A researcher at Ben Gurion University in Negev, Israel published a paper last Friday detailing a new technique of utilizing SATA communications to generate radio signals as a means of data exfiltration. This technique, dubbed SATAn, relies on other attacks to facilitate the initial compromise, as well as a second device to act as the receiver for the exfiltrated data.
The attack only requires read-write access to any device connected to the motherboard via SATA (hard disk drive, solid state drive, CD/DVD drive, etc.) and access to the data being exfiltrated. The malicious software then executes a series of reads and writes to generate a pattern of electromagnetic field that is interpreted as a radio signal on the 6GHz spectrum by a receiver as far as one meter away.
This attack requires a targeted staging and attack vector, but ultimately it highlights the importance of physical security and how critical it is to maintain secure operations, even on air-gapped networks. Companies should heavily restrict access to the physical location of air-gapped networks and should document access whenever granted. Additionally, companies can establish a baseline of normal electromagnetic frequencies in highly sensitive areas and regularly test against that baseline, as well as routinely inspect server racks for unknown devices.
Companies should also utilize application allow-lists to prevent unauthorized applications from running on air-gapped machines and integrate and monitor IDS systems into their air-gapped network, which should be monitored regularly. Depending on risk appetite, monitoring an environment may be more important than maintaining a network’s air-gapped status. Companies may want to consider establishing a “data diode” of one-way log shipping (via UDP) to a log aggregator outside the network; this would require heavy restrictions via access control lists (which should be logged and monitored).