Researchers use power lines to exfiltrate data from air-gapped computers
Researchers from the Ben-Gurion University of the Negev have come up with another way to exfiltrate data from air-gapped computers: this time, it’s via malware that can control the power consumption of the system.
“Data is modulated, encoded, and transmitted on top of the current flow fluctuations, and then it is conducted and propagated through the power lines,” they pointed out. They call this malware PowerHammer.
Data exfiltration via power lines
They have devised two versions of the attack: line level power-hammering, in which the attacker taps the in-home power lines directly attached to the target's electrical outlet, and phase level power-hammering, in which the attacker taps the power lines at the main electrical service panel.
“The receiver is a non-invasive probe connected to a small computer (for the signal processing). The probe is attached to the power line feeding the computer or the main electric panel. It measures the current in the power line, processes the modulated signals, decodes the data and sends it to the attacker (e.g., with Wi-Fi transceiver),” the researchers explained.
Malware on the target computer harvests the data of interest (passwords, encryption keys and so on), encodes it, and transmits it as signals injected into the power lines, where the probe picks them up.
The signals are generated by varying the workload on CPU cores that other processes are not using, so the computer does not slow down and shows no outward sign that data is being exfiltrated. The modulated load is still visible to anything that measures per-core utilization, which is what the host-based countermeasure below relies on.
In their testing, binary data could be extracted through the power lines at bit rates of 1000 bits per second with the line level attack and 10 bits per second with the phase level attack. The tap at the service panel sees the combined current of everything on that phase, so the signal competes with far more noise than at the outlet.
Countermeasures
There are several things defenders can do to spot and protect computers from these types of attacks: monitor the current flow on the power lines for anomalies, install power line filters, jam the channel with injected noise, or deploy host-based intrusion detection and prevention systems that continuously trace the activities of running processes.
Each approach has its weaknesses, though: some give unreliable results, some can be thwarted by additional malware, some raise too many false alarms, and some work against one variant of the attack but not the other.
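To make the channel and the current-monitoring countermeasure concrete, here is an added Python simulation; it is not code from the paper or from the article. It models the attack as binary frequency-shift keying on CPU load (bit 0 toggles the spare cores at one rate, bit 1 at another), a current probe that sees the machine's baseline draw plus the modulated load plus noise, a Goertzel filter on the receiver that decides each bit by comparing power at the two tones, and a defender-side check that flags a current trace whose spectrum is dominated by a few tones. The sample rate, tone frequencies, current levels, noise level and detector threshold are assumed simulation parameters, not figures from the paper; the 10 bit/s rate is the article's phase-level figure; and framing is assumed (the receiver knows where the first bit starts). The message and the benign comparison trace are constructed inputs.

```python
"""Simulation of a PowerHammer-style covert channel over the power line.

Added example, not code from the paper: binary FSK on CPU load, a noisy
current probe, a Goertzel demodulator and a defender-side spectral check.
All numeric parameters below are assumed simulation values.
"""
import math
import random

SAMPLE_RATE = 1000                 # probe samples per second (assumed)
BIT_RATE = 10                      # bit/s, the phase-level figure from the article
SAMPLES_PER_BIT = SAMPLE_RATE // BIT_RATE
F0, F1 = 100, 250                  # load-toggle frequency for bit 0 / bit 1 (assumed)
IDLE_CURRENT = 2.0                 # baseline draw of the machine, arbitrary units (assumed)
LOAD_CURRENT = 1.0                 # extra draw while the spare cores spin (assumed)
NOISE_SIGMA = 0.5                  # probe noise, same units (assumed)
PEAK_RATIO_THRESHOLD = 20.0        # detector threshold, tuned for this simulation (assumed)


def bytes_to_bits(data: bytes) -> list[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list[int]) -> bytes:
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


def modulate(bits: list[int]) -> list[int]:
    """Per-sample busy (1) / idle (0) schedule for the otherwise idle cores.

    Bit 0 toggles the load at F0, bit 1 at F1 (binary FSK). A real sender
    would execute this schedule as timed busy loops pinned to spare cores.
    """
    schedule = []
    for bit in bits:
        half_period = SAMPLE_RATE // (2 * (F1 if bit else F0))
        schedule.extend(1 - (n // half_period) % 2 for n in range(SAMPLES_PER_BIT))
    return schedule


def probe(schedule: list[int], seed: int = 1) -> list[float]:
    """What the current clamp on the line sees: baseline + load + Gaussian noise."""
    rng = random.Random(seed)
    return [IDLE_CURRENT + LOAD_CURRENT * busy + rng.gauss(0.0, NOISE_SIGMA)
            for busy in schedule]


def goertzel_power(samples: list[float], freq: float) -> float:
    """Power |X(freq)|^2 of the samples at one frequency (Goertzel algorithm).

    The window mean is removed first so the idle baseline (DC) does not leak
    into tones that are not an exact multiple of the window's bin spacing.
    """
    mean = sum(samples) / len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = (x - mean) + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def demodulate(samples: list[float]) -> list[int]:
    """Decide each bit by comparing tone power at F1 against F0 in its window.

    Framing is assumed: the receiver already knows where the first bit starts.
    """
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        window = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if goertzel_power(window, F1) > goertzel_power(window, F0) else 0)
    return bits


def exfiltrate(message: bytes) -> bytes:
    """Round trip: malware modulates, the line carries it, the probe decodes."""
    return bits_to_bytes(demodulate(probe(modulate(bytes_to_bits(message)))))


def spectral_peak_ratio(samples: list[float], step: int = 10) -> float:
    """Defender-side check on a current trace: strongest tone power divided by
    the median tone power over a 10..490 Hz grid. A load toggled at fixed
    frequencies produces a few dominant tones; broadband load does not."""
    powers = sorted(goertzel_power(samples, f) for f in range(step, SAMPLE_RATE // 2, step))
    return powers[-1] / powers[len(powers) // 2]


def looks_modulated(samples: list[float]) -> bool:
    return spectral_peak_ratio(samples) > PEAK_RATIO_THRESHOLD


def benign_trace(n_samples: int, seed: int = 2) -> list[float]:
    """Constructed comparison trace: cores busy at random, no tone structure."""
    rng = random.Random(seed)
    return probe([1 if rng.random() < 0.5 else 0 for _ in range(n_samples)], seed=seed)


if __name__ == "__main__":
    secret = b"key=0xdeadbeef"          # constructed sample payload
    trace = probe(modulate(bytes_to_bits(secret)))
    print("decoded:", exfiltrate(secret))
    print("covert trace flagged:", looks_modulated(trace),
          "ratio=%.1f" % spectral_peak_ratio(trace))
    benign = benign_trace(len(trace))
    print("benign trace flagged:", looks_modulated(benign),
          "ratio=%.1f" % spectral_peak_ratio(benign))
```

The detector illustrates the false-alarm weakness the article mentions: any process that drives the cores at a fixed rhythm (a render loop, a periodic timer) produces the same narrow-band peaks as the covert channel, and a sender that spreads its load changes across many frequencies instead of two fixed tones would sit under the threshold. Monitoring the line therefore raises the attacker's cost rather than closing the channel.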