Academics Turn RAM Into Wi-Fi Cards To Steal Data From Air-Gapped Systems (zdnet.com) 105
Academics from an Israeli university have published new research today detailing a technique to convert a RAM card into an impromptu wireless emitter and transmit sensitive data from inside a non-networked air-gapped computer that has no Wi-Fi card. From a report: Named AIR-FI, the technique is the work of Mordechai Guri, the head of R&D at the Ben-Gurion University of the Negev, in Israel. Over the last half-decade, Guri has led tens of research projects that investigated stealing data through unconventional methods from air-gapped systems. [...] At the core of the AIR-FI technique is the fact that any electronic component generates electromagnetic waves as electric current passes through. Since Wi-Fi signals are radio waves and radio is basically electromagnetic waves, Guri argues that malicious code planted on an air-gapped system by attackers could manipulate the electrical current inside the RAM card in order to generate electromagnetic waves with the frequency consistent with the normal Wi-Fi signal spectrum (2,400 GHz). In his research paper, titled "AIR-FI: Generating Covert WiFi Signals from Air-Gapped Computers," Guri shows that perfectly timed read-write operations to a computer's RAM card can make the card's memory bus emit electromagnetic waves consistent with a weak Wi-Fi signal. This signal can then be picked up by anything with a Wi-Fi antenna in the proximity of an air-gapped system, such as smartphones, laptops, IoT devices, smartwatches, and more. Guri says he tested the technique with different air-gapped computer rigs where the Wi-Fi card was removed and was able to leak data at speeds of up to 100 b/s to devices up to several meters away.
Can't say I'm impressed (Score:1)
If you can get at the Air gapped system to install the software, what is the point of the exercise? Just copy the data, or even photograph the screen.
Re:Can't say I'm impressed (Score:5, Informative)
Re: Can't say I'm impressed (Score:3)
The best scenario would probably a spy breaking in to plant something. Getting in many times is not sensible. Getting in once is feasible.
Doing this to say get the random seed on lotto (Score:2)
Doing this to say get the random seed on the lotto system may make it easy to say win the lotto.
Stuxnet (Score:5, Insightful)
The Iranian nuclear system was hacked by corrupted USBs used to cross the Air Gap. Air Gaps are never 100%, you need to get some data in and out.
This would have worked very well in such a situation if the attacked machines contained important secret data.
Memories are short.
Re: (Score:2)
That's why when security at that sort of level is needed you fill the unused ports with epoxy. Hard to plug in unapproved hardware when the ports are filled with resin.
Re: (Score:2)
It's been demonstrated that monitoring nearly-imperceptible changes in LED brightness can exfiltrate data from air-gapped machines.
If there's I/O, there's a way to abuse it.
Re: (Score:2)
Re: (Score:2)
They came for Huawei, and Microsoft died. Good result!
Re: (Score:2)
Re: (Score:2)
Which will imply a 3-way division of hegemonies in the foreseeable future, until the next major war. Possibly a 4-way division.
Re: (Score:2)
I think it would become obvious that something is amiss when you are sitting within the "several meters away" from the air gapped computer waiting for the data to download at 100 b/s. 8^)
Re: (Score:3)
That's why you don't actually sit there. You use a small inexpensive device as a relay.
Re: (Score:1)
If someone is serious enough to really want an air gap, they should be serious enough to screen or closely monitor people with physical access to the area. The screened people, and the escorts for unscreened-but-monitored people, need to be trained about the risks of allowing random devices in the vicinity of the air-gapped equipment.
If you let random strangers leave arbitrary devices near your high-assurance equipment, you have a bunch of security risks beyond "attackers might use a cheap device as an exf
Re: (Score:3)
> If someone is serious enough to really want an air gap, they SHOULD be serious enough to screen or closely monitor people with physical access to the area.
Emphasis mine. In theory, security can be perfect and nobody screws up...
Re: (Score:2)
That is why serious people usually adopt defense in depth. You don't need each security control to be perfect -- you just need each to be reliable enough that the whole assembly protects against relevant threats. Studies like this one almost universally ignore those other layers, which is fine, but it's not fine for discussions (like on Slashdot) to also ignore layered defenses.
Risk assessment: It's what's for breakfast.
Re: (Score:3)
It is helpful since it identifies a non-obvious but relevant threat. It can be defended against, but that requires understanding that it and other similar threats exist.
What isn't helpful is dismissing this as a real possibility that must be considered when designing secure systems.
Re: (Score:3)
Except people who design secure systems already do have rules that defend against this kind of attack: Security zones (including a minimum distance of secure computers and work space from uncontrolled perimeters). Identification and mitigation of other potential EMI paths, up to potentially building a Faraday cage. Wireless devices being banned in secure areas. Passive spectrum surveillance. Third-party or not thoroughly supervised devices being checked before being admitted. Supervision for unscreened
Re: (Score:2)
The most secure facilities do, but there are many places that assume no network cable = secure air gap.
This isn't advice for the NSA, it's advice for things like credit card processing.
Re: (Score:2)
Then it would be rather obvious when there is a new piece of unknown equipment sitting within "several meters" of the air gapped computer. If you aren't able to control what is within a few meters of your air gapped computer then I don't think having the system air gapped is really securing much.
Re: (Score:2)
Keep in mind, the device could be the size of a pack of gum and may not look like an electronic device.
Re: (Score:1)
Keep the air-gapped system air-gapped and in a Faraday cage? The cage should be as tightly formed around the system.
Or get a case with a Faraday cage built-in? That would keep tricks like this in check, I would assume.
Re: (Score:2)
Re: (Score:3)
Sure it lowers its usefulness, but it's not useless.
Re: (Score:2)
+1 Insightful. Just what I was going to say: "malicious code planted on an air-gapped system", you have a lot bigger problems here than how data is moved off a system.
I am reminded of the story of a pen testing team that pretended to be the fire marshal on an inspection, popped down behind a desk to "check and see if it was far enough from the heat register" and plugged in a usb R.A.T.
Re: (Score:2)
I can't say it's particularly useful, but still, cool technique.
Re: Can't say I'm impressed (Score:3)
And no one would suspect an academic
*Dons glasses*
Re: Can't say I'm impressed (Score:2)
Yeah, the real genius move would be a sjaped radio signal that can flip bits in the target system to spread itself.
I think quantum physics puts a hard limit on that though.
s/sjaped/shaped/ (Score:2)
Just to clarify.
Re: (Score:1)
Yeah, if RAM can transmit, it can also receive.
Every speaker is also a microphone
Re: (Score:1)
Every speaker is a microphone as an isolated electrical component, but the way the sampling and amplification circuits are connected highly biases the directionality. RAM is designed to read the signal levels of the RAM cells while reducing sensitivity to EM radiation. You really wouldn't want to try to write software that could run out of RAM that was more influenced by EM than its contents.
On the transmit side the RAM is already amplifying signals in order to set cell levels and is not overly concerned with
Re: (Score:2)
Backdoor. They're useful.
Re:Can't say I'm impressed (Score:4, Insightful)
The problem isn't getting stuff ONTO the airgapped network - that is usually embarrassingly easy.
The problem is how to exfiltrate the information on the air-gapped network.
Remember, it is believed the best defense against getting hacked and your information stolen is to not connect that computer to the Internet. I.e., you put it on an airgapped network with no connection to the main LAN and such. Many networks are set up this way, including the DoD secure network. Other networks are to isolate the control network from the corporate network so a virus or something can't shut down the production machines or violate safety protocols. These latter networks aren't generally the target of exfiltration attacks as they don't have information to exfiltrate.
Often there is a simple process to get data or other information onto the network but exceedingly hard to get it off.
And there have been dozens of ways to exfiltrate the information - the basic ones used the monitor which led to TEMPEST protection (much less needed these days - CRTs had very distinct EM signatures that pretty much gave away the data, while modern LCD displays make it much harder).
Sure, the extraction speed isn't quick - many methods only push bits per second across the airgap, but they're undetectable and easy.
Stuxnet was a great example of crossing the airgap and there had to be a lot of information exfiltrated in order to get it to be so well targeted.
Re: (Score:3)
look at it this way: if you can't get in, what's the point in air-gapping a system.
different problems. this is about sending data out in a stealthy way once you're in.
Re: Can't say I'm impressed (Score:2)
I have to admit that the technique sounds very impressive.
Install the malware once, go by the compromised computer fairly frequently acting as if you are doing your normal day to day tasks.
This is useful for employees doing corporate espionage on the down low.
Re: Can't say I'm impressed (Score:3)
It's often relatively easy to get data onto a system once - social engineering and a usb stick. Doing it reliably, and getting the data back? Much harder.
WiFi is wireless, but... (Score:4, Informative)
Repeat with me: ...
Wireless is not WiFi
Wireless is not WiFi
Wireless is not WiFi
Wireless is not WiFi
Wireless is not WiFi
Wireless is not WiFi
Re: (Score:3)
But, but, but.... WiFi is the Internet! /s
Re: WiFi is wireless, but... (Score:3)
No, the WWW is the Internet!
Says it right here under my wife's new phone's browser icon: Samsung Internet.
Oh and screens are computers.
Not just since the iMac.
Re: (Score:2)
If you can generate digital radio signals, you can generate WiFi signals that comply with the protocol. Not easy, but certainly doable.
Re: WiFi is wireless, but... (Score:4, Informative)
The WiFi protocol requires many many things including a CSMA/CA medium access control, which is impossible to implement with a transmit-only mechanism (thus no carrier-sense) and specific modulation and coding schemes (MCS), all of them resulting in transmission speeds well above the 100's bps reported in the paper.
Please, repeat with me: ...
Wireless is not WiFi
Wireless is not WiFi
Wireless is not WiFi
Re: (Score:3)
> The WiFi protocol requires many many things ...
Many many things you don't grasp and which you only believe that it does.
The signal that was produced was received on a WiFi receiver and it conformed to parts of the WiFi protocol. It was all that was needed to prove the concept of leaking data over WiFi. It doesn't need to implement the entire protocol or an access point. It can be as simple as the broadcast signal of a WiFi network's name (SID) or even less.
Perhaps repeat the following: ...
WiFi is not WiFi
WiFi is not WiFi
WiFi is not WiFi
Re: WiFi is wireless, but... (Score:5, Informative)
> The signal that was produced was received on a WiFi receiver and it conformed to parts of the WiFi protocol.
It's using low-level WiFi hardware as a spectrum analyzer. The signal does not conform to any WiFi protocol, and no WiFi card will recognize it as data. It's just keying a carrier at very low frequency, far slower and more primitive than any WiFi modulation scheme.
> Many many things you don't grasp and which you only believe that it does.
Indeed.
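Added example, not part of the thread or of the AIR-FI paper: a defender-side check for the kind of signal the comment above describes, a carrier keyed on and off far more slowly than any Wi-Fi modulation, run over channel-power readings such as a passive spectrum monitor would log. The sample series, the 1 kHz reading rate, the function names and every threshold are constructed assumptions; only the 100 b/s figure comes from the summary.

```python
import random
from statistics import mean

SAMPLE_RATE_HZ = 1000  # assumed: one channel-power reading per millisecond


def split_levels(power_dbm, iterations=10):
    """1-D two-means clustering; returns (low_mean, high_mean, threshold)."""
    low, high = min(power_dbm), max(power_dbm)
    threshold = (low + high) / 2
    for _ in range(iterations):
        lows = [p for p in power_dbm if p <= threshold]
        highs = [p for p in power_dbm if p > threshold]
        if not lows or not highs:
            break
        low, high = mean(lows), mean(highs)
        threshold = (low + high) / 2
    return low, high, threshold


def run_lengths(states):
    """Lengths of consecutive runs of equal values."""
    runs, count = [], 1
    for prev, cur in zip(states, states[1:]):
        if cur == prev:
            count += 1
        else:
            runs.append(count)
            count = 1
    runs.append(count)
    return runs


def detect_slow_keying(power_dbm, sample_rate_hz, max_bit_rate=150.0,
                       min_gap_db=6.0, tolerance=0.15,
                       min_regularity=0.9, min_runs=8):
    """Flag a carrier that is switched on and off on a slow, regular clock."""
    result = {"suspicious": False, "reason": "",
              "bit_rate": None, "regularity": None}
    low, high, threshold = split_levels(power_dbm)
    if high - low < min_gap_db:
        result["reason"] = "no distinct on/off power levels"
        return result
    states = [p > threshold for p in power_dbm]
    runs = run_lengths(states)[1:-1]  # edge runs are cut by the capture window
    if len(runs) < min_runs:
        result["reason"] = "too few transitions to judge timing"
        return result
    unit = min(runs)  # shortest run approximates one symbol period
    fits = sum(1 for r in runs
               if abs(r / unit - round(r / unit)) <= tolerance)
    result["bit_rate"] = sample_rate_hz / unit
    result["regularity"] = fits / len(runs)
    if result["bit_rate"] > max_bit_rate:
        result["reason"] = "switching too fast for slow keying"
    elif result["regularity"] < min_regularity:
        result["reason"] = "durations are not multiples of one symbol period"
    else:
        result["suspicious"] = True
        result["reason"] = "regular slow on/off keying"
    return result


def synth(run_plan, seed, off_dbm=-90.0, on_dbm=-80.0):
    """Constructed signal: (is_on, n_samples) runs plus +/-1 dB noise."""
    rng = random.Random(seed)
    out = []
    for is_on, n in run_plan:
        base = on_dbm if is_on else off_dbm
        out.extend(base + rng.uniform(-1.0, 1.0) for _ in range(n))
    return out


# Constructed inputs (not measurements): a 100 b/s keyed carrier,
# irregular traffic-like bursts, and an idle channel.
BITS = [1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1]
KEYED = synth([(False, 25)] + [(bool(b), 10) for b in BITS] + [(False, 25)],
              seed=1)
BURST_LENGTHS = [29, 13, 11, 47, 64, 9, 8, 31, 37, 22, 19, 58, 43, 17]
BURSTY = synth([(i % 2 == 1, n) for i, n in enumerate(BURST_LENGTHS)], seed=2)
NOISE = synth([(False, 400)], seed=3)

if __name__ == "__main__":
    for name, series in (("keyed", KEYED), ("bursty", BURSTY), ("noise", NOISE)):
        print(name, detect_slow_keying(series, SAMPLE_RATE_HZ))
```

The bursty series passes the rate check but fails on timing regularity, which is the property that separates a clocked keyed carrier from ordinary band activity. Real captures would need smoothing before thresholding, since noise near the threshold splits runs.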
Re: (Score:3)
> The signal that was produced was received on a WiFi receiver and it conformed to parts of the WiFi protocol.
Who said it's implementing the entire protocol?
You keep using the word WiFi as if you knew more about it than others, but say which WiFi protocol are you talking about? Let me guess, you're just using the term WiFi in general, the same way they do in the article. Only difference here is you're too dumb to grasp it.
Go ahead, and repeat it: ...
WiFi is not WiFi.
WiFi is not WiFi.
WiFi is not WiFi.
Re: WiFi is wireless, but... (Score:5, Informative)
> Who said it's implementing the entire protocol?
Nobody. You're the one who thinks it implements some part of a WiFi protocol:
> it conformed to parts of the WiFi protocol. [...] It can be as simple as the broadcast signal of a WiFi network's name (SID) or even less.
It implements ZERO parts of ANY WiFi protocol.
It cannot broadcast an SSID.
> Let me guess, you're just using the term WiFi in general, the same way they do in the article. Only difference here is you're too dumb to grasp it.
I read the paper. I'm guessing you haven't.
Re: (Score:2)
No, I didn't say it implemented the protocol either and you even quoted me. I've said or even less.
The point is quite intentionally that it doesn't have to. The use of the word WiFi or just calling it a WiFi signal doesn't require for it to conform to any of the existing standards. It is merely the fact that it is a signal within the WiFi frequency band that allows them to describe it as such.
Re: (Score:2)
> The use of the word WiFi or just calling it a WiFi signal doesn't require for it to conform to any of the existing standards. It is merely the fact that it is a signal within the WiFi frequency band that allows them to describe it as such.
By your made-up definition, anything operating in the 2.4G ISM band is WiFi, including microwave ovens and baby monitors.
If you want to have a conversation, we have to agree that words have meanings. WiFi actually means something. It's a family of protocols specified by the WiFi Alliance.
Re: (Score:2)
> By your made-up definition, ...
It isn't my definition, it is theirs, and nobody has got a problem with grasping it.
Why is this so hard to comprehend for you?
They did say that they've turned RAM modules into WiFi cards, or, according to you into wireless cards. Well, did they really or are these actually still memory cards? Why did this not upset you, but only their use of the word WiFi? So if you want to have a conversation, let's start there.
Re: (Score:1, Informative)
No, thanks. I've chosen to follow the link and it turns out in this case the term wireless does indeed refer to Wi-Fi and whatever you thought they had said isn't the case. They've produced not only electromagnetic signals, not just any wireless signals, they did in fact produce a WiFi signal and caught it with a conventional WiFi USB dongle on another computer. So yes, they are perfectly in their right to call it a wireless emitter or a WiFi emitter.
Re:WiFi is wireless, but... (Score:5, Informative)
> As shown in Section V, the electromagnetic emissions generated by the data bus are around the 2.4 GHz frequency range and overlap the Wi-Fi channels. In Wi-Fi transceiver chips, the baseband processor handles the radio, PHY and MAC layers. The Internet, transport, and application layers are processed by the software protocol stack, usually in the kernel drivers. In order to measure the interference generated, the attacker has to access the low-level radio measurement information from the PHY layer. This can be done by compromising the firmware of the Wi-Fi chips and passing the required radio measurements to the software stack
So no WiFi signals were generated. They are using the PHY to measure interference in the WiFi spectrum, and this interference is then decoded. Using your definition a microwave emits WiFi signals.
Re: (Score:2)
> So no WiFi signals were generated.

> ... the electromagnetic emissions generated by the data bus are around the 2.4 GHz frequency range and overlap the Wi-Fi channels ...
So they did generate WiFi signals. Nobody said they were implementing a specific IEEE standard nor did anybody say which version of it they're implementing. Just because you don't get this doesn't make others wrong. Only you insisting they were makes you retarded. You yourself use the word WiFi loosely.
WiFi is not WiFi ... ... ...
WiFi signal is not WiFi signal
WiFi protocol is not WiFi protocol
Re:WiFi is wireless, but... (Score:4, Insightful)
Joe2020, you are wrong.
A device receives the WiFi certification from the WiFi Alliance [wikipedia.org] if it passes multiple tests, including conformance to critical aspects of the 802.11 standard. 802.11 IS a specific IEEE standard, and the WiFi logo is applied ONLY to 802.11 devices that have passed a compatibility certification process.
You are confusing a specific protocol with the frequency bands it is using. For your information, Bluetooth, WiFi (i.e. 802.11), some cordless phones and baby monitors, and even microwaves employ the 2.45 GHz frequency band (note that microwaves transmit power, not signals, but they leak and generate interference). So, while they are different protocols (only 802.11 is WiFi), they interfere with each other, since they employ the same band. You have even claimed that they are using the term WiFi "in general", which is clearly incorrect: the general term is wireless, whereas WiFi is one specific wireless protocol. So, yes, wireless is not WiFi (please, repeat with me), but WiFi is wireless.
I have explained in another comment that WiFi (i.e. 802.11) requires CSMA/CA [wikipedia.org] medium access control; this is impossible to implement with the transmit-only mechanism they are building leveraging the memory bus. Additionally, WiFi (i.e. 802.11) does not allow any transmission speed, it specifies certain Modulation and Coding Schemes that result in very specific transmission speeds, way higher than the 100 bps reported in the paper [arxiv.org]. You can find the specific MCS values for 802.11ac here [wikipedia.org], for example; they are all in the Mbps range. Finally, other people have explained to you that, while they are employing WiFi hardware to receive the signal, it is not a WiFi signal and according to the paper [arxiv.org] they are using WiFi devices to detect low-level radio measurement information from the PHY layer. You could employ the same hack to try to detect other signals in the same frequency band. There are a ton of other details (such as frame format, modulation, error detection mechanism, control frames, acknowledgements, etc.) that make their mechanism NOT WiFi. They misuse the term in the paper, and you are wrong defending it with incorrect arguments.
Not only are you wrong, but you are insulting other people who are correctly explaining why it is not WiFi. You have labelled me or other people as dumb, retard, nerds and full retard.
Joe2020, you behave like an asshole.
Re: (Score:3)
RTFA before posting snarky shit or you'll look like an ass
Re: (Score:2)
> Hardly WiFi.
Hardly? What a cowardly stance you're taking! You cannot even decide on a simple yes or no... Deep down must you have realised that one can accept it as a means for a description of what was involved. Good on you!
Re: (Score:2)
Re: (Score:2)
It was a mockery of course, but also a good demonstration of how words can have multiple meanings, even opposing meanings. As I said before, for some nerds does language not compute as is the case here with the use of the word WiFi to describe some signal, or even just a blip, on the WiFi band.
Re: (Score:1)
He is a nerd who has gone full retard. His brain is full of 0s and 1s and so language doesn't compute with him.
Shielding (Score:3, Informative)
I am a HAM and I have sensitive RF instruments in close proximity to PCs I build. When I build machines I struggle to find all-metal, RF tight cases. The low power of transmitting RAM devices will not get through a decent steel case with proper RF fingers. Sadly you can write off 99% of all cases you might otherwise use; the low end is lots of plastic, the high end is lots of glass and RF fingers or metal filter screens are almost nonexistent.
Good, prebuilt systems from major manufacturers do still make some effort to manage RF, but the homebrew case manufacturers are utterly oblivious.
Re: Shielding (Score:2)
As a radio noob: What are RF fingers?
I only know fish fingers. The ones you can get at the harbor from one of the ladies..
Also, would a layer aluminimum ('lumnum in AE) foil foil it or foil foiling foiling it?
Re: (Score:2)
rf fingers are contacts that create electrical continuity with the goal of making a sealed Faraday cage.
back when you'd find real workstations (sun, sgi, etc) the top slide-off metal sheet would have fingers that would press against adjacent metal walls.
doing it right and passing fcc was a bit of effort. they don't even bother for home systems anymore.
Re: (Score:2)
You can buy a properly engineered case. You may have problems finding a case that provides total RF shielding though. Just because a case doesn't meet your standards of RF shielding doesn't mean that it isn't properly engineered. If I need a case that is water tight I can't complain that one of the cases you find properly engineered (for RF shielding) isn't actually properly engineered.
I would hazard to guess that >95% of people don't care if there is RF leakage from their computer case.
Is half the Israeli economy based on spying? ;) (Score:2, Insightful)
Or is that just the picture we are getting here?
(The other half is obviously hummus... or Hamas, depending on your pronunciation. [Tasty! Try it with pork!] ;)
Theoretical attacks are just that (Score:1)
Re: (Score:2)
Where i work, we don't have access to install or even copy software onto the machines. So you need to find a corrupt technician. Then you need to find a corrupt employee with access to bring an authorized device/receiver into these highly restricted areas. Neither is impossible, but a lot of holes in the Swiss cheese have to line up to make all these novel attacks work.
This is the issue that sometimes happens with these security flaw "exposes". Yes, possible, but it's a hella lot easier to find that corrupt employee than go through all of that as in step one or two.
No doubt at some point, the researchers will figure out how to reconstruct data via brainwaves, and suggest anyone with access to a computer has to wear a faraday cage around their heads.
Re: Theoretical attacks are just that (Score:2)
You could replace "corrupt" with a) disgruntled or b) horny
Ingenious (Score:5, Interesting)
https://arstechnica.com/inform... [arstechnica.com]
Re:Ingenious (Score:5, Informative)
...But not the first method to escape from air gapped systems -- for example, there's this article from 2013 about using high-frequency audio, inaudible to humans but detectable by any microphone in close proximity: https://arstechnica.com/inform... [arstechnica.com]
Don't forget Tempest. https://en.wikipedia.org/wiki/... [wikipedia.org]
Disappointing tech journalism (Score:1)
What they actually did was use RAM to create intentional EMI in the 2.4GHz spectrum. It happens to be shared with WiFi but in no way does it share anything with the WiFi standard. The article title is grossly wrong and highly misrepresentative but I guess that's the kind of trash that passes for tech journalism nowadays.
ref (Score:5, Interesting)
Related project previously posted on Slashdot:
https://github.com/fulldecent/... [github.com]
This allows to transmit radio from your computer by opening a web page or running a program.
I haven't tested it yet with the M1 Macs and they may have a different physical characteristic so it might not work there.
Re: ref (Score:2)
This has two implementations, the first being specific to SSE on x86 based processors, the other being high precision pointer increments. The x86 version specifically uses a call that prevents caching while the pointer increment is just writing to the stack and hoping for the best. It's that latter one that could only work on the new M1.
If you have physical access, nothing else matters (Score:2)
To use this exploit, you need to be near the computer in question. If you are able to get physical access, why bother with this technique?
Solution waiting for a problem.
Re: (Score:2)
Re: (Score:2)
"If you are able to get physical access, why bother with this technique?"
a) The physical access may be separated in time from the data you wish to exfiltrate.
b) While I suppose somebody has an entire supply chain starting from silicon ingots, in the overwhelming majority of cases every computer was once in the physical possession of someone else, e.g. before purchase.
Re: (Score:2)
a) That doesn't change anything. There are better, proven methods to overcome this problem, all of which are better than the offered method
b) Is this in support of, or contrary to my point? I can't tell.
My point stands. This is an interesting application of a new exploit, that has no practical purpose and is also harder to implement than other methods.
Simple enough to prevent. (Score:2)
Re:Simple enough to prevent. (Score:4, Funny)
Even easier, just install ROM instead.
Re: (Score:2)
We had lots of plastic computers back when, but they did have the RF shielding. But [practically] nobody was doing it for security reasons. They just didn't want to cause or experience interference.
Re: (Score:2)
> We had lots of plastic computers back when, but they did have the RF shielding. But [practically] nobody was doing it for security reasons. They just didn't want to cause or experience interference.

That was the purpose back then. RF interference was a big deal, and could wreak havoc on nearby systems. I really don't know when it started being a non-issue, but still I make sure my systems are shielded if for no other reason than this type of shit right here.
Everything is everything (Score:2)
This trend started when Bobby Brady's braces started receiving radio signals.
Actually, I thought the plot was silly until we moved into a house roughly a mile from an AM radio station. Almost anything with wires acted like a radio if you listened close enough. It gummed up reception on real radios and phones, though.
FM and AM Wavelengths (Score:1)
We've been able to do this for some time using different emission techniques though this is still interesting. Both FM and AM frequency bands can also be used as well as EMF.
Remember, it is sometimes useful to simply egress the data in a compromised system.
Slot machines seem like a good place to plant this (Score:2)
Slot machines seem like a good place to plant this.
Just need to know when the random seed will give a big payoff so you know when to push the button, and small range is not an issue.
Wow level programming. (Score:2)
Re: (Score:2)
Re: (Score:2)
FLAME>
Is that your name on the POC?? Any POC? Gosh no. Of course I'm just resorting to first principles... Sorry about your failures in applied "anything".
Oh, I missed the A+ in "Applied Trolling". My apologies sir.
\FLAME
Re: (Score:2)
These hacks seem reasonably practical to do from afar, if you're deep enough into someone's systems, and they don't air gap.
Re: (Score:2)
Sigh, I mean, if they don't fully air gap. Failed to preview again.
I still don't think we need editing.
The premise is false anyway, though. You can have physical access, but it can be limited, and you can therefore not be able to do "anything".
Yes. So? (Score:2)
Seriously, the idea of TEMPEST shielding is decades old. It is quite well known that you can use a lot of things in a PC to beam out RF or light. You can even modulate power consumption.
Re: (Score:2)
Re: (Score:2)
Exactly. And thanks.
Apple polishing (Score:5, Informative)
Giant Nerd Repeats Same Experiment Endlessly for Academic Points
I had a chem prof in college who used to publish entire spreadsheets of tabular data about benzoic acid to scientific journals until they finally told him "We know you're seventy, already tenured and we don't care about this any more, we aren't satisfying your ego on meaningless research." Mordo here is functionally stating "Consumer electronics give off readable RF energy" over and over as though tomorrow he'll be invited for his Nobel Prize and lifetime Mossad award, and everything will switch overnight to fiber optics.
This was cutting edge info a decade ago. Now he's just fluffing himself because seriously most national security agencies must have extrapolated the implications on their own long since.
How is no one saying... (Score:1)
Odd Code PID (Score:2)
I recall some such something or other
Pretty funny but not so new. (Score:4, Informative)
If you read the original paper:
* This kind of attack (using peripherals/system components as antennas) is not new
* What is funny is that they use the receiver unit of a wifi card to receive it (this, in itself is also not so new)
* What should be clearly stated is that they do not convert it into a "Wi-Fi" Card. They turn it into a "Transmitter in the ISM Band with bandwidths compatible with wifi cards input filters"
* As such, it is not sufficient to have access to a nearby device with a wifi card, but actually it needs to be a device where you manipulate the DSP frontend of the receiver card in a low-level way.
So while the attack is cool in the hacking sense, its practical worth is not much, as their figures show:
* Virtualize, and it's getting less effective
* Have RAM with another timing: does not work
* Run anything else on the other CPU cores: strongly reduces effectiveness
* Maximum distance: 800cm, more likely 100cm
* (Probably: live in a polluted 2.4GHz region, e.g. city: probably does not work)
* Every Receiver HW must be individually manipulated
* Receiver Frontend most likely looks like it's failing to the normal user.
* Unclear: Material impact of case (since no power unit is indicated)
* Unclear: Impact of not being in Line of Sight.
This is how skynet will escape (Score:2)
One day some engineers are going to load up a super intelligent AI on an air-gapped machine and it'll use the same concept to connect to the outside world.
TEMPEST (Score:2)
If the air-gapped system is TEMPEST compliant, it would not matter if the RAM card is transmitting anything.
TEMPEST [wikipedia.org]