com
arXiv:2012.06884v1 [cs.CR] 12 Dec 2020
Abstract—In this paper, we show that attackers can exfiltrate deceived insiders [20][5]. These techniques allow the attackers
data from air-gapped computers via Wi-Fi signals. Malware in to insert targeted malware into systems within the isolated
a compromised air-gapped computer can generate signals in the environment.
Wi-Fi frequency bands. The signals are generated through the
memory buses - no special hardware is required. Sensitive data One of the most famous incidents in which the air-gap
can be modulated and secretly exfiltrated on top of the signals. was breached involved the Stuxnet worm which targeted su-
We show that nearby Wi-Fi capable devices (e.g., smartphones, pervisory control and data acquisition (SCADA) systems and
laptops, IoT devices) can intercept these signals, decode them, destroyed an estimated 1,000 centrifuges at an Iranian uranium
and send them to the attacker over the Internet. To extract enrichment facility [53]. In 2018, the US Department of
the signals, we utilize the physical layer information exposed
by the Wi-Fi chips. We implement the transmitter and receiver Homeland Security accused Russian hackers of penetrating the
and discuss design considerations and implementation details. We internal network of America’s electric utilities [4]. In 2019, the
evaluate this covert channel in terms of bandwidth and distance media reported that the Kudankulam Nuclear Power Plant was
and present a set of countermeasures. Our evaluation shows that the target of a successful cyber attack earlier that year [21].
data can be exfiltrated from air-gapped computers to nearby In addition, sophisticated malware, such as SymonLoader [8]
Wi-Fi receivers located a distance of several meters away.
and other advanced persistent threats capable of compromising
I. I NTRODUCTION air-gapped networks, were found in the wild [14], [1], [15].
One of the initial phases in the kill chain of advanced C. Air-Gap Exfiltration
persistent threats (APTs) is infiltrating the network of the
target organization. To achieve this goal, adversaries may use Once the attacker has taken his/her its initial step into the
attack vectors, such phishing emails, compromised websites, air-gapped network, he/she moves on to the next phases of
malicious documents, exploit kits, and other types of online the kill chain. In these subsequent phases sensitive data is
attacks [15]. collected, including: documents, files, keylogging, credentials,
and biometric information. In the case of Internet connected
A. Isolated, Air-Gapped Networks networks the data is exfiltrated through covert channels within
When highly sensitive or confidential information is in- Internet protocols (e.g., HTTPS, FTP, SSH, and SMTP [61]).
volved, an organization may resort to air-gapped networks. However, in isolated air-gapped networks, the attacker must
Such networks are disconnected from the Internet logically use unconventional communication techniques to leak the data
and physically, with any type of wired or wireless connection out - methods which are referred to as air-gap covert channels
to the Internet strictly prohibited [3]. Certain sectors may [29]. Over the years, various types of air-gap covert channels
maintain their data within air-gapped networks, including have been introduced. For example, malware may exploit
financial, defense, and critical infrastructure sectors. In many electromagnetic radiation from various computer components
cases, operational technology (OT) networks are also kept to transmit data [32], [51], [52], [60], [31]. Acoustic [19],
isolated from the Internet to protect the physical processes and [40], optical [55], [44], [45], thermal [35], magnetic [27],
machinery used to carry them out [5]. Classified networks such and electric [42] air-gap covert channels have also been
as the Joint Worldwide Intelligence Communications System demonstrated over the past 20 years [18].
are also known to be air-gapped [7].
D. Our Contribution
B. Infecting Air-Gapped Networks In this paper we introduce a new type of covert channel
Despite the high degree of isolation, air-gapped networks that exploits Wi-Fi to leak data from air-gapped networks.
