Hacker Can Steal Data from Air-Gapped Computers through Power Lines

Hacker Can Steal Data from Air-Gapped Computers through Power Lines



Air-gapped computers are those that are isolated from the Internet and local networks and therefore, are believed to be the most secure devices that are difficult to infiltrate or exfiltrate data.
"As a part of the targeted attack, the adversary may infiltrate the air-gapped networks using social engineering, supply chain attacks, or malicious insiders. Note that several APTs discovered in the last decade are capable of infecting air-gapped networks, e.g., Turla, RedOctober, and Fanny," researchers said.
"However, despite the fact that breaching air-gapped systems has been shown feasible, the exfiltration of data from an air-gapped system remains a challenge."
Dubbed PowerHammer, the latest technique involves controlling the CPU utilization of an air-gapped computer using a specially designed malware and creating fluctuations in the current flow in morse-code-like pattern to transfer data hints in binary form (i.e., 0 and 1).
hacking-malware-air-gap-computer
In order to retrieve modulated binary information, an attacker needs to implant hardware to monitor the current flow being transmitted through the power lines (to measure the emission conducted) and then decodes the exfiltrated data.

"We show that a malware running on a computer can regulate the power consumption of the system by controlling the workload of the CPU. Binary data can be modulated on the changes of the current flow, propagated through the power lines, and intercepted by an attacker," researchers said.

According to the researchers, attackers can exfiltrate data from the computer at a speed of 10 to 1,000 bits-per-second, depending upon their approach.

The higher speed would be achieved if attackers are able to compromise the power lines inside the target building that connects the computer. This attack has been called "line-level powerhammering."

The slower speed is achieved in "phase-level powerhammering" that that can be exploited from the outside electrical service panel of a building.

In both variants of the attack, the attacker measures and encodes the emission conducted and then decodes the exfiltrated data.

With the line-level PowerHammering attack, researchers were able to exfiltrate data from a PC running an Intel Haswell-era quad-core processor at the rate of 1000 bits/second and an Intel Xeon E5-2620-powered server at 100 bits/second, both with a zero percent error rate.

The phase-level variant attack suffers performance degradation. Due to the background noise in the phase level, (since power is shared with everything else connected, such as appliances and lights), the researchers could achieve speeds up to 3 bits/second at a zero percent error rate, though this increased to 4.2% at speeds of 10 bits/second.

"The results indicate that in the phase level power-hammering attack, desktop computers could only be used to exfiltrate small amount of data such as passwords, credential tokens, encryption keys, and so on," the researchers said.

For more details on the PowerHammer attack, you can head onto the paper [PDF] titled, 'PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines.'

Comments