Air-fi Rete locale Giacomo Lanzi

Air-Fi: attacking computers that are disconnected and without network hardware is possible

Estimated reading time: 5 minutes

To keep secret information out of reach of attackers, organizations place it on devices that are not connected to any network. This is to avoid any possibility of communication with the Internet. These machines are called air-gapped . As safe as it may seem, infecting such a machine or network segment isn’t actually that difficult. Extracting the information obtained is much more difficult, but it was still possible with the Air-Fi technique .

To study an exploit of this scenario, all kinds of clever methods come into play, and Mordechai Guri, a researcher at Ben-Gurion University of the Negev (Israel), specializes in finding them. Dr. Guri is not the only one, of course, but in recent years, he has been involved in the discovery of a few dozen of these methods. Un new study describes how to extract data from an isolated computer, this time using Wi-Fi technology (hence the name Air-Fi ).

Air-fi Local network

How the Air-Fi method works

The beauty of Air-Fi is that it works even if the target computer has no Wi-Fi hardware. It relies on malware already installed on the device that can use the bus of DDR SDRAM memory to generate electromagnetic radiation at a frequency of 2.4 GHz . Malware can encode necessary data in variations of this radiation, and any device with a Wi-Fi receiver, including another compromised device, can collect and intercept the generated signals. This other device could be a regular smartphone or even a smart light bulb.

The Air-Fi method is particularly unpleasant from a cybersecurity point of view. It does not require administrator rights on the isolated computer; a normal user account can do the job. Also, using a virtual machine doesn’t provide any protection; VMs have access to memory modules.

Transmission range and speed

The researchers transmitted data without noteworthy distortion at a distance of up to 2-3 meters (in one case, up to 8 meters) and a speed of up to 100 bits per second , depending on the hardware of the infected computer and the type of receiver. Like most similar methods, it’s not very fast. Transferring a 20MB file would take 466 hours, for example. That said, the 1,300-byte “Jingle Bells” text could be transferred in 90 seconds. In this light, stealing a username and password with this technique seems entirely realistic.

Air-Fi RAM

How an attack could work

Infecting a air-gapped system with malware is not difficult. An attacker can easily do this by contaminating a USB drive, using social engineering or by tricking staff. Once done, the attacker would then have to infect a nearby WiFi-capable device to receive the leaked data. For this, the attacker can infect nearby desktops, laptops or even smartphones of personnel operating the target system with air-gapped .

To prevent this type of physical attack on the company, you may want to consider our service of physical test your company’s security !

After a successful infection, the malware steals data from the air-gapped system, leaking it into the air as Wi-Fi for the receiving device. As the researchers explained:

As part of the exfiltration phase, the attacker could collect data from compromised computers. The data can be documents, key records, credentials, encryption keys, etc. Once the data is collected, the malware starts the secret Air-Fi channel . It encodes the data and transmits it in the air (in the 2.4 GHz Wi-Fi band) using the electromagnetic emissions generated by the DDR SDRAM buses.

The following video shows a possible attack scenario.

The extraordinary absence of wi-fi hardware

As we have seen, the Air-Fi attack does not require specific Wi-Fi hardware to be installed on the target machines. How is it possible?

It is shown that the attack uses DDR SDRAM memory buses to generate electromagnetic emissions in the frequency band typical of the Wi-Fi protocol , ie 2.4 GHz Furthermore, it is also possible to encode data in binary code without specific privileges . Using a virtual machine doesn’t help, as they typically have access to hardware RAM anyway.

Communication between CPU and RAM modules takes place via a bus synchronized with the system clock . This generates electromagnetic radiation which will have a frequency related to the clock frequency. In the case of the DDR4 memory blocks it is around 2.4 GHz.

If the frequency of the modules is not the correct value, it is still possible to overclock or downclock the memory speed by adjusting it to the Wi-Fi frequency of 2.4 GHz.

In short, a machine that uses RAM blocks could still find a way to use them for data transmission. Of course, it all starts with a first compromise that installed malware on the machine.