are not immune to cyber attacks. To penetrate highly secure The AIR-FI attack introduced in this paper does not require
networks, motivated adversaries may employ complex attack Wi-Fi related hardware in the air-gapped computers. Instead,
vectors, such as sabotaging the supply chain, compromising a we show that an attacker can exploit the DDR SDRAM buses
third-party software, using malicious insiders, and exploiting to generate electromagnetic emissions in the 2.4 GHz Wi-Fi
bands and encode binary data on top of it. We also show TABLE I
that nearby Wi-Fi receivers, such smartphones, laptops, and S UMMARY OF EXISTING AIR - GAP COVERT CHANNELS
Internet of Things (IoT) devices, can receive and decode the Type Method
modulated data, and then send it to the attacker via the Internet. AirHopper (FM radio) [32], [34]
The AIR-FI covert channel has the following characteristics: GSMem (cellular frequencies) [31]
Electromagnetic
USBee (USB bus emission) [33]
• Requires no Wi-Fi transmitter. The method doesn’t AIR-FI (Wi-Fi frequencies)
require any type of Wi-Fi hardware in the air-gapped MAGNETO (CPU-generated magnetic fields) [27]
Magnetic
ODINI (Faraday shield bypass) [46]
computer. Instead, it uses the computer memory hardware Electric PowerHammer (power lines) [42]
(DDR SDRAM) to generate the signals. Fansmitter (computer fan noise) [40]
• Requires no special privileges. The transmitting code DiskFiltration (hard disk noise) [37]
Ultrasound [47]
does not require special privileges (e.g., root), kernel Acoustic
MOSQUITO (speaker-to-speaker) [38] [39]
drivers, or access to hardware resources. Furthermore, it POWER-SUPPLAY (Play sound from Power-Supply) [26]
can be initiated from an ordinary user space process. CD-LEAK (sound from CD/DVD drives) [25]
BitWhisper (CPU generated heat) [36]
• Works in virtual machines (VMs). The covert channel Thermal
HOTSPOT ( CPU generated heat received by a smartphone) [23]
works effectively, even from within an isolated virtual LED-it-GO (hard drive LED) [44]
machine. VisiSploit (invisible pixels) [30]
Optical Keyboard LEDs [55] [41]
• Has many potential receivers. Modern IT environments
Router LEDs [43]
are equipped with many types of Wi-Fi capable devices: aIR-Jumper (security cameras and infrared) [28]
smartphones, laptops, IoT devices, sensors, embedded Vibrations AiR-ViBeR (computer fan vibrations) [24]
systems and smart watches and other wearables devices.
The attacker can potentially hack such equipment to
receive the AIR-FI transmissions from air-gapped com- lines [42]. The data is modulated and conducted to the power
puters. lines and received by an adversary tapping the wires.
Several studies have proposed the use of optical emanations
The rest of this paper is organized as follows: Related work
from computers for covert communication. Loughry intro-
is presented in Section II. The attack model is discussed in
duced the use of keyboard LEDs [55]. Guri used the hard
Section III. Technical background on DDR SDRAM and Wi-
drive indicator LED [44], USB keyboard LEDs [41], router
Fi is provided in Section IV. Sections V and VI, respectively,
and switch LEDs [43], and security cameras and their IR LEDs
contain details on signal generation and modulation, and data
[28], in order to exfiltrate data from air-gapped computers.
transmission and reception. In Section VII we present the
Data can also be leaked optically through fast blinking images
evaluation and measurement results. A set of countermeasures
or low contrast bitmaps projected on the LCD screen [30].
is discussed in Section VIII, and we conclude in Section IX.
Hanspach [47] used inaudible sound to establish a covert
II. R ELATED W ORK channel between air-gapped laptops equipped with speakers
and microphones. Guri et al introduced Fansmitter [40], Disk-
Air-gap covert channels are classified into seven main cate- filtration [37], and CD-LEAK [25] malware which facilitates
gories: electromagnetic, magnetic, electric, acoustic, thermal, the exfiltration of data from an air-gapped computer via
optical and vibrational. noise intentionally generated from the PC fans, hard disk
Kuhn showed that it is possible to exploit the electromag- drives [37], and CD/DVD drives [25]. In these methods, the
netic emissions from the computer display unit to conceal transmitting computer does not need to be equipped with audio
data [51]. AirHopper, presented in 2014, is a new exfiltration hardware or an internal or external speaker. Researchers also
malware, capable of leaking data from air-gapped computers showed that the computer fans generate vibrations which can
to a nearby smartphone via FM radio waves emitted from be sensed by a nearby smartphone using the accelerometer
the screen cable [32], [34]. In 2015, Guri et al presented sensor [24]. Other papers presented malware that covertly turns
GSMem [31], malware that transmit data from air-gapped the speakers and earphones connected to a PC into a pair
computers to nearby mobile-phones using cellular frequencies. of eavesdropping microphones when a standard microphone
USBee is malware that uses the USB data buses to generate is muted, turned off, or not present [38] [39]. Recently,
electromagnetic signals [33]. researchers demonstrated how malware can turn the computer
In order to prevent electromagnetic leakage, Faraday cages power supply into out-of-band speaker in order to exfiltrate
can be used to shield sensitive systems. Guri et al presented information [26].
