LANtenna Attacks Exploit Air-Gapped Networks Via Ethernet

Critical infrastructure security
Endpoint protection
Risk management and administration

Attack uses Ethernet cables; data can leak to a location a few meters away


Researchers at Ben-Gurion University of the Negev, Israel, have discovered a new type of electromagnetic attack called LANtenna, which exfiltrates sensitive data from an isolated, air-gapped computer by using its Ethernet cable as a transmitting antenna.


Mordechai Guri, head of research and development at the University’s Cybersecurity Research Center, said that “malicious code in air-gapped computers collects sensitive data and encodes it on radio waves emitted by Ethernet cables, using them as antennas. A nearby receiver can intercept signals wirelessly, decode the data, and send it to the attacker.”

Air-gapped networks are believed to be more secure because their infrastructure is physically isolated and separated from the Internet and other unsecured connections. Large-scale industrial companies, such as energy companies and oil and gas companies, as well as government agencies, use these networks.

“This document shows that attackers can use Ethernet cables to filter data from air-gapped networks,” Guri said. “Malware installed on a secure workstation, laptop, or embedded device can cause a variety of network activities that generate electromagnetic emissions from Ethernet cables.”

Javad Malik, an advocate for security awareness at cybersecurity firm KnowBe4, says such attacks are likely to be of interest to critical infrastructure or other sectors that have sensitive systems.

“Like many other attacks on critical infrastructure or air-gapped systems, such as Iran’s Stuxnet-targeted nuclear facility, the biggest challenge is to put malware in the air-gapped system to begin with,” Malik told Information Security Media Group.


Guri says LANtenna allows adversaries to leak sensitive data from isolated, air-gapped networks to a location a few meters away.

“The Ethernet cable emits electromagnetic waves in the 125 MHz band. Changing the speed of the adapter or turning it on and off allows you to adjust the electromagnetic radiation and its amplitude,” says Guri.

In this case, the data can be transmitted from an air-gapped computer through its Ethernet cable and received 200 cm away, he said, adding that the signal is centered around 125.010 MHz.

His research also shows how a standard software-defined radio in the area can decode the information and transmit it to an attacker using the Internet.

“The topic of our study focuses on hidden channels and air gap security. The interesting point in this study is that the cables used to protect the network actually helped with this attack. The cables used to prevent wireless communication were used as wireless communication antennas,” Guri told ISMG.



The study also shows that social engineering techniques, stolen credentials, insider threats and supply chain attacks would be the most likely paths to success, Malik said.

“Generally speaking, these are also the main roads on which most of the attacks take place, so organizations need to focus on closing these roads as best they can. In this way, they significantly reduce the likelihood of the attack being successful,” Malik said.

Zoning, according to Guri, is a mitigation measure that does not allow wireless receivers within a certain distance from air-gapped networks. Users can also install software that monitors and detects suspicious activity, he said, adding that special shielded cables can also help.
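One way to approach the monitoring mitigation, shown as an added example that is not from the article or the research: since the covert channel described above depends on repeatedly changing the adapter's speed or switching the link on and off, a host-side check can flag interfaces whose link state changes unusually often. The log lines are constructed and modelled on Linux e1000e driver messages; the function names, 60-second window and threshold of 6 are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque

# Constructed sample (dmesg-style, seconds since boot); not from a real host.
SAMPLE_LOG = """\
[  100.000000] e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
[ 5000.100000] e1000e: eth1 NIC Link is Down
[ 5003.200000] e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
[ 9000.000000] e1000e: eth0 NIC Link is Down
[ 9002.000000] e1000e: eth0 NIC Link is Up 100 Mbps Full Duplex, Flow Control: Rx/Tx
[ 9004.000000] e1000e: eth0 NIC Link is Down
[ 9006.000000] e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
[ 9008.000000] e1000e: eth0 NIC Link is Down
[ 9010.000000] e1000e: eth0 NIC Link is Up 100 Mbps Full Duplex, Flow Control: Rx/Tx
"""

LINK_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+\S+:\s+(?P<iface>\S+) NIC Link is "
    r"(?P<state>Up (?P<speed>\d+) Mbps|Down)"
)

def parse_events(log_text):
    """Yield (timestamp, iface, state); state is 'down' or the speed in Mbps."""
    for line in log_text.splitlines():
        m = LINK_RE.match(line)
        if m:
            state = int(m["speed"]) if m["speed"] else "down"
            yield float(m["ts"]), m["iface"], state

def find_link_churn(log_text, window_s=60.0, threshold=6):
    """Return {iface: peak count} for interfaces whose link state or speed
    changed at least `threshold` times within any `window_s` seconds."""
    recent = defaultdict(deque)  # iface -> timestamps of recent transitions
    last_state, flagged = {}, {}
    for ts, iface, state in parse_events(log_text):
        if last_state.get(iface) == state:
            continue  # repeated message, not a transition
        last_state[iface] = state
        q = recent[iface]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()  # drop transitions that fell out of the window
        if len(q) >= threshold:
            flagged[iface] = max(flagged.get(iface, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(find_link_churn(SAMPLE_LOG))
```

A single cable re-plug (eth1 in the sample) stays below the threshold, while the rapid speed and up/down cycling on eth0 is flagged.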

The researcher recommends shielding Ethernet cables to address the threat presented in this study, since shielding limits the leakage of signals generated by LANtenna techniques.

“Different techniques can be used to shield Ethernet cables. The most common is to place a shield around each twisted pair to reduce the overall electromagnetic radiation and internal crossover between the wires. It is possible to increase the protection by placing a metal shielding around all the wires in the cable,” notes Guri.

A similar attack

Although there have been no recent attacks on air-gapped networks, Guri told ISMG that malware that attacks air-gapped networks has been reported by security companies in the past, including the Ramsay malware in 2020.

In May 2020, security researchers at ESET discovered a set of cyber espionage tools called Ramsay, which is designed to infiltrate air-gapped networks to steal documents, take screenshots, and compromise other devices.

The researchers found that Ramsay was potentially an unusual threat due to its ability to penetrate and operate in air-gapped networks (see: Cyber espionage malware targets air-gapped networks: report).