How to defend yourself from Air-Fi

The use of Air-Fi involves electromagnetic emissions. It is possible to counter the strategy by using the following measures:

  • Do not allow Wi-Fi enabled devices to approach air-gapped systems for any reason
  • Monitor isolated systems for suspicious processes
  • Shielding the computer in a Faraday cage
  • Using SOCaaS to monitor networked machines
  • Control operations and visits to the company in order to eliminate the possibility of infection via USB stick

Like all similar methods, Air-Fi is too slow and difficult for common cybercriminals to use for everyday attacks. However, if your company is using air-gapped machines for data storage, it is certainly better to take cover, given the recent data hunger of cyber crime < / em>.

We recommend that you consider adopting a SOCaaS to prevent the use of malware, run regular procedures for verifying corporate security, both virtual ( Vulnerability Assessment & amp; Penetration Test ) and physical, as previously suggested, through our dedicated test service .

Contact us to find out how we can help you and how our services can secure your company data, we will be happy to answer any questions.

Contattaci

Useful links:

Share


RSS

RSS feed

More Articles…

Categories …

Tags

Acronis Cloud Backup BaaS Backup cloud cloud computing Cloud Conference cloud provider reggio emilia cloud server cloud services CTI cyber security cyber security cyber threat Cyber Threat Hunter Data Exfiltration GDPR Machine Learning Monitoraggio infrastruttura ICT Next Generation SIEM nextgen siem online hosting owncloud owncloud pentest Phishing Plesk Ransomware Ransomware security server virtuale sicurezza siem Smart Working SOAR SOCaaS Threat intelligence UEBA VDS Virtual Machine vps vulnerability assessment web hosting webinar Zabbix Zabbix as a Service

RSS Unknown Feed

RSS Full Disclosure

  • Re: [FD] : "Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885) November 14, 2025
    Posted by Patrick via Fulldisclosure on Nov 13Hello Jan, You are completely right and it’s something I warned about early, which is abuse of AI-generated sensationalized headline and fake PoC-s, for fame. I urge the Full Disclosure staff to look into it. Discussions with the individual responsible seem to be fruitless, and this likely constitutes […]
  • APPLE-SA-11-13-2025-1 Compressor 4.11.1 November 14, 2025
    Posted by Apple Product Security via Fulldisclosure on Nov 13APPLE-SA-11-13-2025-1 Compressor 4.11.1 Compressor 4.11.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125693. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Compressor Available for: macOS Sequoia 15.6 and later Impact: An unauthenticated […]
  • Re: 83 vulnerabilities in Vasion Print / PrinterLogic November 14, 2025
    Posted by Pierre Kim on Nov 13No message preview for long message of 668188 bytes.
  • Re: [FD] : "Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885) November 7, 2025
    Posted by Joseph Goydish II via Fulldisclosure on Nov 07Hey Patrick, I understand the doubt. However… what’s not slop is reproducible logs I provided a video of and the testable, working exploit I provided. Neither is the upstream patches that can be tracked from the disclosure dates to the cve’s listed in the report. The […]
  • Re: : "Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885) November 7, 2025
    Posted by Jan Schermer on Nov 07I looked at few repos and posts of "Joseph Goydish". It all seems to be thinly veiled AI slop and BS. Cited vulns are not attributed to him really and those chains don’t make a lot of sense. Screen recordings look suspicious, some versions reference High Sierra for some […]
  • runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 November 7, 2025
    Posted by Aleksa Sarai via Fulldisclosure on Nov 07| NOTE: This advisory was sent to | on 2025-10-16. If you ship any Open Container Initiative software, we | highly recommend that you subscribe to our security-announce list in | order to receive more timely disclosures of future security issues. | The procedure for subscribing to […]
  • OXAS-ADV-2025-0002: OX App Suite Security Advisory November 7, 2025
    Posted by Martin Heiland via Fulldisclosure on Nov 07Dear subscribers, We&apos;re sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at YesWeHack. This advisory has also been published at https://documentation.open-xchange.com/appsuite/security/advisories/html/2025/oxas-adv-2025-0002.html. […]
  • APPLE-SA-11-05-2025-1 iOS 18.7.2 and iPadOS 18.7.2 November 7, 2025
    Posted by Apple Product Security via Fulldisclosure on Nov 07APPLE-SA-11-05-2025-1 iOS 18.7.2 and iPadOS 18.7.2 iOS 18.7.2 and iPadOS 18.7.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/125633. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Accessibility Available for: iPhone XS […]
  • APPLE-SA-11-03-2025-9 Xcode 26.1 November 7, 2025
    Posted by Apple Product Security via Fulldisclosure on Nov 07APPLE-SA-11-03-2025-9 Xcode 26.1 Xcode 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125641. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. GNU Available for: macOS Sequoia 15.6 and later Impact: Processing a […]
  • APPLE-SA-11-03-2025-8 Safari 26.1 November 7, 2025
    Posted by Apple Product Security via Fulldisclosure on Nov 07APPLE-SA-11-03-2025-8 Safari 26.1 Safari 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125640. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Safari Available for: macOS Sonoma and macOS Sequoia Impact: Visiting a […]

