It has been the case for a long time that a proper "airgap" is not made out of just air but also electromagnetic and acoustic isolation.

https://www.dni.gov/files/NCSC/documents/Regulations/Technical-Specifications-SCIF-Construction.pdf
Not this one again...

It's not Wi-Fi. The article title is misleading clickbait. They are just using a simple script to exercise the RAM in a way that produces more or less radio noise, and then using a debug feature in an off the shelf Wi-Fi chipset to measure the channel noise and transfer data that way (at an extremely low rate of a few bits per second). At no point are Wi-Fi signals involved. Both sides need to collude to make this work. It only takes a few hours to put together this kind of demo.

He did the same thing with GSM a few years ago - the exact same concept with 800 MHz RAM - but he's so bad at it that even though he was using an open source fully documented GSM stack as a base for his receiver (osmocombb), he couldn't get more than a few bits per second out of it, even though you could obviously get a *lot* more data through with access to the DSP hardware at the receiver like he did.

This guy basically runs a paper mill where every few months he comes up with a new side channel, builds the minimum viable PoC, and produces no research of value. He makes no attempt to measure theoretical maximum channel bandwidths, he doesn't optimize the data coding, nothing. He just picks a new random idea, like using screen brightness or network activity LEDs to encode information, and cranks out a paper. And he's *really* good at clickbaiting his way through news cycles, which I'm sure keeps the funding going.

You can implement a PoC at the same level of some of his papers in a one line shell script that blinks the camera LED on a machine to transfer a file bit by bit:

https://twitter.com/marcan42/status/1339156243517095936?s=19
> “The memory buses generate electromagnetic radiation at a frequency correlated to its clock frequency and harmonics. For example, DDR4-2400 emits electromagnetic radiation at around 2400 MHz,” researchers wrote.

The IO clock runs at 1.2 GHz, and the data lines run at double that.

As an overview of the issues designing for DDR4, I liked this technical note: https://media-www.micron.com/-/media/client/global/documents/products/technical-note/dram/tn4040_ddr4_point_to_point_design_guide.pdf

“Prior to designing the card, it is useful to decide how much of the timing budget to allocate to routing mismatch. This can be determined by thinking in terms of time or as a percentage of the clock period. For example, 1% (±0.5%) at 800 MHz clock is 6.25ps (1250ps/200). Typical flight times for FR4 PCB are near 6.5 ps/mm. So matching to ±1mm (±0.040 inch) allocates 1% of the clock period to route matching.”
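The timing-budget arithmetic quoted from the Micron note, as an added example (not the note's or any commenter's code) that generalises it to any clock rate, budget and trace material; the 6.5 ps/mm FR4 flight time is taken from the note as the default, and the function names are my own.

```python
# Routing-mismatch budget for a source-synchronous bus such as DDR4.
# Worked case from the note: 1% total (+/-0.5%) at 800 MHz -> +/-6.25 ps -> ~+/-1 mm on FR4.

FR4_FLIGHT_PS_PER_MM = 6.5  # typical FR4 propagation delay quoted in the note (assumption: default)


def clock_period_ps(clock_mhz: float) -> float:
    """Period of a clock in picoseconds (800 MHz -> 1250 ps)."""
    return 1e6 / clock_mhz


def mismatch_tolerance_ps(clock_mhz: float, budget_pct: float) -> float:
    """The +/- skew tolerance in ps when `budget_pct` of the clock period
    (total, so half each way) is allocated to routing mismatch."""
    return clock_period_ps(clock_mhz) * (budget_pct / 100.0) / 2.0


def match_tolerance_mm(clock_mhz: float, budget_pct: float,
                       flight_ps_per_mm: float = FR4_FLIGHT_PS_PER_MM) -> float:
    """The +/- trace-length matching tolerance in mm that stays within the budget."""
    return mismatch_tolerance_ps(clock_mhz, budget_pct) / flight_ps_per_mm


def budget_pct_for_tolerance(clock_mhz: float, tol_mm: float,
                             flight_ps_per_mm: float = FR4_FLIGHT_PS_PER_MM) -> float:
    """Inverse question: what share of the clock period does a +/- tol_mm
    length mismatch consume (worst case, both directions)?"""
    skew_ps = 2.0 * tol_mm * flight_ps_per_mm
    return 100.0 * skew_ps / clock_period_ps(clock_mhz)


if __name__ == "__main__":
    # The note's 800 MHz example, then the 1.2 GHz DDR4-2400 IO clock mentioned above.
    for mhz in (800.0, 1200.0):
        print(f"{mhz:.0f} MHz: period {clock_period_ps(mhz):.2f} ps, "
              f"1% budget -> +/-{mismatch_tolerance_ps(mhz, 1.0):.2f} ps "
              f"-> +/-{match_tolerance_mm(mhz, 1.0):.2f} mm on FR4")
    print(f"+/-1 mm at 800 MHz uses {budget_pct_for_tolerance(800.0, 1.0):.2f}% of the period")
```
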
A few months ago I read a comment lamenting all of these "novel" airgap "attacks" that are just all variants on the same theme of "figure out a new side-channel to send data between two complicit devices over". You can use memory module buses, power/camera/keyboard LEDs, fan speeds, ultrasound emitted from speakers... it's not very interesting, at this point.

I bet that I can come up with a new one off the top of my head... alright, how about malware that imperceptibly dims/brightens the screen, which could be interpreted as a 1-bit symbol and picked up even when the screen is facing away from the receiver (by observing the reflection off of a nearby surface)?

See also https://news.ycombinator.com/item?id=28394826. These aren't "attacks" - these are methods of data exfiltration between two compromised devices. There *are* attacks that e.g. steal private RSA keys by capturing the EM radiation during cryptographic operations, but this is not that.
These types of attack are known as Van Eck phreaking.

https://en.m.wikipedia.org/wiki/Van_Eck_phreaking
This appears to be the same work published in the USENIX Security Symposium in 2015 as "GSMem": https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-guri.pdf

It was impressive then, and it's still impressive.
That has to be one of the more amazing attacks I've ever seen, but of course it only works in a really weak environment where someone is trying to use a single disconnected machine otherwise close to other machines with normal capabilities.

I'm actually curious if something like this is behind the logic of why a minimum 6-foot gap is required between classified and unclassified workstations in the same building. But actual SCIFs don't allow radio waves through the walls and don't allow any sort of radio-enabled devices that may be able to read this signal and send it back home inside. You *definitely* can't bring IOT devices anywhere remotely close to a high-security environment.
Funny anecdote. Back in 1999 or so, I noticed by happenstance that when I had the cover of my PC off during an HDD defrag (yeah, that was a Windows thing back then), I could easily pick up the noise from the bus at exactly 100 MHz on a radio I had in the room. At first I suspected I was bugged, because the HDD made noise in the same rhythmic pattern as the data being transferred across the bus, which was creating the EM noise. Can you imagine tuning your radio and coming across the ambient sounds in your room? Kinda terrifying.
I'd like to see an attack that communicates in the infrared by loading and unloading the CPU (or any other heat generating component) and then the attacker reads with line-of-sight thermal imaging. You'll get like 6bpm, but hey, it's somethin'.
This is impressive, though would be even more so if they could figure out how to do the reverse and arbitrarily plant bits *in* the memory of an air-gapped, uncompromised machine.
AFAICT the covert channel created is write-only, so maybe the appropriate title is "AirGap Attack Turns Memory Modules into Wi-Fi *Transmitters*"?
Awful article, lol. They're not making a WiFi basestation or something. They're literally just making some broadcast in the 2.4 GHz ISM band.