ODINI [46] and MAGNETO [27], two types of malware that Guri et al introduced BitWhisper [36] and HOTSPOT [23],
can exfiltrate data from Faraday-caged air-gapped computers thermal-based covert channels enabling bidirectional commu-
via magnetic fields generated by the computer’s CPU. With nication between air-gapped computers by hiding data in
MAGNETO the authors used the magnetic sensor integrated temperature changes. The heat which is generated by the
in smartphones to receive covert signals. CPU can be received by temperature sensors of computers
In 2019, researchers show how to leak data from air-gapped or smartphones, decoded, and sent to the attacker.
computers by modulating binary information on the power Table I summarizes the existing air-gap covert channels.
III. ATTACK M ODEL
A. Infecting the Air-Gapped Network
In a preliminary stage, the air-gapped network is infected
with an APT. In a typical APT kill chain, the attackers
research their targets and carefully plan the attacks [15]. After
defining the initial target, attackers might install malware on
the network via various infection vectors: supply chain attacks,
contaminated USB drives, social engineering techniques, or
by using malicious insiders or deceived employees. Note
that infecting air-gapped networks can be accomplished, as
demonstrated by the attacks involving Stuxnet [54], Agent.Btz
[22], and other malware [13], [6], [14]. At that point, the APT Fig. 1. illustration of the AIR-FI attack. Malware in the air-gapped computer
might exploit vulnerabilities to spread in the network in order (A) uses the DDR memory to generate signals in the 2.4 GHz Wi-Fi frequency
to strengthen its foothold. band. Binary information is modulated on top of the signals and received by
a nearby Wi-Fi receivers (e.g., laptop (B) and smartphone (C)).
B. Infecting Wi-Fi Devices
Memory
The attacker must infect Wi-Fi capable devices in the area modules (DDR)
of the air-gapped network. Such devices might be smartphones
of visitors or employees, desktop and laptop computers with
wireless networking, or IoT devices with Wi-Fi transceivers.
Since the devices use wireless networking they can be infected Data buses
through Wi-Fi. Compromising the devices can be done by Memory
exploiting vulnerabilities in the Wi-Fi hardware/software or …
controller
via flaws in the network protocols. Such attacks were demon- Addresses/
strated on smartphones [59], laptops with Wi-Fi network Processor
Commands
interface cards (NICs) [16], and a wide range of IoT devices
such as smart bulbs [57], smart locks [48], and more [58],
[56].
The compromised Wi-Fi capable devices are installed with Fig. 2. DDR SDRAM memory buses.
the receiver side of the malware. In most cases, the malicious
code will be executed within the kernel driver or the firmware
which drive the Wi-Fi hardware. The malware collects the Wi- the rising and falling edges of the memory bus clock. In
Fi signals, detects the covert AIR-FI transmission, decodes the DDR SDRAM the bus bandwidth is referred to in megabits
information, and sends it to the attacker over the Internet. per second. The bandwidth B is calculated by the formula
B = (f ∗ 2 ∗ l)/8, where f is the memory bus clock rate and l
C. Data Exfiltration is the width of the line transfer. Another important parameter
As a part of the exfiltration phase, the attacker might of memory modules is the Column Address Strobe (CAS)
collect data from the compromised computers. The data can latency, also known as the CL. This is the time delay between
be documents, key logging, credentials, encryption keys, etc. when the read command is delivered to the memory and the
Once the data is collected, the malware initiates the AIR-FI beginning of the data response.
