Ethernet cables are being used in a newfound data exfiltration mechanism against air-gapped systems

October 21, 2021
Ethernet cables data exfiltration air gapped systems malware

The latest research has found a new data exfiltration mechanism that utilizes Ethernet cables as a transmitting antenna tool in siphoning sensitive data furtively from air-gapped systems. A security analyst stated that it is an interesting concern how the wires that are supposed to protect air-gap systems become the cause of vulnerability in attacks. 

This new data exfiltration mechanism called “LANtenna Attack” allows malicious codes found in air-gapped devices to accumulate sensitive information. Then, it will encode the accumulated data through radio waves derived from ethernet cables, like how antennas work. A nearby software-defined radio or SDR receiver will then intercept the transmitted signals wirelessly. The data will be decoded and then sent to a threat actor located in a nearby room. 

From a paper entitled “LANTENNA: Exfiltrating Data from Air-Gapped Networks via Ethernet Cables,” researchers highlighted how the malicious code could easily run in an ordinary user-mode process and function using a virtual machine. 

Originally designed as a network security measure, air-gapped networks minimize information leakage risks and other cybersecurity threats by ensuring that computer devices involved in the process are all physically isolated from other networks like the internet or a LAN. 

 

Aside from data exfiltration mechanism using ethernet cables, security researchers demonstrated other alternative ways of leaking sensitive data from air-gapped computers. 

 

Security researchers have demonstrated different ways of leaking sensitive data from air-gapped computers, such as a method devised in February 2020. This method involves a small change in LCD screen brightness, while still visibly clear, to modulate binary information patterns similar to morse code stealthily. 

Another example called the “POWER-SUPPLaY” attack includes a process of how malware can take advantage of a computer’s power supply unit (PSU) to play sounds and utilize it as a secondary out-of-band speaker to leak data. 

One more example is a method called the “AIR-FI” attack, where Wi-Fi signals are exploited as a covert channel to exfiltrate sensitive data without the need to dedicate any Wi-Fi hardware to its targeted systems. 

With the LANtenna attack, malware found in the air-gapped workstation is being used to stimulate ethernet cables to produce electromagnetic emissions in the 15MHz frequency bands. Then, it will be modulated and intercepted by a radio receiver located closely. Ethernet cables can receive data transmitted through an air-gapped computer with a distance of 200cm apart, as per a proof-of-concept demo. 

Security researchers suggest the omission of using radio receivers all around air-gapped networks to countermeasure the possibility of a LANtenna attack. They also added the need to monitor the network interface card link-layer activity against any hidden channel. Jamming the signals and using a metal shield to regulate electromagnetic fields from intruding with or stemming from the shielded wires is also recommended. 

About the author

Leave a Reply