Devilish SATAn Hack Turns Drive Cable Into Antenna to Steal

(Image credit: Ben-Gurion University of the Negev, Israel)

Researchers today revealed a new ‘SATAn’ attack that can turn a SATA cable into a radio transmitter, thus allowing a hacker to exfiltrate data from a system that isn’t connected to a network and transmit it to a receiver 1m away, all without physically modifying the SATA cable or hardware. The software-based technique can work from user space or through a virtual machine (VM).

The ubiquitous SATA connection is used in billions of devices worldwide to connect hard drives and SSDs inside a PC, making it the perfect target for hackers looking for a sophisticated attack with a wide footprint.

Some of the most sensitive data on the planet is stored in air-gapped systems. These systems are entirely isolated from any connection to the outside world, like a network or the internet, and also don’t have any hardware that can communicate wirelessly, like Bluetooth or Wi-Fi adapters. As such, stealing data from them requires ultra-sophisticated techniques. Researcher Mordechai Guri at Ben-Gurion University of the Negev, Israel, has accomplished the feat by converting a standard SATA cable into a radio transmitter, but without actually making any physical modifications to the hardware.

As with all computer interfaces, the SATA bus generates electromagnetic interference during normal operation, and if bus activity is controlled deliberately, that interference can be manipulated and then used to transmit data. In this case, the researcher used the SATA cable as a wireless antenna that operated on the 6 GHz frequency band, thus transmitting a short message to a nearby laptop. This attack can be used in concert with keyloggers to steal passwords or other sensitive data. Likewise, attackers can employ other mechanisms to steal important data, like files and images.

Naturally, the attacker would first have to install malicious software onto the targeted machine, but as we’ve seen with Stuxnet and other attacks, USB devices with malicious code can spread malware inside protected systems. Otherwise, the attacker would need physical access to install the attack payload.

Once installed, the malicious software first encodes the data to be stolen. Then it conducts certain types of file system access, like reads and writes, in a controlled manner to generate a signal on the cable. While either read or write operations can effectively create the correct signals, the researcher notes that read operations typically don’t require higher permissions at the system level and generate stronger signals (by up to 3 dB) than write operations. The researcher also noted that background operations that incur other traffic to the storage device are generally fine. Still, intense drive activity can muddy the transmissions, so it’s best to pause or stop the transmission when heavy background activities occur.
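
Because the signal depends on read activity issued "in a controlled manner," host I/O telemetry is one place a defender can look for it. The following detection sketch is an added example, not code from the researcher or the article. It assumes the controlled reads appear as busy and idle periods of fixed-length time slots (the article does not describe the encoding), that per-process read byte counts are sampled in equal windows, and all function names and sample values are hypothetical and constructed.

```python
"""Flag a process whose disk reads alternate between busy and idle in fixed-length slots."""
from functools import reduce
from math import gcd

MIB = 1 << 20

def run_lengths(bits):
    """Collapse a 0/1 sequence into the lengths of its consecutive runs."""
    runs = []
    for i, b in enumerate(bits):
        if i and b == bits[i - 1]:
            runs[-1] += 1
        else:
            runs.append(1)
    return runs

def slotted_read_pattern(read_bytes, busy_bytes=MIB, min_slot=2, min_runs=8):
    """Return the slot length in sampling windows if reads look slotted, else None.

    read_bytes: bytes read by one process in consecutive, equal sampling windows.
    busy_bytes: a window counts as busy at or above this many bytes.
    """
    bits = [1 if b >= busy_bytes else 0 for b in read_bytes]
    # The first and last runs may be cut off by the capture window, so skip them.
    interior = run_lengths(bits)[1:-1]
    if len(interior) < min_runs:
        return None  # too few busy/idle transitions to judge
    # Slotted activity makes every run a whole multiple of one slot length;
    # ordinary workloads produce runs whose common divisor collapses to 1.
    slot = reduce(gcd, interior)
    return slot if slot >= min_slot else None

# Constructed samples (assumed 100 ms windows), not measurements.
_SYMBOLS = [1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1]
SLOTTED = ([0] * 3
           + [8 * MIB + 4096 * i if s else 4096
              for i, s in enumerate(_SYMBOLS) for _ in range(4)]
           + [0] * 5)
_RUNS = [(0, 2), (1, 1), (0, 3), (1, 2), (0, 5), (1, 1), (0, 1),
         (1, 4), (0, 2), (1, 3), (0, 7), (1, 1), (0, 2)]
ORDINARY = [6 * MIB if v else 0 for v, n in _RUNS for _ in range(n)]

if __name__ == "__main__":
    for name, sample in (("slotted", SLOTTED), ("ordinary", ORDINARY)):
        print(name, "->", slotted_read_pattern(sample))
```

The exact-divisor test is strict by design: a single stray busy window from background I/O breaks the pattern, so in practice this would be one signal among several rather than a standalone alert.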