A newly discovered data exfiltration mechanism employs Ethernet
cables as a “transmitting antenna” to stealthily siphon
highly-sensitive data from air-gapped systems, according to the
latest research.

“It’s interesting that the wires that came to protect the
air-gap become the vulnerability of the air gap in this attack,”
Dr. Mordechai Guri, the head of R&D in the Cyber Security
Research Center in the Ben Gurion University of the Negev in
Israel, told The Hacker News.

Dubbed “LANtenna Attack,” the novel technique enables
malicious code in air-gapped computers to amass sensitive data and
then encode it over radio waves emanating from Ethernet cables, just
as if the cables were antennas. The transmitted signals can then be
intercepted wirelessly by a nearby software-defined radio (SDR)
receiver, decoded, and sent to an attacker in an adjacent room.

“Notably, the malicious code can run in an ordinary user-mode
process and successfully operate from within a virtual machine,”
the researchers noted in an accompanying paper[1] titled “LANTENNA:
Exfiltrating Data from Air-Gapped Networks via Ethernet
Cables.”


Air-gapped networks are designed as a network security measure
to minimize the risk of information leakage and other cyber threats
by ensuring that one or more computers are physically isolated from
other networks, such as the internet or a local area network. They
are usually wired since machines that are part of such networks
have their wireless network interfaces permanently disabled or
physically removed.

This is far from the first time Dr. Guri has demonstrated
unconventional ways to leak sensitive data from air-gapped
computers. In February 2020, the security researcher devised[2]
a method that employs small changes in LCD screen brightness,
invisible to the naked eye, to covertly modulate binary information
in Morse-code-like patterns.

Then in May 2020, Dr. Guri showed how malware could exploit a
computer’s power supply unit (PSU) to play sounds and use it as an
out-of-band, secondary speaker to leak data in an attack called
POWER-SUPPLaY[3].

Lastly, in December 2020, the researcher showed off “AIR-FI[4],” an attack that
leverages Wi-Fi signals as a covert channel without requiring the
presence of Wi-Fi hardware on the targeted systems.


The LANtenna attack is no different: the malware on the air-gapped
workstation induces the Ethernet cable to generate electromagnetic
emissions in the 125 MHz frequency band, which are then modulated
and intercepted by a nearby radio receiver. In a proof-of-concept
demo, data transmitted from an air-gapped computer through its
Ethernet cable was received at a distance of 200 cm.

As countermeasures, the researchers propose prohibiting the use
of radio receivers in and around air-gapped networks, monitoring
the network interface card’s link-layer activity for any covert
channel, jamming the signals, and using metal shielding to limit
electromagnetic fields from interfering with or emanating from the
shielded wires.
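Added example (not from the article or from the researchers’ work): a toy implementation of the link-layer monitoring countermeasure mentioned above. It samples a NIC’s transmit counter at a fixed interval (the 100 ms sampling rate, the byte threshold and the sample layout are assumptions) and flags traffic that toggles between busy and idle at one constant period, the timing signature a modulated covert transmission would leave behind and that ordinary bursty traffic lacks.

```python
from itertools import groupby

SAMPLE_PERIOD_S = 0.1   # assumed: NIC tx counter is sampled every 100 ms
BUSY_BYTES = 50_000     # assumed: an interval with at least this many bytes is "busy"

def runs(samples, busy_bytes=BUSY_BYTES):
    """Collapse (timestamp, tx_bytes) samples into (busy, run_length) pairs."""
    flags = [tx >= busy_bytes for _, tx in samples]
    return [(busy, sum(1 for _ in grp)) for busy, grp in groupby(flags)]

def looks_keyed(samples, min_runs=6, min_unit=2, tolerance=0.25):
    """Heuristic detector. Flags traffic whose busy/idle runs are all close
    to integer multiples of one base length (a bit period), with enough
    runs to make chance unlikely. Returns (flagged, bit_period_seconds)."""
    r = runs(samples)
    if len(r) < min_runs:
        return False, None
    lengths = [n for _, n in r[1:-1]]   # drop edge runs; they may be truncated
    unit = min(lengths)
    if unit < min_unit:                 # single-sample runs: ordinary burstiness
        return False, None
    for n in lengths:
        if abs(n - round(n / unit) * unit) > tolerance * unit:
            return False, None
    return True, unit * SAMPLE_PERIOD_S

def keyed_samples(bits, bit_period_s=0.5):
    """Constructed input only: busy intervals for 1 bits, idle for 0 bits."""
    per_bit = round(bit_period_s / SAMPLE_PERIOD_S)
    return [((i * per_bit + j) * SAMPLE_PERIOD_S, 120_000 if bit else 800)
            for i, bit in enumerate(bits) for j in range(per_bit)]

# Constructed "normal" traffic: irregular bursts, no common period.
NORMAL = [(i * SAMPLE_PERIOD_S, tx) for i, tx in enumerate(
    [900, 70_000, 1_200, 3_000, 80_000, 65_000, 90_000, 500, 2_000,
     1_100, 75_000, 400, 300, 100_000, 60_000, 52_000, 700, 2_500])]
# Constructed covert pattern: 14 bits keyed at a 0.5 s bit period.
COVERT = keyed_samples([1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 1, 0])

if __name__ == "__main__":
    for name, data in (("normal", NORMAL), ("covert", COVERT)):
        flagged, period = looks_keyed(data)
        print(f"{name}: flagged={flagged} estimated_bit_period={period}")
```

In practice the counter samples would come from the NIC’s statistics rather than the constructed lists, and the thresholds would be tuned against the baseline traffic of the isolated segment.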

“This paper shows that attackers can exploit the Ethernet cables
to exfiltrate data from air-gapped networks,” the researchers said
in the paper. “Malware installed in a secured workstation, laptop,
or embedded device can invoke various network activities that
generate electromagnetic emissions from Ethernet cables.”

“Dedicated and expensive antennas yield better distance and
could reach tens of meters with some cables,” Dr. Guri added.

References

  1. paper (arxiv.org)
  2. devised (thehackernews.com)
  3. POWER-SUPPLaY (thehackernews.com)
  4. AIR-FI (thehackernews.com)
