New side-channel attack turns SATA cables into radio transmitters

Thankfully, for the average user, it poses about as much threat as a hacker manually tapping out Morse code.

Francis Scialabba


A new form of side-channel attack can use hard drive cables to turn a computer into the digital equivalent of a numbers station, according to research published in July by Mordechai Guri of Ben-Gurion University of the Negev, Israel.

Side channels are potential information pathways indirectly generated by the operation of a computer system—everything from the sounds of keyboards and internal components to leaking electromagnetic radiation and power-monitoring data. Creative attackers can exploit these side channels to exfiltrate information from a system they can’t otherwise access directly, such as air-gapped networks that do not directly communicate with external systems.

One method of side-channel attack is to turn existing computer hardware into a transmitter. For example, in 2020, security firm Duo manipulated the clock rates of Radeon graphics cards to turn GPUs into radios capable of transmitting up to 50 feet away. Guri’s method, dubbed “SATAn,” converts the ubiquitous SATA cable into a radio antenna operating in the 6 GHz frequency band. A system thus subverted is capable of transmitting at 1 bit per second over a distance of approximately one meter.

But, it’s pretty niche. No hardware modifications are required; the SATAn exploit uses shellcode to manipulate file system activity, generating a radio signal via the electromagnetic leakage from the SATA cable. Placing it on an air-gapped system, Guri wrote, might require advanced techniques such as “supply chain attacks, removable media attacks, malicious insiders, and deceived employees to breach the network.”

Then the attacker would need a way to place a receiver close by. Guri’s method was a USB software-defined radio plugged into a laptop—a pretty specific piece of equipment to plop down near a secure system—but as he noted in the paper, “a hardware receiver might be hidden or implanted” in any number of devices, like servers.

This is a lot of hoops to jump through. At 1 bit per second, SATAn is also very, very slow. Malware like keyloggers, though, could be used to identify the tiny bits of data that the attacker is actually after in the first place. (Guri chose to transmit the word “SECRET” as a proof of concept, though one could theoretically transmit a 1.2 MB file of the text of Moby Dick in roughly 111 days.)

“This is [a] narrow-bandwidth covert channel, it means that the attacker can exfiltrate brief data such as keyloggings, encryption keys, passwords, texts, credentials, biometric informations, personal info, and so on,” Guri wrote to IT Brew via email. “It could theoretically be increased, but not majorly.”

SATAn has a number of advantages that might, in the right circumstances, offset its limitations. SATA interfaces are found virtually everywhere, and the read/write operations used to generate the SATAn signal are “very challenging” for security software to flag as suspicious, Guri told IT Brew. The signal is also clear in the absence of special shielding.

“Due to our tests, there is [not a lot] of interference at 6 GHz, so the signal is of good quality,” he added. “We also measured interferences from internal working processes in the computer, and most of them don’t interfere with the covert channel.”

Begone, SATAn! For the average enterprise or home user, SATAn is nothing more than a curiosity. But for anyone who feels the need to defend against Guri’s method, the paper lists a few countermeasures—such as using multiple layers of network security to detect the initial malware installation, an external RF monitoring system to flag anomalies, a dedicated driver to monitor read/write operations, and signal jamming. Guri also suggested that another obvious solution would be to ban random radio receivers in secure areas.

“This could be considered a physical security issue,” Guri wrote to IT Brew. “For example, one mitigation would be to prohibit RF receivers in the area of the computer.”—TM
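One of the countermeasures the article lists is a dedicated driver that monitors read/write operations. The script below is an added illustration of what such a monitor could look for; it is not code from IT Brew or from Guri’s paper. It takes a constructed per-process I/O log and scores each process on whether its per-second disk throughput looks on/off-keyed: slots that sit either near the process’s peak or near zero, almost never in between, toggling between the two states many times. The log format, the process IDs (4242 and 77), the thresholds and the sample byte counts are all assumptions made for the example, not figures from the paper.

```python
"""Heuristic detector for on/off-keyed disk I/O (added example, not from the article or paper).

The article says the SATAn signal is produced by file-system read/write
activity and lists "a dedicated driver to monitor read/write operations"
as a countermeasure.  This offline version of that idea bins a process's
I/O into one-second slots and checks for a two-level (saturated/idle)
pattern that ordinary workloads rarely show.  Thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IOEvent:
    ts: float      # seconds since monitoring started (constructed log)
    pid: int       # process that issued the I/O
    nbytes: int    # bytes read or written in this event


def bytes_per_slot(events, pid, slot_s=1.0):
    """Sum the bytes moved by `pid` into consecutive `slot_s`-second slots."""
    if not events:
        return []
    end = max(e.ts for e in events)
    slots = [0] * (int(end // slot_s) + 1)
    for e in events:
        if e.pid == pid:
            slots[int(e.ts // slot_s)] += e.nbytes
    return slots


def ook_score(slots, min_peak=16 * 1024 * 1024, min_toggles=6, max_intermediate=0.1):
    """Return (is_suspicious, toggles, intermediate_fraction) for one process.

    A slot counts as "high" at >= 80% of the process's peak slot, "low" at
    <= 20%, and "intermediate" otherwise.  Two-level keying leaves almost no
    intermediate slots and flips between high and low many times; a busy but
    ordinary process spreads its slots across the whole range instead.
    """
    peak = max(slots, default=0)
    if peak < min_peak or len(slots) < min_toggles:
        return False, 0, 1.0
    states, intermediate = [], 0
    for b in slots:
        frac = b / peak
        if frac >= 0.8:
            states.append(1)
        elif frac <= 0.2:
            states.append(0)
        else:
            intermediate += 1
    toggles = sum(1 for a, b in zip(states, states[1:]) if a != b)
    inter_frac = intermediate / len(slots)
    suspicious = toggles >= min_toggles and inter_frac < max_intermediate
    return suspicious, toggles, inter_frac


def flag_processes(events, **kw):
    """PIDs whose I/O pattern trips the heuristic, sorted."""
    return sorted(pid for pid in {e.pid for e in events}
                  if ook_score(bytes_per_slot(events, pid), **kw)[0])


def build_sample_log():
    """Constructed log: pid 4242 keys an arbitrary 32-bit pattern onto writes
    (eight 8 MiB writes in a '1' second, nothing in a '0' second); pid 77 is a
    steady backup-like workload whose per-second volume ramps 3..24 MiB."""
    bits = "01101001100101101001011001101001"   # arbitrary constructed pattern
    events = []
    for sec, bit in enumerate(bits):
        if bit == "1":
            for k in range(8):
                events.append(IOEvent(sec + k * 0.1, 4242, 8 * 1024 * 1024))
    for sec in range(len(bits)):
        events.append(IOEvent(sec + 0.5, 77, ((sec % 8) + 1) * 3 * 1024 * 1024))
    return events


if __name__ == "__main__":
    log = build_sample_log()
    for pid in sorted({e.pid for e in log}):
        print(pid, ook_score(bytes_per_slot(log, pid)))
    print("flagged:", flag_processes(log))
```

Note that the benign process in the sample also toggles more than six times between its lowest and highest slots; it escapes the heuristic only because most of its slots are intermediate. That is the point of scoring on the shape of the distribution rather than on toggle count alone, and in a real deployment the thresholds would need tuning against the site’s normal workloads to keep false positives down.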

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.
