“Security researchers from the Cyber Security Research Center in the Ben Gurion University of the Negev (Israel) devised a new data exfiltration mechanism, dubbed LANtenna Attack, that leverages Ethernet cables as a “transmitting antenna” to steal sensitive data from air-gapped systems. The research group led by Dr. Mordechai Guri explained that data siphoned from air-gapped systems are encoded over radio waves emanating from Ethernet cables. The data can be intercepted by a nearby software-defined radio (SDR) receiver wirelessly, decoded, and sent to an attacker who is in an adjacent room” (Security Affairs, 2021).

The technique uses electromagnetic emissions to steal sensitive data from isolated, air-gapped networks. Malicious code running on an air-gapped computer gathers the data and then transmits it over radio waves emanating from the attached Ethernet cables, effectively using the cables as antennas. An attacker can intercept the data with a nearby receiver.

The researchers note that the malicious code can run in an ordinary user-mode process and successfully operate from within a virtual machine.

Analyst Comments:
Air-gapped networks are often wired with Ethernet cables, since wireless connections are prohibited precisely to avoid leaking data. Using the malware, the researchers were able to transmit data wirelessly via 125 MHz radio waves and intercept it with a nearby receiver. Data could be intercepted from as far as 200 cm, or roughly 6 feet.

Threat actors would first need to compromise the air-gapped system physically, for example through a malicious insider or an infected USB drive. This makes the attack much less viable for ordinary cybercriminals.

The researchers proposed several defensive measures that can be adopted against the LANTENNA attack such as:

  • Implementing zone separation that bans radio receivers from the area around air-gapped networks
  • Monitoring the network interface card link activity at the user and kernel levels; any change of the link state should trigger an alert
  • Using RF monitoring hardware to identify anomalies in the LANTENNA frequency bands
  • Blocking the covert channel by jamming the LANTENNA frequency bands
  • Cable shielding
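The link-state monitoring measure above is the one most readily implemented on the host itself. The following Python script is an added example, not code from the Ben Gurion researchers or from the Security Affairs article. It reads the real Linux sysfs files /sys/class/net/<iface>/operstate and /sys/class/net/<iface>/speed and raises an alert when an interface's link state or speed changes more than a set number of times inside a sliding window. The window, the threshold and the sample timeline are constructed assumptions; setting max_changes to 0 gives the stricter "alert on any change" rule the researchers describe, while the default separates a technician's single unplug/replug from the repeated toggling a covert channel would need.

```python
"""
NIC link-state change monitor (added example; assumes a Linux host with
/sys/class/net/<iface>/operstate and /sys/class/net/<iface>/speed).
"""
import time
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Tuple

# (unix_time, interface, operstate, speed_mbps): the shape a poller produces
Sample = Tuple[float, str, str, int]


@dataclass
class Alert:
    interface: str
    first_ts: float   # time of the oldest change in the offending window
    last_ts: float    # time of the change that crossed the threshold
    changes: int
    reason: str


def read_link_state(iface: str) -> Tuple[str, int]:
    """Read operstate and speed from sysfs (Linux only; real paths)."""
    base = f"/sys/class/net/{iface}"
    with open(f"{base}/operstate") as f:
        state = f.read().strip()
    try:
        with open(f"{base}/speed") as f:
            speed = int(f.read().strip())
    except (OSError, ValueError):
        speed = -1  # link down or driver does not report a speed
    return state, speed


def poll_once(ifaces: Iterable[str]) -> List[Sample]:
    """Take one live sample per interface (only works on a Linux host)."""
    now = time.time()
    return [(now, i, *read_link_state(i)) for i in ifaces]


def detect_link_flaps(samples: Iterable[Sample], window_s: float = 60.0,
                      max_changes: int = 3) -> List[Alert]:
    """Flag an interface whose state/speed changes more than max_changes
    times within any window_s-second sliding window. Emits one alert per
    offending window rather than one per extra change."""
    last: Dict[str, Tuple[str, int]] = {}
    recent: Dict[str, Deque[float]] = {}
    alerted_at: Dict[str, float] = {}
    alerts: List[Alert] = []

    for ts, iface, state, speed in sorted(samples):
        cur = (state, speed)
        prev = last.get(iface)
        last[iface] = cur
        if prev is None or prev == cur:
            continue  # first sighting or no transition
        q = recent.setdefault(iface, deque())
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()  # drop changes that fell out of the window
        # Alert only if every change in the window postdates the last alert.
        if len(q) > max_changes and alerted_at.get(iface, -1.0) < q[0]:
            alerts.append(Alert(iface, q[0], ts, len(q),
                                f"{len(q)} link changes in {window_s:.0f}s"))
            alerted_at[iface] = ts
    return alerts


def build_sample_timeline() -> List[Sample]:
    """Constructed samples: eth0 sees one unplug/replug by a technician;
    eth1 shows the rapid speed toggling a covert channel would need."""
    samples: List[Sample] = [(0.0, "eth0", "up", 1000),
                             (5.0, "eth0", "down", -1),
                             (20.0, "eth0", "up", 1000)]
    speeds = [1000, 100]
    for i in range(11):  # t = 100 .. 120, a change every 2 seconds
        samples.append((100.0 + 2 * i, "eth1", "up", speeds[i % 2]))
    return samples


if __name__ == "__main__":
    for a in detect_link_flaps(build_sample_timeline()):
        print(f"ALERT {a.interface}: {a.reason} ({a.first_ts:.0f}-{a.last_ts:.0f})")
```

On a live host the same detector can be fed by calling poll_once on the interfaces of interest once a second and appending the results; since it looks only at transitions, the steady stream of unchanged samples costs nothing.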