covert channel. It encodes the data and transmits it to the
air (in the Wi-Fi band at 2.4 GHz) using the electromagnetic B. DDR Memory Bus
emissions generated from the DDR SDRAM buses. The attack Data is exchanged between the CPU and the memory
is illustrated in Figure 1. Malware in the air-gapped computer over dedicated buses (Figure 2). The memory buses maintain
(A) uses the memory to generate signals in the 2.4 GHz Wi-Fi two types of signals: (1) the address bus which transfers
frequency band. Binary information is modulated on top of the addresses and commands, and (2) the data bus (DQ bus) which
signals and received by a nearby Wi-Fi receivers (e.g., laptop transfers the actual data. The address bus sends commands and
(B) and smartphone (C)). instructions from the controller to the SDRAM. The bus is
IV. T ECHNICAL BACKGROUND synchronized to the clock (CLK) signals, with the signals on
the address bus being sampled by the SDRAMs on the rising
A. DDR SDRAM edge of the CLK signal.
The double data rate (DDR) synchronous dynamic random- The memory buses generate electromagnetic radiation at a
access memory (SDRAM) is the type of memory modules frequency correlated to its clock frequency and harmonics.
integrated into modern motherboards. The DDR technology For example, DDR4-2400 emits electromagnetic radiation at
doubles the bus bandwidth by transferring data on both around 2400 MHz.
TABLE II A. Electromagnetic Emission
L IST OF THE REGULATED W I -F I CHANNELS (802.11 B / G / N )
There are two types of electromagnetic emissions that
Range North emanate from memory buses.
Channel Center (MHz) Japan Others
(MHz) America • Persistent Emission. An electromagnetic emission con-
1 2412 2401-2423 Yes Yes Yes tinuously generated by the memory controller regardless
2 2417 2406-2428 Yes Yes Yes of the activity in the address/data buses. This radiation
3 2422 2411-2433 Yes Yes Yes
4 2427 2416-2438 Yes Yes Yes
spans the entire spectrum of the DDR SDRAM frequency
5 2432 2421-2443 Yes Yes Yes when the computer is turned on.
6 2437 2426-2448 Yes Yes Yes • Triggered Emission. An electromagnetic emission gen-
7 2442 2431-2453 Yes Yes Yes
8 2447 2436-2458 Yes Yes Yes
erated from the electronic activities (current flow) in the
9 2452 2441-2463 Yes Yes Yes data bus. This emission is correlated to the memory
10 2457 2446-2468 Yes Yes Yes read/write operations executed by processes currently
11 2462 2451-2473 Yes Yes Yes
12 2467 2456-2478 Canada only Yes Yes
running in the system.
13 2472 2461-2483 No Yes Yes
14 2484 2473-2495 No 11b only No B. Signal Generation
Based on the above observations, we used two techniques
to generate Wi-Fi signals from the an air-gapped computer.
C. Overclocking/Underclocking • Memory operations. We transfer data in the data bus to
generate an electromagnetic emission at the frequency of
The memory modules provide the BIOS/UEFI (Unified
the memory modules. Since the clock speed of memory
Extensible Firmware Interface) a set of frequencies that it can
modules is typically around the frequency of 2.4 GHz or
operate at. This information is defined according to the JEDEC
its harmonics, the memory operations generate electro-
(Joint Electron Device Engineering Council) specification, and
magnetic emissions around the IEEE 802.11b/g/n Wi-Fi
it is passed during the boot through a mechanism called
frequency bands.
Serial Presence Detect (SPD). Intel allows the standard timing
• Memory operations + clocking. When the operational
parameters of the installed memory to be changed via a spec-
frequency of the memory modules is not near the
ification called Extreme Memory Profile (XMP). With XMP
2.4 GHz frequency or its harmonics, we initially
the user can modify the parameters of the memory such as the
overclock/downclock the memory speed to the fre-
frequency and CAS latency. Changing the operating frequency
quency of Wi-Fi bands or its harmonics. The overlock-
of the memory modules is referred to as overclocking (for
ing/downclocking operation can be done programmati-
increasing the frequency) and underclocking/downclocking
cally or at the BIOS/UEFI configuration level. Following
(for decreasing the frequency).
the frequency adjustments, we perform the memory op-
eration schemes described above to generate emissions at
D. Wi-Fi Frequency Bands
the Wi-Fi frequency band. Note that malware which are
The IEEE 802.11 standard defines the frequency ranges capable of reconfiguring BIOS/UEFI were found in the
in the electromagnetic spectrum allowed for Wi-Fi commu- wild [10], [9].
nications. There are several versions of the 802.11 standard.
