Newly published research describes a data exfiltration mechanism that uses Ethernet cables as transmitting antennas to covertly siphon sensitive data from air-gapped systems. A security analyst remarked on the irony that the very wires meant to keep air-gapped systems isolated become the vector of the attack.
The mechanism, dubbed the “LANtenna Attack”, lets malicious code running on an air-gapped device collect sensitive information and encode it onto radio waves emitted by the Ethernet cables, which behave like antennas. A nearby software-defined radio (SDR) receiver intercepts the transmitted signals wirelessly; the data is then decoded and passed to a threat actor located in a nearby room.
In the paper “LANTENNA: Exfiltrating Data from Air-Gapped Networks via Ethernet Cables,” the researchers point out that the malicious code can run in an ordinary user-mode process and still functions from inside a virtual machine.
Air-gapped networks are a security measure that reduces the risk of information leakage and other cyber threats by keeping every computer involved physically isolated from other networks, such as the internet or a LAN.
Beyond the Ethernet-cable channel, security researchers have demonstrated other ways of leaking sensitive data from air-gapped computers. One method, devised in February 2020, makes small changes to LCD screen brightness, small enough that the display still looks normal, to modulate binary data in a pattern similar to Morse code.
Another, the “POWER-SUPPLaY” attack, shows how malware can make a computer’s power supply unit (PSU) emit sounds, turning it into a secondary out-of-band speaker for leaking data.
A third, the “AIR-FI” attack, uses Wi-Fi-band signals as a covert channel to exfiltrate sensitive data without requiring any Wi-Fi hardware on the targeted systems.
In the LANtenna attack, malware on the air-gapped workstation drives the Ethernet cable to produce electromagnetic emissions in the 15 MHz frequency band, modulates data onto them, and a radio receiver placed nearby intercepts the signal. In the proof-of-concept demo, data transmitted from an air-gapped computer was received at a distance of 200 cm.
As countermeasures, the researchers suggest banning radio receivers in and around air-gapped networks, monitoring network interface card link-layer activity for signs of a covert channel, jamming the signals, and using metal shielding to keep electromagnetic fields from entering or leaving the shielded wires.
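As an added illustration of the link-layer monitoring countermeasure (this is not code from the article or from the paper), the Python below scans constructed dmesg-style link events and flags any interface whose link state or negotiated speed changes in a dense burst. The log line format and the assumption that a covert channel would show up as rapid, repeated link re-negotiation are assumptions of this example, not statements from the article.

```python
import re
from collections import defaultdict, deque

# Constructed, dmesg-like link-layer events (not captured from a real host).
# Format assumed here: "<seconds since boot> <interface>: link <up|down> [<speed>]"
SAMPLE_LOG = """\
12.001 eth0: link up 1000Mbps
900.500 eth1: link down
901.200 eth1: link up 1000Mbps
1200.000 eth0: link up 100Mbps
1200.250 eth0: link up 1000Mbps
1200.500 eth0: link up 100Mbps
1200.750 eth0: link up 1000Mbps
1201.000 eth0: link up 100Mbps
1201.250 eth0: link up 1000Mbps
1201.500 eth0: link up 100Mbps
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<iface>\S+): link (?P<state>up|down)(?: (?P<speed>\S+))?$"
)


def parse_events(text):
    """Parse log lines into (timestamp, interface, state_label) tuples.
    A speed change is treated as a distinct state, since re-negotiating the
    link alters what the cable radiates just as a full down/up does."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated kernel message
        label = "down" if m["state"] == "down" else f"up:{m['speed']}"
        events.append((float(m["ts"]), m["iface"], label))
    return events


def find_toggle_bursts(events, window=2.0, threshold=4):
    """Return {iface: burst_start_ts} for interfaces with more than `threshold`
    link-state changes inside any `window` seconds. A cabling fault or a reboot
    yields isolated changes; modulated data yields dense, regular bursts."""
    recent = defaultdict(deque)  # per-interface timestamps of recent changes
    last_state, flagged = {}, {}
    for ts, iface, state in events:
        if last_state.get(iface) == state:
            continue  # repeated message, not a state change
        last_state[iface] = state
        q = recent[iface]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop changes that fell out of the sliding window
        if len(q) > threshold and iface not in flagged:
            flagged[iface] = q[0]
    return flagged
```

Tune `window` and `threshold` to the normal churn of the monitored hosts; a genuine cable fault usually shows up as a handful of isolated transitions rather than a sustained burst.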