WHY THIS MATTERS IN BRIEF
Air-gapped systems normally hold highly sensitive and secret data, and the number of ways to exfiltrate data from them, once they are compromised, is growing.
Hot on the heels of exploits that use fan noise, infrared cameras, heat, LED lights and drones, magnetic fields and smartphones, and a multitude of other hacks to gain access to sensitive air-gapped computer systems, researchers from Israel’s Ben Gurion University have shown once again that air-gapped networks are not safe from a determined and patient attacker.
The researchers have already devised several devious techniques to extract data from isolated or air-gapped computers that store highly sensitive data, and their latest technique, dubbed PowerHammer, exploits fluctuations in the current flowing through the power lines that supply electricity to air-gapped computers.
The researchers have been able to exfiltrate data at a rate of 1,000 bits per second for lines connected to the target computer and 10 bits per second from the grid.
As with the Magneto and Odini magnetic field Faraday cage attacks that the researchers also revealed recently, the PowerHammer technique would use malware to regulate a CPU’s utilization to control the system’s power consumption.
Instead of observing magnetic emissions as CPU usage rises and falls, the attacker can observe changes in current flow from the electricity lines outside a building or via the cords supplying power to the infected machine.
“The data is modulated, encoded, and transmitted on top of the current flow fluctuations, and then it is conducted and propagated through the power lines. This phenomenon is known as a ‘conducted emission’,” writes Mordechai Guri, lead author of the PowerHammer paper.
“We show that a malicious code can influence the momentary power consumption of the computer, generating data-modulated conduction on the power lines in the low frequency band. The generated noise travels along the input power lines and can be measured by an attacker probing the power cables.”
PowerHammer assumes an attacker has already infected an air-gapped network and focuses on the task of extracting protected data after infection.
Guri notes that power-line communication is common for smart home and industrial applications. The researchers are applying the same techniques to malicious covert communications, using “parasitic signals” generated by malware.
Anyone worried about a PowerHammer attack has a range of countermeasure options, such as monitoring the current flow on power lines for deviations from standard transmission patterns. Other options include power-line filters and signal jammers.
Guri notes that traditional intrusion-detection systems would probably suffer from a high rate of false alarms and may be bypassed by malware.
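The power-line monitoring countermeasure mentioned above can be sketched as a comparison of a line's current spectrum against a known-good baseline. This is an added example, not code from the PowerHammer paper or its authors; the sample rate, watched frequencies, threshold factor and both traces are assumptions constructed for illustration.

```python
import math
import random

RATE_HZ = 2000                 # assumed sample rate of the current probe
FREQS = range(50, 1000, 50)    # assumed frequencies to watch, below Nyquist


def goertzel_power(samples, rate_hz, freq_hz):
    """Power of a single frequency component (Goertzel algorithm)."""
    n = len(samples)
    k = round(n * freq_hz / rate_hz)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / n


def spectrum(samples, rate_hz, freqs):
    mean = sum(samples) / len(samples)
    centered = [x - mean for x in samples]   # remove the steady load level
    return {f: goertzel_power(centered, rate_hz, f) for f in freqs}


def deviations(baseline, observed, rate_hz=RATE_HZ, freqs=FREQS, factor=20.0):
    """Frequencies where observed power exceeds factor x the baseline."""
    base = spectrum(baseline, rate_hz, freqs)
    obs = spectrum(observed, rate_hz, freqs)
    floor = sorted(base.values())[len(base) // 2]   # median as noise floor
    return sorted(f for f in freqs if obs[f] > factor * max(base[f], floor))


def constructed_trace(seed, tone_hz=None, n=2000):
    """Constructed sample data: ~5 A load with noise, optional narrowband tone."""
    rng = random.Random(seed)
    trace = []
    for i in range(n):
        x = 5.0 + rng.gauss(0, 0.05)
        if tone_hz:
            x += 0.2 * math.sin(2 * math.pi * tone_hz * i / RATE_HZ)
        trace.append(x)
    return trace


if __name__ == "__main__":
    baseline = constructed_trace(seed=1)
    print(deviations(baseline, constructed_trace(seed=2)))               # quiet line
    print(deviations(baseline, constructed_trace(seed=3, tone_hz=300)))  # extra tone
```

On a real line the baseline has to cover normal load changes, otherwise legitimate activity will trip the threshold.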