C. Channel Interference
These standards define factors, such as the frequency ranges,
bandwidths and distances. Today, most Wi-Fi chips support the The generated emission from the data bus interfere with
802.11b/g/n standards. The 802.11b/g/n standards are often the Wi-Fi channels. The interferences in the corresponding
referred to as the 2.4 GHz band. A range of 2.400 - 2.490 channel can be measured at the PHY layer of the 802.11
GHz is the most widely used and certified range available protocol stack. The operation is illustrated in figure 3. In this
for Wi-Fi. The standards define a total of 14 channels in the case the AIR-FI signals are generated at 2.44000 GHz. The
2.4 GHz band, but only 11 of these channels are allowed signal are interfering with channels 5-8.
in all countries. The first 11 channels have a space of 5 D. Modulation
MHz between them, and there is a space of 12 MHz between
channel 13 and 14. A common bandwidth of a Wi-Fi channel Algorithm 1 shows the signal modulation process using
is 20 MHz which means that signals of adjacent channels the memory operation technique using on-off keying (OOK)
may interfere with each other. Table II contains a list of modulation. The modulateRAM function receives the array
the regulated Wi-Fi channels supported by the 802.11b/g/n of bits to transmit (bits) and the bit time in milliseconds
standards. (bitTimeMillis). This function iterates over the bits and
according to the current bit, the algorithm determines the
V. T RANSMISSION operation to perform during a bit time period. If the bit is
’1’ (line 4) it performs a series of memory write operations
In this section we present the signal generation technique, which consists of sequential memory copying between two
data modulation, and data transmission protocol. arrays each the size of 1 MB size each (lines 6-7). This loop
Received Message Spectogram
Wi-Fi channels (2.4 GHz)
AIR-FI 30
2.42340 -
Channel 5
20
Frequency (Ghz)
Power (dB)
10
2.42336-
0
2.421 2.44000 2.443
GHz GHz GHz
-10
Fig. 3. AIR-FI channel interference.
2.42332-
-20
Synchronizing
Thread
0.5 1 1.5 2 2.5 3 3.5 4 4.5 5 5.5
Time (s)
Application
AIR-FI 1.2
Software
Malware
Operating
system 1
Network/transport/session
0.8
Value
0.6
2
hundred milliseconds it takes to scan the whole spectrum. This
1.5 mode is maintained by setting the chanscan value to the
1
spectral_scan_ctl control device. This mode can be
used by the attacker to search for a covert transmission if
0.5 the channel is unknown in advance.
0
2) Triggering mode: In this mode, the FFT information
2414 2416 2418 2420 2422 2424 2426 2428 2430 is returned for a specific Wi-Fi channel when the Wi-Fi is
Frequency
operating. This mode is maintained by setting the value of the
Fig. 7. The FFT measurements of Wi-Fi channel 3 as measured by the Atheros spectral_scan_ctl control device to manual and then
Wi-Fi receiver, with a transmission from the air-gapped computer. The signal initiating trigger commands. The scan samples are returned
can be seen in the 2424 MHz bin. continuously from the channel currently configured.
As seen in Figure 9, the triggering mode is considerably
faster than the scanning mode. The graph shows the number
A. Wi-Fi Chip PHY Layer of FFT frames received in the scanning and triggering modes
over a period of five seconds. The scanning mode can be
To access the radio and PHY layer data, we used the spectral used by malware to search the AIR-FI transmissions if the
analysis feature within Atheros 802.11n Wi-Fi chipsets. The operational frequency is unknown in advance. After detecting
Atheros chips (AR92xx and AR93xx) can report the data of a transmission, the malware can begin to operate in the
the raw FFT measurement data from the baseband processor to triggering mode to receive the actual data (Figure 10).
the software stack. The data consists of vector of FFT bins for
56 subcarriers of the 20 MHz bandwidth channels. The data C. Demodulation
includes the absolute magnitude (abs(i) + abs(q)) for each The pseudo code of the demodulator is presented in Algo-
bin, an index for the the strongest FFT bin, and the maximum rithm 2. We provide the implementation for a software defined
signal magnitude. radio (SDR) receiver.
