The post Wi-Fi Hacking: Attacking Air-Gapped Systems via Wi-Fi Emissions first appeared on Hackers Arise.
Welcome Back, my aspiring cyberwarriors!
One of the tried and true rules of cybersecurity is that if you air-gap your systems and network then you are safe. That was largely true until now!
Most famously, Iran had air-gapped their nuclear facilities at Natanz and yet Stuxnet was still able to penetrate that system. This was probably a social engineering attack, with one of the staff carrying in a flash drive infected with Stuxnet. Outside of such social engineering attacks, these air-gapped systems appeared to be safe.
For decades, the most sophisticated espionage units backed by nation states have been able to read unshielded electromagnetic emanations from Ethernet and, lately, HDMI cables. Recent research reveals that air-gapped systems can be read from Wi-Fi-band signals at a distance even when they have no Wi-Fi adapter or access point (AP).
Let’s take a look at this fascinating technique.
The Myth: Air-Gaps are Impenetrable
Air-gapped systems—computers physically isolated from any network—are supposed to be the Fort Knox of cybersecurity. No Wi-Fi, no Ethernet, no Bluetooth. But here’s the truth: air-gaps are not bulletproof. With the right malware and a bit of radio wizardry, attackers can bridge that gap—even using Wi-Fi frequencies, without a Wi-Fi card in sight.
Let’s break down how this works, why it’s possible, and what it means for both hackers and defenders.
Step 1: Initial Compromise—Getting Malware on the Inside
Air-gapped systems are tough to reach remotely, but not impossible. The usual suspects:
- Supply chain attacks: Malware is embedded before the device is ever air-gapped.
- Infected USB drives: Classic sneakernet—an insider or unwitting employee plugs in a poisoned stick.
- Insider threat: Someone with physical access intentionally introduces malware.
Once inside, the malware waits for its moment.
Step 2: Turning Hardware Into a Wi-Fi Emitter
Here’s where the magic happens. Even if the air-gapped system has no Wi-Fi card, attackers can still transmit data via Wi-Fi frequencies. How? By abusing the DDR memory bus or other internal components to generate electromagnetic (EM) emissions in the 2.4 GHz Wi-Fi band.
- Example: AIR-FI attack
  - Malware manipulates memory operations to “pulse” the DDR RAM in patterns that produce EM waves at Wi-Fi frequencies.
  - These signals are picked up by any nearby Wi-Fi-capable device—laptops, smartphones, or even IoT gadgets.
No Wi-Fi hardware required. The memory bus itself becomes a covert radio transmitter.
Step 3: Exfiltrating Data Over the Air
- The malware collects sensitive data (documents, passwords, keys).
- It encodes this data into binary, then modulates the memory bus to emit corresponding EM signals.
- A nearby device with a Wi-Fi receiver or a cheap SDR listens for these signals, decodes the data, and forwards it to the attacker over the internet.
Range: Several meters—enough to reach a phone in someone’s pocket or a laptop in the next room.
Speed: 1 to 100 bits per second—slow, but enough to leak secrets over time.
Step 4: Variations on the Theme
Similar techniques have been demonstrated in the past, including:
- SATAn Attack: Turns SATA cables into Wi-Fi antennas, using them to emit data in Wi-Fi bands.
- AirHopper & Funtenna: Use video cables or general-purpose I/O pins to generate RF emissions, which can be received by nearby radios or phones.
- Thermal/Acoustic Channels: Other research has shown data can be sent via heat or sound, but Wi-Fi emissions are faster and harder to detect.
Step 5: Real-World Implications
- Critical infrastructure, defense, and industrial systems are all at risk if attackers can get code running inside the air-gap.
- Traditional defenses—firewalls, network segmentation—are useless against this kind of exfiltration.
- Detection is hard: EM emissions look like normal “noise” unless you know what to look for.
Step 6: Countermeasures
- Faraday cages: Shield sensitive rooms to block EM emissions.
- Physical separation: Keep air-gapped systems far from networked devices.
- Process monitoring: Watch for abnormal memory usage or processes that could be modulating hardware.
- Signal jamming: Use white noise generators to drown out covert signals.
- Strict USB/media controls: Scan and restrict all removable media.
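The “process monitoring” countermeasure above, together with the bit-by-bit on/off modulation described in Step 3, can be made concrete with a small heuristic detector. The Python below is an added example, not code from the Hackers Arise post or from the AIR-FI researchers. It assumes you already have a per-process memory-bus activity time series (0.0 = idle, 1.0 = saturated); the two traces here are constructed inline, and the function and constant names are my own. An on-off keyed emitter hammers memory for one symbol period per “1” bit and idles for one period per “0” bit, so its busy/idle runs all snap to integer multiples of one period, which is what the score measures.

```python
"""Heuristic monitor for the "process monitoring" countermeasure.

Added example, not code from the Hackers Arise post or from the AIR-FI
research. It takes a time series of memory-bus activity samples for one
process (0.0 = idle, 1.0 = saturated) and scores how strongly the on/off runs
are quantized to one fixed symbol period, which is the fingerprint an on-off
keyed emitter leaves in such a trace. Both traces below are constructed.
"""
from collections import Counter

SYMBOL_PERIOD = 10          # samples per bit in the constructed covert trace
ACTIVITY_THRESHOLD = 0.5    # above this the bus counts as "on"


def ook_trace(bits, period=SYMBOL_PERIOD):
    """Constructed trace of an on-off keyed emitter: each bit becomes `period`
    samples near 0.9 (transmitting) or near 0.1 (idle), plus a small
    deterministic ripple so that thresholding is actually exercised."""
    samples = []
    for i, bit in enumerate(bits):
        base = 0.9 if bit else 0.1
        for j in range(period):
            samples.append(base + 0.02 * ((i + j) % 3))
    return samples


def bursty_trace(burst_lengths, start_high=True):
    """Constructed benign trace: alternating busy/idle bursts whose lengths
    are whatever a normal workload happens to do, i.e. not quantized."""
    samples, high = [], start_high
    for n in burst_lengths:
        base = 0.9 if high else 0.1
        samples.extend(base + 0.02 * (k % 3) for k in range(n))
        high = not high
    return samples


def run_lengths(samples, threshold=ACTIVITY_THRESHOLD):
    """Threshold the trace to on/off and return the run lengths in order."""
    levels = [s >= threshold for s in samples]
    lengths, current, count = [], levels[0], 0
    for level in levels:
        if level == current:
            count += 1
        else:
            lengths.append(count)
            current, count = level, 1
    lengths.append(count)
    return lengths


def estimate_period(lengths, min_period=3):
    """Candidate symbol period: the most common run length of at least
    `min_period` samples. Runs of 1-2 samples are ignored because such a
    "period" divides everything and cannot be told apart from noise."""
    candidates = [n for n in lengths if n >= min_period]
    if not candidates:
        return None
    return Counter(candidates).most_common(1)[0][0]


def symbol_period_score(samples, threshold=ACTIVITY_THRESHOLD, tolerance=0.2):
    """Return (score, period): the fraction of runs whose length lies within
    `tolerance` * period of an integer multiple of the estimated period.
    Real traces carry timing jitter, which is what the tolerance absorbs."""
    lengths = run_lengths(samples, threshold)
    period = estimate_period(lengths)
    if period is None or len(lengths) < 8:
        return 0.0, period
    hits = 0
    for n in lengths:
        k = max(1, round(n / period))
        if abs(n - k * period) <= tolerance * period:
            hits += 1
    return hits / len(lengths), period


def classify(samples, min_score=0.85):
    """Verdict for a trace: 'suspicious' when nearly every run is quantized."""
    score, _ = symbol_period_score(samples)
    return "suspicious" if score >= min_score else "benign"


# Constructed inputs: an alternating preamble followed by two data bytes for
# the covert case, and irregular burst lengths for the benign case.
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]
PAYLOAD = [0, 1, 0, 1, 1, 0, 1, 0,   # 0x5A
           1, 1, 0, 0, 0, 0, 1, 1]   # 0xC3
COVERT_TRACE = ook_trace(PREAMBLE + PAYLOAD)
BENIGN_TRACE = bursty_trace([3, 7, 1, 12, 2, 5, 9, 4, 1, 15,
                             6, 2, 8, 3, 11, 1, 4, 7, 2, 9])

if __name__ == "__main__":
    for name, trace in (("covert", COVERT_TRACE), ("benign", BENIGN_TRACE)):
        score, period = symbol_period_score(trace)
        print(f"{name}: period={period} score={score:.2f} -> {classify(trace)}")
```

On the constructed covert trace every run is a multiple of the 10-sample period, so the score is 1.0; the benign bursts score 0.35 with a spurious 3-sample “period”. Feeding the detector from real hardware counters is outside the example, and a single quantization score is one signal to correlate with others (a bimodal utilization histogram, or an EM measurement from the Faraday-cage or sniffer controls above), not a conviction on its own.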
TL;DR Table
| Phase | Technique | Example Attack | Defense |
|---|---|---|---|
| Initial Compromise | Supply chain, USB, insider | Stuxnet, USBStealer | Media controls, vet supply chain |
| Signal Generation | DDR/SATA/video bus EM emissions | AIR-FI, SATAn | Faraday cage, monitoring |
| Data Exfiltration | Wi-Fi band EM picked up by a nearby device | AIR-FI | Device separation, jamming |
“If you think an air-gap is unbreachable, you’re not thinking like an attacker. The air itself is now a network cable.”
Summary
It is a long-held belief within the cybersecurity industry that air-gapping a network is an impenetrable defense. This and other radio-signal attacks belie that belief. Nearly every digital device emits radio signals, and with some inexpensive hardware and ingenuity these signals can be read.
For more on this and other radio-signal attacks, attend our SDR (Signals Intelligence) for Hackers and Wi-Fi Hacking training.
Challenge:
Set up an SDR or Wi-Fi sniffer near your “air-gapped” lab. Can you catch any stray signals? Try modulating memory usage and see what leaks. The air-gap isn’t a wall—it’s just another obstacle.
Stay paranoid. The air is never truly silent.
Source: HackersArise
Source Link: https://hackers-arise.com/wi-fi-hacking-attacking-air-gapped-systems-via-wi-fi-emissions/