Customers

Newsletter

{subscription_form_1}
Products and Solutions
Partners
Cloud Models
News
Google Reviews
Secure Online Desktop s.r.l.
4.9
Based on 37 reviews
powered by Google
review us on
Omid Fazeli
06:59 20 Apr 18
They have a lot of solutions for any kind of business. Lower prices than many others. The support service is always active and efficient.
See All Reviews
Facebook
Secure Online Desktop s.r.l.
Secure Online Desktop s.r.l.
5.0
Based on 12 reviews
powered by Facebook
review us on
Paolo Raimondi
Paolo Raimondi
11:06 21 Apr 18
La Polimatica Progetti Srl, azienda di... cui sono titolare, collabora con soddisfazione da alcuni anni con Secure Online Desktop. L'Azienda è costituita da professionisti seri e competenti. Insieme a loro abbiamo costruito un sistema organizzato di soluzioni ICT, servizi e attività di consulenza per la compliance alla normativa in materia di protezione dei dati personali (GDPR).read more
Ilaria Miglietta
Ilaria Miglietta
04:16 21 Apr 18
Servizi affidabili e di semplice... utilizzo. I loro tecnici molto attenti alle esigenze del cliente, continuate cosìread more
Francesca Marastoni
Francesca Marastoni
11:41 20 Apr 18
Excellent service company with... wonderful stuff. Highly recommended.

Ottima azienda, servizi molto utili, staff qualificato e competente. Raccomandata!read more
Alessio Liga
Alessio Liga
08:25 20 Apr 18
Servizi di alto livello, competenti e... disponibili a accettare nuove sfide per sviluppare business
Ottimo supportoread more
Matteo Revelli
Matteo Revelli
22:39 19 Apr 18
Ottima azienda, offre servizi di alta... qualità con personale competente e disponibile.read more
Lorenzo Munari
Lorenzo Munari
16:25 19 Apr 18
Azienda molto seria e... affidabile.

E' un piacere poter collaborare con realtà di questo tiporead more
Francisco Amadi
Francisco Amadi
10:41 19 Apr 18
Ho avuto il piacere di collaborare con... loro e spero vivamente che succeda di nuovo. Competenti, professionali, precisi e cordiali!read more
Davide Michelotto
Davide Michelotto
07:42 19 Apr 18
Ottimo servizio, seri professionisti al... timone della società e celerità nei tempi di risposta, oltre ogni aspettativa.read more
Gabriele Petralia
Gabriele Petralia
12:28 18 Apr 18
Luca Prati
Luca Prati
10:12 18 Apr 18
Azienda eccellente, consulenza... customizzata e puntuale.
Un ottimo fornitore.
Io personalmente ho parlato con l' Ing. Venuti, valore aggiunto indubbiamente.read more
Valerio Lezza
Valerio Lezza
21:35 17 Apr 18
Daniela Cospito Di Leo
Daniela Cospito Di Leo
21:20 17 Apr 18
More Reviews
js_loader
payments gateway
About