New research: how to steal data from air-gapped devices by using an Ethernet cable as an antenna, with no Internet connection

Research published by Ben-Gurion University in Israel describes a new mechanism for stealthily extracting data from air-gapped systems: the Ethernet cables already present in these environments are turned into transmitting antennas. As some readers will know, an air-gapped system is kept physically isolated from the rest of the computer network precisely to protect confidential information and minimize the risk of data leaking out.

The method, dubbed the "LANtenna Attack", lets malicious code running inside the air-gapped environment collect confidential data and encode it onto the electromagnetic emissions that an Ethernet cable naturally radiates. The transmitted signal can then be picked up wirelessly by a nearby, attacker-controlled software-defined radio (SDR) receiver.

According to Dr. Mordechai Guri, who led the research, the malicious code needs no special privileges: it can run as an ordinary user-mode process, and it still works from inside a virtual machine. Dr. Guri and his team have extensive experience in finding covert channels out of air-gapped systems; in 2020, the team detailed a data-extraction method based on small changes in the brightness of an LCD screen, invisible to the naked eye but recordable by a camera, which encode the data much like a Morse signal.

In the LANtenna Attack, the malware causes the Ethernet cable to radiate electromagnetic emissions around 125 MHz and modulates the stolen data onto them by controlling the cable's activity (in the published experiments, by toggling the link speed or sending bursts of packets); a nearby receiver demodulates the signal. In their tests, the researchers intercepted the emissions at a distance of up to 2 meters, so the attack necessarily requires a threat actor (or a planted receiver) close to the target.
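The modulation described above, as an added example written for this page (not code from the research team): a software model of an on/off-keyed covert channel of the LANtenna kind. The transmitter only decides, once per symbol period, whether the cable is driven "busy" or "idle"; here that decision is turned directly into the energy level a receiver would sample near 125 MHz, with noise added, so the whole link runs offline. The receiver synchronizes on a preamble, derives its decision threshold from the captured samples, slices each symbol by majority vote, and validates a checksum. The preamble, frame layout, samples-per-symbol and energy levels are assumptions chosen for illustration, not values from the paper.

```python
"""Software model of an on/off-keyed covert channel over Ethernet-cable emissions.

Transmit side: data -> frame of symbols (1 = drive the cable busy, 0 = idle).
Channel:       one sampled energy level per receiver sample, plus Gaussian noise.
Receive side:  threshold, preamble correlation, majority-vote slicing, checksum.
All parameters below are assumptions for illustration.
"""
import random

SAMPLES_PER_SYMBOL = 8          # receiver samples per transmitted symbol (assumed)
PREAMBLE = [1, 0] * 4           # alternating pattern the receiver syncs on (assumed)
ON_LEVEL, OFF_LEVEL = 1.0, 0.2  # relative energy near 125 MHz, busy vs idle (assumed)


def bits_of(data: bytes) -> list:
    """MSB-first bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bytes_of(bits: list) -> bytes:
    """Inverse of bits_of; trailing bits that do not fill a byte are dropped."""
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


def xor_checksum(data: bytes) -> int:
    c = 0
    for b in data:
        c ^= b
    return c


def encode_frame(payload: bytes) -> list:
    """Symbol schedule the transmitter follows: preamble, 8-bit length, payload, XOR checksum."""
    assert len(payload) < 256, "single-byte length field"
    return (PREAMBLE + bits_of(bytes([len(payload)])) + bits_of(payload)
            + bits_of(bytes([xor_checksum(payload)])))


def transmit(symbols: list, noise: float = 0.05, lead_in: int = 5, rng=None) -> list:
    """Simulate the receiver's sampled energy: idle lead-in, one level per symbol, idle tail.

    In the real attack each '1' symbol would be a burst of cable activity and each '0'
    a quiet period; here the activity is mapped straight to a sampled energy level.
    """
    rng = rng or random.Random(1)   # seeded so the simulation is reproducible
    samples = []
    for s in [0] * lead_in + symbols + [0] * lead_in:
        level = ON_LEVEL if s else OFF_LEVEL
        samples += [level + rng.gauss(0, noise) for _ in range(SAMPLES_PER_SYMBOL)]
    return samples


def receive(samples: list):
    """Recover the payload from sampled energy, or None if the checksum fails."""
    n = SAMPLES_PER_SYMBOL
    # Decision threshold from the capture itself: midpoint between loudest and quietest sample.
    thr = (max(samples) + min(samples)) / 2
    hard = [1 if v > thr else 0 for v in samples]

    def symbol_at(start: int) -> int:
        window = hard[start:start + n]
        return 1 if sum(window) * 2 > len(window) else 0   # majority vote over the symbol

    # Symbol-timing recovery: the offset whose samples best match the ideal preamble.
    pre_len = len(PREAMBLE)
    best = max(range(len(hard) - pre_len * n + 1),
               key=lambda off: sum(1 for k in range(pre_len) for j in range(n)
                                   if hard[off + k * n + j] == PREAMBLE[k]))

    def symbols_from(pos: int, count: int) -> list:
        return [symbol_at(pos + k * n) for k in range(count)]

    pos = best + pre_len * n
    length = bytes_of(symbols_from(pos, 8))[0]
    pos += 8 * n
    payload = bytes_of(symbols_from(pos, 8 * length))
    pos += 8 * length * n
    chk = bytes_of(symbols_from(pos, 8))[0]
    return payload if chk == xor_checksum(payload) else None


if __name__ == "__main__":
    frame = encode_frame(b"secret")
    print(receive(transmit(frame)))   # b'secret'
```

The point of the model is that the transmitter needs no radio hardware and no privilege beyond driving its own network interface: everything that makes the channel decodable (synchronization, thresholding, error detection) lives on the attacker's SDR side. Conversely, a defender who shields the cable or adds noise degrades exactly the sample separation the `receive` threshold depends on.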

Moreover, the malware needed for this attack must first be delivered into the air-gapped system by some working infection vector, such as a supply chain attack, social engineering, credential theft, or an infected USB drive.

While the attack is limited and depends on several conditions coming together, the researchers recommend that administrators of air-gapped systems take steps to mitigate the risk. Recommendations include banning radio receivers in the vicinity of isolated systems and shielding the Ethernet cabling and the rooms that house sensitive equipment so that the emissions cannot be picked up.

The full research is on the official platforms of Dr. Guri and Ben Gurion University.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.