LANtenna Attacks Exploit Air-Gapped Networks Via Ethernet
Exploits Use Ethernet Cables, Can Leak Data to Location Several Meters Away
Researchers at Ben-Gurion University of the Negev, Israel, have uncovered a new type of electromagnetic attack, dubbed LANtenna, that exfiltrates sensitive data from an isolated, air-gapped computer using Ethernet cables as transmitting antenna.
Mordechai Guri, head of research and development at the university's Cyber Security Research Center, says that "malicious code in air-gapped computers gathers sensitive data and encodes it over radio waves emanating from the Ethernet cables, using them as antennas. A nearby receiving device can intercept the signals wirelessly, decode the data, and send it to the attacker."
Air-gapped networks are said to be more secure because their infrastructure is physically isolated, and they’re separated from the internet and other unsecured connections. Large-scale industrial companies, such as power companies and oil and gas firms, as well as government agencies, use these networks.
"This paper shows that attackers can exploit the Ethernet cables to exfiltrate data from air-gapped networks," Guri says. "Malware installed in a secured workstation, laptop, or embedded device can invoke various network activities that generate electromagnetic emissions from Ethernet cables."
Javvad Malik, security awareness advocate at cybersecurity firm KnowBe4, says that such attacks are likely to be of interest to critical infrastructure or other sectors that have sensitive systems.
"Like many other attacks against critical infrastructure or air-gapped systems like the Iranian nuclear facility, which was targeted by Stuxnet, the biggest challenge is getting the malware onto the air-gapped system to begin with," Malik tells Information Security Media Group.
Guri says that LANtenna allows adversaries to leak sensitive data from isolated, air-gapped networks to a location several meters away.
"Ethernet cables emit electromagnetic waves in the frequency bands of 125 MHz. Changing the adapter speed or turning it on and off makes it possible to regulate the electromagnetic radiation and its amplitude," says Guri.
In this case, data could be transmitted from an air-gapped computer through its Ethernet cable and received 200 cm away, he says, adding that the signal was centered around 125.010 MHz.
His research also shows how a standard software-defined radio receiver in the area could decode the information and pass it to the attacker over the internet.
"Our research topic is focusing on covert channels and air gap security. The interesting point in this research is that the cables that were used to protect the network actually helped this attack. The cables that used to prevent wireless communication were exploited as antennas for wireless communication," Guri tells ISMG.
The research also shows that social engineering techniques, stolen credentials, insider threats, and supply chain attacks would be the most likely avenues to be successful, Malik says.
“Broadly speaking, these are also the main avenues through which the majority of attacks are undertaken, so organizations should focus on closing these paths down as best as possible. By doing so, they greatly reduce the likelihood of an attack being successful,” Malik notes.
Zoning, according to Guri, is a mitigation measure in which no wireless receivers are allowed within a specified distance of air-gapped networks. Users can also install software that monitors and detects suspicious activities, he says, adding that special shielded cables can also help.
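The monitoring software Guri mentions can key on the very behaviour the channel relies on: the adapter being toggled or its speed changed at a rate no ordinary workstation exhibits. The detector below is an added illustration, not code from the Ben-Gurion researchers or from ISMG; it runs over constructed log lines shaped like Linux NIC link-state messages (the timestamp prefix and the "NIC Link is Up/Down" wording are assumptions) and flags an interface whose link flaps repeatedly within a short window.

```python
import re
from collections import defaultdict, deque

# Constructed sample log lines (not captured from any real system), shaped like
# Linux NIC link-state messages: "<epoch seconds> <iface>: NIC Link is Up/Down ...".
# eth1 comes up once; eth0 is toggled through several speeds within a few seconds.
SAMPLE_LOG = """\
1633000000.10 eth0: NIC Link is Up 1000 Mbps Full Duplex
1633000050.00 eth1: NIC Link is Up 1000 Mbps Full Duplex
1633000100.00 eth0: NIC Link is Down
1633000100.40 eth0: NIC Link is Up 100 Mbps Full Duplex
1633000100.90 eth0: NIC Link is Down
1633000101.30 eth0: NIC Link is Up 10 Mbps Full Duplex
1633000101.80 eth0: NIC Link is Down
1633000102.20 eth0: NIC Link is Up 1000 Mbps Full Duplex
1633000102.70 eth0: NIC Link is Down
1633000103.10 eth0: NIC Link is Up 100 Mbps Full Duplex
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<iface>\S+): NIC Link is (?P<state>Up|Down)"
    r"(?: (?P<speed>\d+) Mbps)?"
)

def parse_events(text):
    """Return (timestamp, iface, state, speed_mbps_or_None) for each matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            speed = int(m.group("speed")) if m.group("speed") else None
            events.append((float(m.group("ts")), m.group("iface"), m.group("state"), speed))
    return events

def find_link_flapping(events, window_s=5.0, max_transitions=4):
    """Map iface -> peak number of link/speed transitions seen inside any
    window_s-second window, for interfaces exceeding max_transitions.
    Faulty cables and switch ports also flap, so a hit is a lead to investigate."""
    recent = defaultdict(deque)   # iface -> timestamps of transitions in the window
    last = {}                     # iface -> (state, speed) most recently seen
    alerts = {}
    for ts, iface, state, speed in sorted(events):
        if last.get(iface) != (state, speed):   # a genuine transition, not a repeat
            q = recent[iface]
            q.append(ts)
            while ts - q[0] > window_s:         # drop transitions outside the window
                q.popleft()
            if len(q) > max_transitions:
                alerts[iface] = max(alerts.get(iface, 0), len(q))
        last[iface] = (state, speed)
    return alerts
```

On the sample above, eth0 accumulates eight transitions in just over three seconds and is reported, while eth1's single link-up is ignored.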
The researcher recommends shielded Ethernet cables, which mitigate the threat presented in this research by limiting the leakage of the signals generated by LANtenna techniques.
"Different techniques can be used for shielding Ethernet cables. The most common is to place a shield around each twisted pair to reduce the general electromagnetic emission and the internal crosstalk between wires. It is possible to increase the protection by placing metal shielding around all the wires in the cable," Guri notes.
While there have not been air-gapped network attacks recently, Guri tells ISMG that malware that attacks air-gapped networks has been reported by security firms in the past, including the Ramsay malware in 2020.
In May 2020, security researchers at ESET discovered a cyberespionage toolkit called Ramsay, which was designed to infiltrate air-gapped networks to steal documents, take screenshots and compromise other devices.
Researchers discovered that Ramsay potentially posed an unusual threat because of its ability to penetrate and operate within air-gapped networks (see: Cyberespionage Malware Targets Air-Gapped Networks: Report).