Figures 7 and 8 show Wi-Fi channel 3 with and without a) Atheros Wi-Fi Chip: Note that the implementation
AIR-FI transmission, respectively. The 56 bins of FFT are for the Atheros Wi-Fi receiver is based on the same con-
measured by the Atheros Wi-Fi chipset and delivered to the cepts of the SDR code shown in Algorithm 2. However, the
application layer. As can be seen, with the AIR-FI transmis- Atheros implementation includes the extra steps of triggering
sion, the amount of energy in the 2.424 GHz frequency bin the spectral_scan_ctl device, and receiving, buffing,
is significantly higher than other bins in this channel with an decoding and parsing the FFT frames exposed by the Atheros
SNR value of 9 dB. chip. To simplicity the discussion and since we are not
Algorithm 2 demodulate(deviceAddress, freq, sampleRate,
bufferSize, bitTime, windowSize)
1000 Triggering 1: enabled ← F alse
Scanning
2: ctx ← setupContext(deviceAddress)
800
3: rxbuf ← setupRxBuf (ctx, f req, sampleRate, ←
.., buf f erSize)
600
FFT Frames
4:
5: while T rue do
400
6: rxbuf.ref ill()
7: buf f er = rxbuf.read()
200
8: windows = splitT oW indows(buf f er, windowSize)
9: for window in windows do
0
10: spectrum = welch(window)
0 1 2 3 4 5
Time(s) 11: sampleV alue ← spectrum[0]
12: sample ← [getCurrentT ime(), sampleV alue]
Fig. 9. The number of FFT frames received in the scanning and triggering 13: samples.append(sample)
modes.
14: end for
detect
15: if not enabled then
16: thresh, enabled ←
detectEnable(samples, bitT ime)
search 17: end if
Scans the
Wi-Fi
Channel 18: while enabled and enoughSamplesF orBit ←
sampling
channels (samples, bitT ime) do
19: bit ← samplesT oBit(samples, bitT ime, thresh)
Scanning mode Triggering mode 20: output(bit)
(all channels) (specific channel) 21: end while
Fig. 10. The transition between the scanning and triggering mode.
22: end while
TABLE IV
T HE WORKSTATIONS USED FOR THE EVALUATION
PC Hardware RAM OS
ASRock ATX DDR4 X99 Extreme4 Crucial 4 * 4GB DDR4 SRAM Ubuntu 18.04.1
WORKSTATION-1
CPU- Intel Core i7-6900K @ 3.2Ghz- 16 cores 2.4GHz RAM clock 4.15.0-72-generic
ASRock ATX DDR4 X99 Extreme4 SK Hynix 4 * 4GB DDR4 SRAM Ubuntu 18.04.1
WORKSTATION-2
CPU- Intel Core i7-6900K @ 3.2Ghz- 16 cores 2.4GHz RAM clock 4.15.0-72-generic
X99-UD4-CF Ubuntu 18.04.2
WORKSTATION-3 (overclocked) 4 * 4GB DIMM DDR3 2133MHz Micron
Intel Core i5-5820K 5.0.0-36-generic
H97M-D3H Ubuntu 18.04.1
WORKSTATION-4 (overclocked) 4 * 4GB DIMM DDR3 1600MHz Hynix
Intel Core i7-4790 4.15.0-72-generic
2423.810
2423.809 40
2423.808
Algorithm 3 detectEnable(samples, bitTime) 30
2423.807
1: enableSequence ← [1, 0, 1, 0, 1, 0, 1, 0]
2: samplesDuration ← getSamplesDuration(samples) Frequency (kHz)
2423.806
Power (dB)
20
5: return 0, F alse
2423.803
6: end if 0
2423.802
7:
8: calculatedCorr ← calculateSampleCorrelationT oBits ← 2423.801
-10
(samples, enableSequence, bitT ime) 2423.800
9: if calculatedCorr < CORR T HRESH then 2 4 6 8
Time (s)
10 12 14
2423.810
D. WORKSTATION-3 (2133 MHz overclocked)
40
2423.809
35 The signal generated by WORKSTATION-3 resides in the
2423.808
30 2402 MHz band which interferes with Wi-Fi channel 1.
