Stealing data from airgapped computers by using power fluctuations as a covert channel

Ben-Gurion University's Mordechai Guri is a master exfiltrator, a computer scientist who has devised a bewildering array of innovative techniques for getting data off of "airgapped" computers, machines that have been fully disconnected from any kind of network.

Airgapping is supposed to constitute a kind of defense in depth. On the one hand, it's hard to sneak malware onto computers that are disconnected from the internet; but on the other hand, even if these computers are compromised somehow, their airgaps stop the malware from sending sensitive data out.

That's where Guri comes in. Having observed that there are lots of ways airgapped computers can be compromised (via poisoned USB sticks, à la Stuxnet; via a saboteur with physical access; or via malware installed at the factory or during shipping), Guri set about figuring out how that malware might get data off of a compromised system.

The latest method is called "PowerHammer," detailed in a paper co-authored with Boris Zadov, Dima Bykhovsky and Yuval Elovici. The researchers show that they can modulate the system's power demand by strategically loading and unloading the CPU, so that an adversary with access to the breaker panel or power outlet can receive data. They get 1 kbps using a technique called "line-level powerhammering" and 10 bps with "phase-level powerhammering" — the latter being more stealthy, since the attacker only needs access to the main electrical service panel rather than the electrical outlet.

In this paper we provide an implementation, evaluation, and analysis of PowerHammer, a malware (bridgeware [1]) that uses power lines to exfiltrate data from air-gapped computers. In this case, a malicious code running on a compromised computer can control the power consumption of the system by intentionally regulating the CPU utilization. Data is modulated, encoded, and transmitted on top of the current flow fluctuations, and then it is conducted and propagated through the power lines. This phenomenon is known as a 'conducted emission'. We present two versions of the attack. Line level powerhammering: In this attack, the attacker taps the in-home power lines that are directly attached to the electrical outlet. Phase level power-hammering: In this attack, the attacker taps the power lines at the phase level, in the main electrical service panel. In both versions of the attack, the attacker measures the emission conducted and then decodes the exfiltrated data. We describe the adversarial attack model and present modulations and encoding schemes along with a transmission protocol. We evaluate the covert channel in different scenarios and discuss signal-to-noise (SNR), signal processing, and forms of interference. We also present a set of defensive countermeasures. Our results show that binary data can be covertly exfiltrated from air-gapped computers through the power lines at bit rates of 1000 bit/sec for the line level power-hammering attack and 10 bit/sec for the phase level power-hammering attack.

Exfiltrating Data from Air-Gapped Computers through Power Lines
[Mordechai Guri, Boris Zadov, Dima Bykhovsky and Yuval Elovici/Arxiv]
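The channel described above works because the malware has to drive the CPU in a regular, repeating pattern to keep the power draw modulated. That regularity is also what a defender on the host can look for. The following is an added example, not code from the PowerHammer paper or its authors: a small host-side detector that samples CPU utilization and flags a window whose spectrum has one sharp, narrow-band peak (a periodic load pattern) rather than the broad, noisy spectrum of ordinary work. The sampling rate, window size, the excluded low-frequency bins and the peak-to-median threshold are all assumptions chosen for the demonstration, and the two traces are constructed synthetic numbers; nothing here actually loads a CPU.

```python
"""Host-side detector for periodic CPU-load modulation (constructed example,
not the PowerHammer authors' code).  A covert channel built on CPU utilization
produces a strong, narrow-band periodic component in the sampled utilization
trace; a normal workload does not."""
import cmath
import math
import random
import statistics

SAMPLE_HZ = 64               # assumed sampler rate (e.g. polling /proc/stat 64x per second)
WINDOW = 256                 # samples per analysis window (4 s at 64 Hz)
MIN_BIN = 4                  # skip bins below ~1 Hz: ordinary load drifts slowly and would dominate
PEAK_RATIO_THRESHOLD = 30.0  # peak / median spectral power; assumed value, tune on real traces


def spectrum(samples):
    """Power of each DFT bin from MIN_BIN up to Nyquist, with the mean removed.
    A plain O(n^2) DFT keeps the example dependency-free."""
    n = len(samples)
    mean = sum(samples) / n
    centered = [s - mean for s in samples]
    power = {}
    for k in range(MIN_BIN, n // 2):
        acc = 0j
        for t, x in enumerate(centered):
            acc += x * cmath.exp(-2j * math.pi * k * t / n)
        power[k] = abs(acc) ** 2 / n
    return power


def analyze(samples):
    """Return (frequency of the strongest bin in Hz, peak-to-median power ratio)."""
    power = spectrum(samples)
    peak_bin = max(power, key=power.get)
    median = statistics.median(power.values())
    ratio = power[peak_bin] / median if median > 0 else math.inf
    return peak_bin * SAMPLE_HZ / len(samples), ratio


def is_suspicious(samples, threshold=PEAK_RATIO_THRESHOLD):
    """True when one spectral line dominates the window, i.e. the load is periodic."""
    return analyze(samples)[1] >= threshold


# --- constructed traces: synthetic utilization percentages, seeded for repeatability ---
def benign_trace(seed=1):
    """Ordinary busy host: utilization wanders between 20% and 60% with no period."""
    rng = random.Random(seed)
    return [rng.uniform(20.0, 60.0) for _ in range(WINDOW)]


def modulated_trace(period=32, seed=2):
    """Square-wave utilization: high for half a period, low for the other half,
    which is the shape a load-driven channel produces (period 32 samples = 2 Hz here)."""
    rng = random.Random(seed)
    return [(90.0 if (t // (period // 2)) % 2 == 0 else 10.0) + rng.uniform(-5.0, 5.0)
            for t in range(WINDOW)]


if __name__ == "__main__":
    for name, trace in (("benign", benign_trace()), ("modulated", modulated_trace())):
        hz, ratio = analyze(trace)
        print(f"{name:>9}: peak {hz:.2f} Hz, peak/median = {ratio:.1f}, "
              f"suspicious = {is_suspicious(trace)}")
```

On real hosts the utilization series comes from the OS counters rather than a constructed list, and the threshold has to be calibrated against the host's own workload: batch jobs and schedulers also produce some periodicity, so the ratio should be tracked over many windows and only sustained, sharp peaks raised as alerts. Excluding the lowest bins is what keeps slow ramps in load from tripping the check; a longer window or explicit detrending would be needed for traces with strong drift.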

(via 4 Short Links)