"SATAn" — A New Way to Exfiltrate Data from Air-Gapped PCs using SATA cables

SATAn - a new type of attack on air-gapped computers.

Security researchers at the Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev, Israel, have discovered a new cyber-attack technique named “SATAn”.

The SATAn method steals data from air-gapped systems by using the SATA cable as a wireless antenna, transmitting information from a compromised PC to a nearby receiver.

The researchers describe their findings on SATAn as follows:

Although air-gap computers have no wireless connectivity, we show that attackers can use the SATA cable as a wireless antenna to transfer radio signals at the 6 GHz frequency band. The Serial ATA (SATA) is a bus interface widely used in modern computers and connects the host bus to mass storage devices such as hard disk drives, optical drives, and solid-state drives. The prevalence of the SATA interface makes this attack highly available to attackers in a wide range of computer systems and IT environments.

[...]

Our experiments show that the SATA 3.0 cables emit electromagnetic emissions in various frequency bands; 1 GHz, 2.5 GHz, 3.9 GHz, and +6 GHz. However, the most significant correlation with the data transmission spans from 5.9995 GHz to 5.9996 GHz. The idea behind the covert channel is to use the SATA cable as an antenna and control the electromagnetic emission.

[...] The results show that attackers can use the SATA cable to transfer a brief amount of sensitive information from highly secured, air-gap computers wirelessly to a nearby receiver.

Furthermore, the researchers noted that read operations on SATA produce stronger signals than write operations. This also makes the attack easier to carry out, as writing often requires more privileges.

The results show that read operations yield a signal that is, on average, 3 dB stronger than that of write operations.

Notably, read operations may require lower permissions than write operations. For example, an application may be permitted to read data or configuration files but might be restricted in writing to them.

Researchers show that attackers can exploit the SATA cable as an antenna to transfer radio signals in the 6 GHz frequency band by using non-privileged read() and write() operations. Notably, the SATA interface is highly available to attackers in many computers, devices, and networking environments.

You can find the full details on SATAn at this link [PDF].