2423.807
25 Table IX IX presents the BER results with
Frequency (kHz)
Power (dB)
2423.805 15 and Wi-Fi dongle as the receivers. In this case, a single core
2423.804
10 maintains the transmission. The workstation DRAM was
5 overclocked to 2.4 GHz to target the Wi-Fi frequency bands.
2423.803
0 With the SDR receiver we were able to maintain a BER of
2423.802
-5 0% for the entire range of 0 - 100 cm, with a bit rate of 100
2423.801 -10 bit/sec. With the Wi-Fi receiver in the scanning mode, we
2423.800 were able to maintain a BER of 0 - 0.15% for the range of 0
2 4 6 8 10 12 14
Time (s) - 100 cm, with a bit rate of 1 bit/sec.
Table X presents the BER results with WORKSTATION-3
Fig. 12. A transmission from WORKSTATION-2. as the transmitter and Wi-Fi dongle (triggering mode) as the
receiver. In this case, we were able to maintain a BER of 0
- 14.7% for the range of 0 - 300 cm, with a bit rate of 16
and triggering modes. In scanning mode we were able to bit/sec.
maintain BER of 0% for the entire distance range of 0 - 180
cm, with a bit rate of 1 bit/sec. In the triggering mode we E. WORKSTATION-4 (1600 MHz overclocked)
maintained a BER of 0 - 8.33% for the range of 0 - 210 cm, The signal generated by WORKSTATION-4 resides in the
with a bit rate of 10 bit/sec. 2402 MHz band which interferes with Wi-Fi channel 1.
Table XI presents the BER results with WORKSTATION-
C. WORKSTATION-2 (2.4 GHz) 4 as the transmitter and the SDR receiver and Wi-Fi dongle
as the receivers. In this case, a single core maintains the
Figure 12 presents the signal generated from transmission. With the SDR we were able to maintain a BER
WORKSTATION-2 with all cores participating in the of 0% for the entire range of 0 - 800 cm, with a bit rate of
transmission. A signal with a bandwidth of 1 kHz exists in 100 bit/sec. With the Wi-Fi dongle, we were able to maintain
the 2423.8045 - 2423.8055 MHz frequency range. In this a BER of 0 - 0.17% for the range of 0 - 800 cm, with a bit
case, the preamble sequence (10101010) can be seen at rate of 1 bit/sec.
the beginning of the transmission. The signal generated by
WORKSTATION-2 overlaps with channels 3,4, and 5. F. Channels
1) SDR: Table VII presents the SNR and BER results, We measured the SNR values of AIR-FI transmission in
respectively, with WORKSTATION-2 as the transmitter and 2.4 GHz Wi-Fi channels 1-11. Figure 13 shows the FFT
an SDR receiver as the receiver. In this case, we transmitted measurements of channels 1-11 as measured by the Atheros
the data at a bit rate of 100 bit/sec and were able to maintain a Wi-Fi receiver, with a transmission from WORKSTATION-1.
BER of 3.75% for a distance up to 210 cm from the transmit- The AIR-FI signals can be seen in different frequencies of the
ter. Note that due to the local ramifications and interference, channel. Table XII summarizes the SNR values measured in
the signal quality might vary with the distance and location of each case. The SNR values ranged from 4.5 dB in channel 5
the receiver. to 13 dB in channel 6.
