Slashdot Mirror


Data Exfiltrators Send Info Over PCs' Power Supply Cables (theregister.co.uk)

From a report on The Register: If you want your computer to be really secure, disconnect its power cable. So says Mordechai Guri and his team of side-channel sleuths at the Ben-Gurion University of the Negev. The crew have penned a paper titled PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines that explains how attackers could install malware that regulates CPU utilisation and creates fluctuations in the current flow that could modulate and encode data. The variations would be "propagated through the power lines" to the outside world.

Depending on the attacker's approach, data could be exfiltrated at between 10 and 1,000 bits-per-second. The higher speed would work if attackers can get at the cable connected to the computer's power supply. The slower speed works if attackers can only access a building's electrical services panel. The PowerHammer malware spikes the CPU utilisation by choosing cores that aren't currently in use by user operations (to make it less noticeable). Guri and his pals use frequency shift keying to encode data onto the line.
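The frequency shift keying mentioned in the summary can be modelled offline to judge how much random load variation it would take before such a channel stops decoding. The sketch below is an added example, not code from the paper or from The Register; the tone frequencies, sample rate, 10 W swing and jitter levels are assumed values, and every sample is simulated rather than measured.

```python
import math
import random

FS = 2000            # samples/s of the simulated current probe (assumed)
BIT_TIME = 0.1       # 10 bits per second, the slow rate quoted above
F0, F1 = 100, 200    # tone for bit 0 / bit 1 in Hz (assumed values)
SWING_W = 10.0       # peak load swing of the signal in watts (assumed)
N = int(FS * BIT_TIME)  # samples per bit

def modulate(bits):
    """Simulated load samples: one tone burst per bit (sine for simplicity)."""
    out = []
    for b in bits:
        f = F1 if b else F0
        out += [SWING_W * math.sin(2 * math.pi * f * i / FS) for i in range(N)]
    return out

def tone_power(block, freq):
    """Energy of `freq` in `block` (single-bin DFT, as a Goertzel filter gives)."""
    re = sum(x * math.cos(2 * math.pi * freq * i / FS) for i, x in enumerate(block))
    im = sum(x * math.sin(2 * math.pi * freq * i / FS) for i, x in enumerate(block))
    return re * re + im * im

def demodulate(samples):
    """Decide each bit by comparing the energy at the two tones."""
    bits = []
    for k in range(0, len(samples), N):
        block = samples[k:k + N]
        bits.append(int(tone_power(block, F1) > tone_power(block, F0)))
    return bits

def bit_error_rate(noise_w, nbits=200, seed=1):
    """Fraction of wrong bits when Gaussian load jitter (std dev noise_w) is added."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(nbits)]
    rx = [s + rng.gauss(0, noise_w) for s in modulate(bits)]
    errors = sum(a != b for a, b in zip(bits, demodulate(rx)))
    return errors / nbits

if __name__ == "__main__":
    for noise in (0.0, 10.0, 30.0, 100.0):   # constructed jitter levels in watts
        print(f"jitter {noise:5.1f} W -> bit error rate {bit_error_rate(noise):.3f}")
```

At these assumed settings, jitter with the same 10 W spread as the signal still decodes cleanly because the receiver averages over each 0.1 s bit; the error rate only climbs once the jitter is far larger than the signal.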

22 of 131 comments

  1. good luck getting past the UPS by Anonymous Coward · · Score: 5, Interesting

    Double-conversion UPS... the data stops there. There's your firewall.

    1. Re:good luck getting past the UPS by gweihir · · Score: 2

      May not be enough if they use spikes for that transmission. You would probably need to filter and shield far more carefully than a UPS does.

      The whole thing is a worthless stunt anyways: Instead of breaking into the house and tapping the power-line, just open one more door and bug the computer itself.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:good luck getting past the UPS by Smidge204 · · Score: 2

      Wouldn't help; they are varying the power the machine uses, and unless you have a power supply that can output a variable amount of power while keeping the power it draws from the wall constant (which would be either magical or horrendously inefficient at partial loads) there's no way to "filter" this sort of attack.

      =Smidge=

    3. Re:good luck getting past the UPS by TWX · · Score: 2

      My home has three HVAC units, two water heaters, and a very large 240V air compressor. I'm sure that I could introduce enough random variation in the electrical load to prevent this means of communication from being reliable.

      As I understand it, to prevent someone from managing to capture what's said in the Oval Office by shining a laser onto one of the windows to measure how the window reacts to sound inside of the room, they introduce noise in the form of numerous conversations into the glass, vibrating it enough that one can't pick out the real conversation from the rest of the noise. One would think that this kind of technique could be applied to electricity if it were really that big a risk; a bank of several 100W lightbulbs with random timer controllers to turn them on and off may well be enough to screw with current draw to prevent exfiltration.

      --
      Do not look into laser with remaining eye.
    4. Re:good luck getting past the UPS by MDMurphy · · Score: 3, Interesting

      Based on the concept of motor-generators used for high-security facilities, a "secure" UPS could just use 2 batteries. Incoming power charges battery A while output runs on battery B.
      Incoming power disconnects periodically, output switches to battery A and incoming switches to charging battery B.
      If incoming power is lost (the main reason for a UPS) then both batteries are connected in parallel giving the user the full backup capacity.
      At no time is the output connected to anything other than a battery.

    5. Re:good luck getting past the UPS by bobbied · · Score: 2

      Problem here is that large loads are easily filtered out. What they are using is a load variation of about 10 watts or so. So when your AC unit starts, it's pretty obvious and easy to remove the signal.

      What you need is a randomly variable power consumer/producer that can sufficiently randomize the small variations in power consumption and *possibly* make it too hard to figure out what's the data signal and what's just random noise. Even then, it's going to be pretty difficult to truly hide all possible data transfer using this technique. You may slow down the data rate possible, but I don't think you can totally mask this power consumption variation.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    6. Re:good luck getting past the UPS by BeauHD ( 6, Expert) · · Score: 2

      It even applies to things like electronic safes.

      -=)x(.:Beau:.)x(=-

    7. Re:good luck getting past the UPS by aaarrrgggh · · Score: 4, Informative

      In fairness, if you are looking at 10 bits per second, that gives you 5 or 6 cycles to modulate each bit over. That is going to be tough for (common) DC capacitors to filter out effectively, although the battery capacitance may still be in play. The rectifier should respond to a drop in DC voltage within a quarter-cycle. The AC filter capacitors won't see this at all, since they will only buffer a quarter-cycle.

      What likely would impact it though is having enough PWM loads on the line and your power supply as a very minor component of load. At worst, you would be forced to use a lot of bits for error correction, but in all likelihood you would not be able to see the attack at the main service panel.

    8. Re:good luck getting past the UPS by DontBeAMoran · · Score: 2

      "Fuck everything, we're doing five conversions."

      --
      #DeleteFacebook
  2. Apple will fix this with $100 DRMed power cables by Joe_Dragon · · Score: 3, Funny

    Apple will fix this with $100 DRMed power cables.

    Years ago Alienware had a $50+ upgraded power cable as an add-on.

  3. Spoken like a true desktop security guru by xxxJonBoyxxx · · Score: 5, Funny

    >> If you want your computer to be really secure, disconnect its power cable

    Spoken like a true desktop security guru.

  4. Virus scanner plugs this security hole. by Anonymous Coward · · Score: 5, Funny

    On my work machine our overzealous virus scanner settings have closed this security hole... the CPU is constantly pegged at 100% ensuring that the power can't fluctuate at all.

    It also eliminated the need for a furnace in the building.

  5. Exfiltrating data via user facial expressions. by shess · · Score: 4, Funny

    The paper describes a method of adding jank to applications which will cause users to frown and furrow their eyebrows, which in turn can be monitored by a high-def camera furtively installed on their monitor to communicate between 100 and 1337 bits per minute to attackers.

    ----

    Honestly, who approves this research? I mean, yes, it's possible, but if your computer is "air-gapped" and the attackers have the ability to breathe your air, you are already screwed.

  6. Re:after installing malware by PPH · · Score: 4, Funny

    Don't install malware

    You insensitive clod! I run Windows.

    --
    Have gnu, will travel.
  7. Re:filter by PPH · · Score: 2

    Or a laptop (even plugged in).

    --
    Have gnu, will travel.
  8. So, how this works by enjar · · Score: 2

    The attacker needs to gain access to the server's power cord, or maybe the building's power panel, then attach some dongle. Then they need to somehow gain access to an air-gapped machine on a secure network in what is likely a secured facility. Once they do that, they then gain access to the server and install malware that will send semaphores by upping CPU use.

    While an interesting laboratory experiment, I'm not really all that concerned. I do predict it showing up in the next Mission: Impossible installment, though.

    1. Re:So, how this works by the_skywise · · Score: 4, Funny

      That would be a great Mission Impossible scene though - break into the facility, break into the air-gapped computer room and Benji leans down to the power cable:

      Ethan: "What are you doing?"
      Benji: "I'm installing the tap on the power cable which will adjust the power frequency of the CPU so we can hack into the system and collect the data"
      Ethan: "Benji... there's a post-it note right here with the password on it"
      Benji: "Oh... well...that works too"

  9. Another worthless stunt by gweihir · · Score: 2

    No actual security expert is surprised this is possible. However, this is actually worthless in almost all circumstances. First, you have to be close enough that standard TEMPEST attacks should work a lot better. And second, this has a high risk of causing problems elsewhere and getting noticed. And third, the data-rate is laughable and unsuitable for most attacks.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  10. 10bps... by jaymemaurice · · Score: 4, Insightful

    That's only 2000 hours to get 1MB of information...

    So yeah... there might be faster, more efficient ways...

    --
    120 characters ought to be enough for anyone
    1. Re:10bps... by Actually, I do RTFA · · Score: 2

      Yeah, or just under 7 minutes (call it a full 7 with checksums) to filtrate your 4096-bit private key. Who needs a $5 wrench?

      --
      Your ad here. Ask me how!
    2. Re:10bps... by jaymemaurice · · Score: 2

      Assuming it's an air-gapped system you've already been able to silently install malicious software onto once before, that is located in a building you can get close to the power infrastructure before the transformer... there might be better, more efficient ways.

      --
      120 characters ought to be enough for anyone
  11. Misleading headline by chispito · · Score: 3, Insightful

    It should read, "Researchers Send Info Over PCs' Power Supply Cables."

    --
    The Daddy casts sleep on the Baby. The Baby resists!