All It Takes Is A $1 Antenna And Readily Available Software Defined Radio
A researcher at the Ben Gurion University of the Negev has successfully sniffed UDP packets out of CAT6 cabling and decoded them into human readable text, without spending more than $30. The attack can be successfully executed with a variety of software defined radios, as most can scan and demodulate emissions at around 250MHz, a frequency which can escape from poorly insulated LAN cables.
The experiments they conducted required their receiver to be within 4 meters, however that distance limit was because of the inexpensive antenna they used, more specialized antenna should have a much longer range. For their tests they did need to slow down the UDP packets to successfully capture and decode the data, however there is no reason malware could not be designed to do just that on a system nor to reassure yourself a more refined technique would be able to capture data flowing at a normal speed.
The PDF of the research paper which The Register links to provides a long list of similar ways to defeat an air gapped system, as well as details on the LANtenna attack, if you really want to give yourself a scare this Fruday.
An Israeli researcher has demonstrated that LAN cables' radio frequency emissions can be read by using a $30 off-the-shelf setup, potentially opening the door to fully developed cable-sniffing attacks.