SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables

TL;DR

This paper demonstrates a novel air-gap exfiltration attack using SATA cables as antennas to wirelessly transmit sensitive data at 6 GHz, even from virtual machines and user mode, highlighting a significant security vulnerability.

Contribution

It introduces a new attack method exploiting SATA cables as radio antennas for wireless data exfiltration from air-gapped systems, with detailed implementation and evaluation.

Findings

Attack works from user mode and inside VMs.

Effective at transmitting sensitive data wirelessly.

Can operate alongside other workloads without detection.

Abstract

This paper introduces a new type of attack on isolated, air-gapped workstations. Although air-gap computers have no wireless connectivity, we show that attackers can use the SATA cable as a wireless antenna to transfer radio signals at the 6 GHz frequency band. The Serial ATA (SATA) is a bus interface widely used in modern computers and connects the host bus to mass storage devices such as hard disk drives, optical drives, and solid-state drives. The prevalence of the SATA interface makes this attack highly available to attackers in a wide range of computer systems and IT environments. We discuss related work on this topic and provide technical background. We show the design of the transmitter and receiver and present the implementation of these components. We also demonstrate the attack on different computers and provide the evaluation. The results show that attackers can use the SATA cable to transfer a brief amount of sensitive information from highly secured, air-gap computers wirelessly to a nearby receiver. Furthermore, we show that the attack can operate from user mode, is effective even from inside a Virtual Machine (VM), and can successfully work with other running workloads in the background. Finally, we discuss defense and mitigation techniques for this new air-gap attack.