2) Scanning & triggering modes: Table VIII presents the
BER results with WORKSTATION-2 as the transmitter and G. Virtual Machines (VMs)
a Wi-Fi dongle as the receiver in the scanning and triggering Virtualization technologies are commonly used in modern
modes. In the scanning mode, we were able to maintain a BER IT environments. One of their advantages is the isolation of
of 0% for the entire range of 0 - 270 cm, with a bit rate of hardware resources they enforce. Hypervisors/virtual machine
1 bit/sec. In the triggering mode, we were able to maintain a monitors (VMMs) provide a layer of abstraction between
BER of 0 - 4.16% for the range of 0 - 210 cm, with a bit rate the virtual machine and the physical hardware (CPU and
of 10 bit/sec. peripherals). Since the covert channel is closely related to the
TABLE VI
T HE BER MEASURED WITH WORKSTATION-1 (W I -F I RECEIVER )
TABLE VII
T HE SNR AND BER MEASURED WITH WORKSTATION-2 (SDR RECEIVER )
TABLE VIII
T HE BER MEASURED WITH WORKSTATION-2 (W I -F I RECEIVER )
TABLE IX
T HE BER MEASURED WITH WORKSTATION-3 (SDR AND W I -F I RECEIVERS )
Guest
physical
Guest Guest Extended Host
address
linear Page Page physical
address Tables Tables address
Channel 1 Channel 2 Channel 3
TABLE XI
T HE BER MEASURED WITH WORKSTATION-4 AND SDR/W I -F I RECEIVERS
Distance (cm) 0 100 200 300 400 500 600 700 800
BER (Pluto SDR) 0 0 0 0.05 0 0 0 0 0
BER (Wi-Fi dongle) 0.04% 0.09% 0.02% 0.06% 0.17% 0% 0.1% 0.08% 0%
TABLE XII
SNR VALUES OF AIR-FI TRANSMISSION IN CHANNELS 1-11
Channel 1 2 3 4 5 6 7 8 9 10 11
AIR-FI frequency (GHz) 2.411 2.414 2.421 2.428 2.432 2.436 2.442 2.446 2.452 2.454 2.461
SNR 5 dB 6 dB 11.5 dB 10 dB 4.5 dB 13 dB 8 dB 10 dB 8 dB 10 dB 10 dB
TABLE XIII
V IRTUALIZATION
60
the specific asset. In our case, Wi-Fi capable devices, such
Bare metal
VirtualBox
as smartphones, smartwatches, laptops, and so on, should be
58
VMware banned from the area of air-gapped systems.
56 B. Runtime Detection
The signal generation algorithm is based on memory oper-
Amplitude (dB)
54
ations which trigger the DDR SDRAM emissions. Host based
52
intrusion detection systems can monitor the activity of the
processes in the OS. In our case, a process that abnormally
50
performs memory transfer operations would be reported and
inspected.
48
A challenge to the runtime detection approach is that the
signal generation algorithm (presented in Section V) involves
46
bare memory operations such as memcpy(). Monitoring the
memory access instructions at runtime necessitates sandboxing
0 1 2 3 4 5 6 7 8 9 10 or debugging of the process, which severely degrades per-
Time (sec) formance [31] and can easily be bypassed by malware using
rootkit techniques [17]. In our case, the malware may inject
Fig. 15. AIR-FI signal generated on bare metal, VMware and VirtualBox.
a shellcode with a signal generation code into a legitimate,
trusted process to bypass the security products. To overcome
the evasion techniques, it is possible to employ solutions such
tion to protect against TEMPEST (Telecommunications Elec- as MemoryMonRWX, which is a bare metal hypervisor that
tronics Materials Protected from Emanating Spurious Trans- can track and trap all types of memory access: read, write, and
missions) threats and other types of radiated energy attacks. execute [50]. However, all these detection techniques would
In this approach, Wi-Fi transceivers are not allowed in certain likely suffer from high rates of false alarms, since many
classified areas. The NATO zoning procedure defines measures processes intensively use the memory for legitimate needs
in which areas within a secured perimeter are classified as (e.g., image processing, matrix calculations, etc.). Another
zone 0 to zone 3, depending on the safety requirements of approach is to use Wi-Fi monitoring hardware equipment in
2.4238 Ghz
this solution can be used in certain cases, it is impractical as
No Load
1 Core Load
a large-scale solution [12].
45 2 Core Load
4 Core Load
8 Core Load
IX. C ONCLUSION
40
In this paper, we demonstrated how attackers can exfiltrate
Power (dB)