LANtenna attack allows exfiltrating data from Air-Gapped systems via Ethernet cables

Boffins devised a new technique, dubbed LANtenna, to exfiltrate data from systems in air-gapped networks using Ethernet cables as a “transmitting antenna.”

Security researchers from the Cyber Security Research Center in the Ben Gurion University of the Negev (Israel) devised a new data exfiltration mechanism, dubbed LANtenna Attack, that leverages Ethernet cables as a “transmitting antenna” to steal sensitive data from air-gapped systems.

The research group lead by Dr. Mordechai Guri explained that data siphoned from air-gapped systems are encoded over radio waves emanating from Ethernet cables. Then data can be intercepted by a nearby software-defined radio (SDR) receiver wirelessly, decoded, and sent to an attacker who is in an adjacent room.

“LANTENNA – a new type of electromagnetic attack allowing adversaries to leak sensitive data from isolated, air-gapped networks. Malicious code in airgapped computers gathers sensitive data and then encodes it over radio waves emanating from the Ethernet cables, using them as antennas. A nearby receiving device can intercept the signals wirelessly, decode the data, and send it to the attacker.” reads the paper published by the researchers. “Notably, the malicious code can run in an ordinary user-mode process and successfully operate from within a virtual machine.”

The experts explained that often air-gapped networks are wired with Ethernet cables since wireless connections are strictly prohibited to avoid data leaks.

The researchers used malware to exfiltrate collected data, modulating it, and transmitting wirelessly via the radio waves emanating from the Ethernet cables.

The electromagnetic emissions are generated by the Ethernet cable in the frequency bands of 125 MHz that can be intercepted by a nearby radio receiver.

In a test conducted by the researchers, data exfiltrated from an air-gapped computer was transmitted through the Ethernet cable and was received at a distance of 200 cm apart.

In a read attack scenario, threat actors have to physically compromise the air.gapped system, for example by leveraging a malicious insider or tricking personnel with access to the system into connecting an infected USB drive.

The researchers proposed several defensive measures that can be adopted against the LANTENNA attack such as:

• implementing zone separation banning radio receiver from the area of air-gapped networks;
• monitoring the network interface card link activity at the user and kernel levels. Any change of the link state
  should trigger an alert;
• using RF monitoring hardware equipment to identify anomalies in the LANETNNA frequency bands;
• blocking the covert channel by jamming the LANTENNA frequency bands;
• Cable Shielding;

“This paper shows that attackers can exploit the Ethernet cables to exfiltrate data from air-gapped networks,” the researchers concluded. “Malware installed in a secured workstation, laptop, or embedded device can invoke various network activities that generate electromagnetic emissions from Ethernet cables.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, LANtenna Attack)

[adrotate banner=”5″]

[adrotate banner=”13″]