Video Israeli cyber-security side-channel expert Mordechai Guri has devised a way to pilfer data from devices that have been air-gapped and silenced.
Organizations with extreme security needs may keep certain computer hardware disconnected from any network, a practice known as air-gapping, to preclude the possibility of miscreants hacking in from compromised systems on the network, or from across internet. Attacks on such systems generally require some manner of physical access to introduce malware: an unauthorized person has to get their hands on the machine, typically briefly and unnoticed, to install malicious software, thus getting around the air-gap.
Perhaps the most widely reported air gap attack of this sort is said to have involved the covert introduction of the Stuxnet centrifuge-knackering malware around 2007, after three years of planning, to the nuclear fuel enrichment lab in Natanz, Iran, apparently from a USB stick.
Guri, head of research and development at Ben-Gurion University of the Negev, Israel's Cyber-Security Research Center, told The Register in an email that air-gapped networks are not just for sensitive military facilities. They are used, he said, by many regulated industries to protect sensitive private data, intellectual property, and critical infrastructure.
In previous work, Guri and colleagues have explored various ways to attack air-gapped systems. Two years ago, for example, he and several other researchers developed a technique dubbed MOSQUITO to exfiltrate data from air-gapped systems using ultrasonic transmissions between speakers.
LCD pwn System: How to modulate screen brightness to covertly transmit data from an air-gapped computer... slowlyREAD MORE
An obvious defense against acoustic data transmission is to disable any speakers on the protected device, a practice known as audio-gapping.
But Guri's latest research shows that's not enough. He and his team have found a way to turn the power supply in an isolated, muted machine into a speaker of sorts, one capable of transmitting data at a rate of 50 bits/sec.
He calls the attack POWER-SUPPLaY. The technique has the potential to be used against PC workstations and servers, as well as embedded systems and IoT devices that have no addressable audio hardware.
"We show that malware running on a PC can exploit its power supply unit (PSU) and use it as an out-of-band speaker with limited capabilities," a paper [PDF] detailing the technique explained. "The malicious code intentionally manipulates the internal switching frequency of the power supply and hence controls the waveform generated from its capacitors and transformers."
An evil maid attack is required to make the attack feasible. The attacker also needs a nearby receiver, which in this scenario would be a smartphone, compromised with malware to listen for data or knowingly operated by an insider.
POWER-SUPPLaY alters power consumption by regulating the CPU workload, which causes the switch-mode power supplies (SMPS) in modern electronic devices to alter the switching frequency at which they operate, which is generally between 20 kHz and 20 MHz. Such shifts produce detectable noise in transformers and capacitors. Though most people cannot hear sounds in that frequency range, microphones can detect them.
"By intentionally starting and stopping the CPU workload, we are able to set the SMPS so it switches at a specified frequency and hence emit an acoustic signal and modulate binary data over it," the paper explained. A video of the attack is below:
Guri and others have developed a handful of similar TEMPEST attack schemes, such as luminance signaling via LCD screen fluctuations (BRIGHTNESS), acoustic signaling using fan modulation (FANSMITTER), data exfiltration via power cables (POWERHAMMER), and covert signaling via keyboard lights (CTRL-ALT-LED).
POWER-SUPPLaY is fun though not a practical threat most of us have to worry about. You have to detect the sounds from the power supply unit over any noise in the surrounding environment, and you have to be close enough to pick it up, or have malware on a nearby machine that can listen out for the bits.
If your machine is connected to a network, or can transmit data over Bluetooth, for instance, there are easier ways to exfiltrate data from it.
Having said that, Guri said he believes this type of research may prompt organizations that have policies banning or silencing speakers to consider the possibility of power supplies being turned into data-leaking speakers. ®