Devilish SATAn Hack Turns Drive Cable Into Radio Transmitter To Steal Data


A hard drive, disassembled

(Image credit: Photo by Ivo Brasil of Pexels)

Researchers today revealed a new ‘SATAn’ attack that can turn a SATA cable into a radio transmitter, allowing a hacker to exfiltrate data from a system that is not connected to a network and transmit it to a receiver 1 meter away – all without physically modifying the SATA cable or hardware. The software technique can work from user space or through a virtual machine (VM).

The ubiquitous SATA connection is used in billions of devices worldwide to connect hard drives and SSDs inside a PC, making it the perfect target for hackers looking for a sophisticated attack with a large footprint.

Some of the most sensitive data on the planet is stored in isolated systems. These systems are completely cut off from any connection to the outside world, such as a network or the Internet, and they have no hardware capable of communicating wirelessly, such as Bluetooth or Wi-Fi hardware. Stealing data from them therefore takes ultra-sophisticated techniques. Researcher Mordechai Guri from the University of the Negev, Israel, has accomplished the feat by converting a standard SATA cable into a radio transmitter, but without making any physical changes to the hardware.

As with all computer interfaces, the SATA bus generates electromagnetic interference during normal operation and, if used correctly, this interference can be manipulated and then used to transmit data. In this case, the researcher used the SATA cable as a wireless antenna that operated on the 6 GHz frequency band, transmitting a short message to a nearby laptop. This attack can be used in concert with keyloggers to steal passwords or other sensitive data. Likewise, attackers can use other mechanisms to steal important data, such as files and images.

Naturally, the attacker would first have to install malware on the targeted machine, but as we have seen with Stuxnet and other attacks, USB devices containing malicious code can spread malware inside protected systems. Otherwise, the attacker would need physical access to install the attack payload.

Once installed, the malware first encodes the data to be stolen. Then it performs certain types of file system access, such as reads and writes, in a controlled manner to generate a signal on the cable. While either read or write operations can create the correct signals, the researcher notes that read operations generally do not require higher system-level permissions and generate stronger signals (up to 3 dB) than write operations. The researchers also noted that background operations that drive other traffic to the storage device are generally fine. However, intense drive activity can interfere with transmissions, so it is best to pause or stop the transmission when intense background activity occurs.

The attacker can then receive the signal from a nearby device, but the range is limited. In this case, the receiver must be within 1 m of the transmitter due to the increased bit error rates associated with longer distances. The receiving device, in this case a laptop computer, uses a software-defined radio (SDR) receiver to receive the signal.

These types of attacks aren’t new – researchers have previously demonstrated manipulating the clock rates of an AMD Radeon graphics card to create a radio transmitter whose signal an attacker could receive through a wall 50 feet away – but they are becoming increasingly sophisticated as researchers discover new interfaces to exploit.

There are several ways to mitigate these types of attacks, but they are not foolproof. The paper suggests that the first line of defense is to implement policies that prevent initial penetration, as well as other tactics, such as banning radio receivers from the secure facility. Of course, spies can also use their own monitoring hardware to detect if nefarious transmissions are in progress, or install software on secure machines that monitors for abnormal file usage, such as strange read and write activity in temporary files. However, these are generally low-yield detection methods because transmissions and drive activity are easy to conceal.
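
A sketch of the host-side monitoring idea mentioned above, as an added example that is not from the paper or the article: it scans file-read audit records for a process that re-reads the same temporary file in many short bursts. The record layout, directory list and thresholds are assumptions, and all sample events are constructed.

```python
from collections import defaultdict

# All values below are assumptions to tune per host, not figures from the paper.
TEMP_DIRS = ("/tmp/", "/var/tmp/")  # where scratch files are expected to live
GAP_S = 0.05       # idle time that separates one read burst from the next
MIN_BURSTS = 8     # distinct bursts on one file before it looks deliberate
MIN_REREAD = 5.0   # bytes read divided by the file extent actually touched

def suspicious_readers(events):
    """events: iterable of (ts_seconds, pid, op, path, offset, nbytes),
    a hypothetical record layout for whatever file auditing the host has.
    Returns {(pid, path): (bursts, reread_ratio)} for flagged pairs."""
    per_key = defaultdict(list)
    for ts, pid, op, path, off, n in events:
        if op == "read" and path.startswith(TEMP_DIRS):
            per_key[(pid, path)].append((ts, off, n))
    flagged = {}
    for key, reads in per_key.items():
        reads.sort()
        total = sum(n for _, _, n in reads)
        extent = max(off + n for _, off, n in reads)
        # A new burst starts whenever the gap to the previous read exceeds GAP_S.
        bursts = 1 + sum(1 for a, b in zip(reads, reads[1:]) if b[0] - a[0] > GAP_S)
        ratio = total / extent
        # Many bursts alone is a log follower; heavy re-reading alone is a hot
        # file. Both together on a temp file is the pattern worth a look.
        if bursts >= MIN_BURSTS and ratio >= MIN_REREAD:
            flagged[key] = (bursts, round(ratio, 1))
    return flagged

def sample_events():
    """Constructed audit records: one bursty re-reader and two benign readers."""
    ev = []
    for burst in range(10):            # pid 4242: 10 bursts over the same 20 KiB
        for i in range(5):
            ev.append((burst * 0.2 + i * 0.001, 4242, "read",
                       "/tmp/scratch.bin", i * 4096, 4096))
    for i in range(10):                # pid 100: one sequential pass, one burst
        ev.append((5.0 + i * 0.001, 100, "read", "/tmp/build.log", i * 4096, 4096))
    for i in range(10):                # pid 200: log follower, never re-reads
        ev.append((i * 0.5, 200, "read", "/var/tmp/app.log", i * 4096, 4096))
    return ev

if __name__ == "__main__":
    for (pid, path), (bursts, ratio) in suspicious_readers(sample_events()).items():
        print(f"pid {pid} re-read {path}: {bursts} bursts, {ratio}x its extent")
```

As the article notes, this kind of monitoring is low-yield on its own, so a hit is a lead for investigation rather than proof of a transmission.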

Naturally, the most direct method of protection would be to add additional electromagnetic shielding to the SATA cable or to the PC case. But then again, maybe the complexity of the attack itself is the best protection for us normal people. Building the receiver is surprisingly simple, but developing the required software and coding techniques would require a high level of sophistication, meaning these types of attacks are most likely relegated to nation states engaging in espionage. This means that the average user has nothing to worry about unless they have nuclear launch codes stored on their system.

