New Technique “SATAn” to hack Air-Gapped computers using SATA cables as Antenna

Cyber Security researchers at the Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev, Israel, have discovered a new technique called “SATAn”.

The new method allows stealing information and data from air-gapped systems by using the SATA cables as a wireless antenna to transmit data and information from a hacked PC onto a receiver somewhere close to a distance of less than 4 feet. Air-gapped systems are used in critical environments like nuclear power plants that need to be physically isolated from networks that are connected to the public internet. The same researcher   has been involved in more than 12 projects researching various techniques for stealing data from air-gapped networks.

His team has proved that isolated networks can still allow leaking of sensitive information via signals (light, vibrations, sound, heat, magnetic or electromagnetic fields) generated by components like monitors, speakers, cables, CPU, HDDs, cameras, keyboards.

For this SATAn attack to work, an attacker first needs to infect the target device with a piece of malware. Once installed the malware can use SATA cables for performing the exfiltration by modulating and encoding it. Although air-gap computers have no wireless connectivity, malware will allow the use of the SATA cable as a wireless antenna to transfer radio signals at the 6 GHz frequency band. The Serial ATA (SATA) is a bus interface widely used in modern computers and connects the host bus to mass storage devices such as hard disk drives, optical drives, and solid-state drives. 

The experiments show that the SATA 3.0 cables emit electromagnetic emissions in various frequency bands; 1 GHz, 2.5 GHz, 3.9 GHz, and +6 GHz. The idea behind the covert channel is to use the SATA cable as an antenna. Also during the research they found out that reading operations on SATA are more effective in producing stronger signals than writes operation. This also makes the overall attack situation easier, as writing can often require more privileges.   Using this technique data transmission with a bit rate of 1 bit/sec is possible, which is shown to be the minimal time to generate a signal which is strong enough for modulation.


 A countermeasure proposed in the paper is that of a SATA jammer, which monitors for suspicious read/write operations from legitimate applications and adds noise to the signal.