Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security IT

Data Exfiltrators Send Info Over PCs' Power Supply Cables (theregister.co.uk) 131

From a report on The Register: If you want your computer to be really secure, disconnect its power cable. So says Mordechai Guri and his team of side-channel sleuths at the Ben-Gurion University of the Negev. The crew have penned a paper titled PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines that explains how attackers could install malware that regulates CPU utilisation and creates fluctuations in the current flow that could modulate and encode data. The variations would be "propagated through the power lines" to the outside world.

Depending on the attacker's approach, data could be exfiltrated at between 10 and 1,000 bits-per-second. The higher speed would work if attackers can get at the cable connected to the computer's power supply. The slower speed works if attackers can only access a building's electrical services panel. The PowerHammer malware spikes the CPU utilisation by choosing cores that aren't currently in use by user operations (to make it less noticeable). Guri and his pals use frequency shift keying to encode data onto the line.

This discussion has been archived. No new comments can be posted.

Data Exfiltrators Send Info Over PCs' Power Supply Cables

Comments Filter:
  • by Anonymous Coward on Thursday April 12, 2018 @10:29AM (#56424677)

    Double-conversion UPS... the data stops there. There's your firewall.

    • by gweihir ( 88907 )

      May not be enough if they use spikes for that transmission. You would probably need to filter and shield far more carefully than an UPS does.

      The whole thing is a worthless stunt anyways: Instead of breaking into the house and tapping the power-line, just open one more door and bug the computer itself.

      • by Anonymous Coward

        *double-conversion* being the key here. Very different than a pass-through UPS design. The instantaneous power draw is insulated completely from the mains.

        • It even applies to things like electronic safes [youtube.com].

          -=)x(.:Beau:.)x(=-
        • by aaarrrgggh ( 9205 ) on Thursday April 12, 2018 @12:13PM (#56425739)

          In fairness, if you are looking at 10 bits per second, that gives you 5 or 6 cycles to modulate each bit over. That is going to be tough for (common) DC capacitors to filter out effectively, although the battery capacitance may still be in play. The rectifier should respond to a drop in DC voltage within a quarter-cycle. The AC filter capacitors won't see this at all, since they will only buffer a quarter-cycle.

          What likely would impact it though is having enough PWM loads on the line and your power supply as a very minor component of load. At worst, you would be forced to use a lot of bits for error correction, but in all likelihood you would not be able to see the attack at the main service panel.

        • by gweihir ( 88907 )

          You have no clue about power electronics design. "Double conversion" just filters better, it does not "insulate completely" at all.

      • Comment removed based on user account deletion
        • by gweihir ( 88907 )

          Valid question, but the answer is simple: There may be encrypted stuff you still want to snoop the passwords for or you may not be interested in the machine itself, but may want to snoop on conversations.

        • If you're going to break into a house, why not just take the damn machine?

          1. You want to continue to monitor the target and collect information continuously.
          2. You don't want the target to know he has been compromised.

      • Except there are plenty of buildings where a restricted area is next to a public space. For example, a building on a college campus. Plenty of restricted labs, but the buildings and hallways are all open. This also holds true for buildings where a different company leases each floor. I can listen in from my own, leased space and not have to break-in anywhere.

    • Wouldn't help; They are varying the power the machine uses, and unless you have a power supply that can output a variable amount of power while keeping the power it draws from the wall constant (which would be either magical or horrendously inefficient at partial loads) there's no way to "filter" this sort of attack.

      =Smidge=

      • by TWX ( 665546 )

        My home has three HVAC units, two water heaters, and a very large 240V air compressor. I'm sure that I could introduce enough random variation in the electrical load to prevent this means of communication from being reliable.

        As I understand it, to prevent someone from managing to capture what's said in the Oval Office by shining a laser onto one of the windows to measure how the window reacts to sound inside of the room, they introduce noise in the form of numerous conversations into the glass, vibrating i

        • Problem here is that large loads are easily filtered out. What they are using is a load variation of about 10 watts or so. So when your AC unit starts, it's pretty obvious and easy to remove the signal.

          What you need is a randomly variable power consumer/producer that can sufficiently randomize the small variations in power consumption and *possibly* make it too hard to figure out what's the data signal and what's just random noise. Even then, it's going to be pretty difficult to truly hide all possible

          • by tlhIngan ( 30335 )

            Problem here is that large loads are easily filtered out. What they are using is a load variation of about 10 watts or so. So when your AC unit starts, it's pretty obvious and easy to remove the signal.

            What you need is a randomly variable power consumer/producer that can sufficiently randomize the small variations in power consumption and *possibly* make it too hard to figure out what's the data signal and what's just random noise. Even then, it's going to be pretty difficult to truly hide all possible data

          • It would seem simple enough to rig up a LFSR [wikipedia.org] to a few dozen .1 to 5W devices and have it cycle at some variable rate likely controlled by another LFSR. That should produce enough load noise, bonus points if you can have the low load devices do something useful. Generating good enough randomness is pretty easy, even really good randomness is pretty easy if you just have a bunch of reverse biased diodes [altervista.org] and use the output to also control some devices to induce a random load.
          • The easy, but inefficient way to defeat it would be have a few low priority threads that just spin to keep the CPU at 100%. Since the CPU will be pegged at all times now, the malware will no longer be able to affect the power usage of the computer.

        • One would think that this kind of technique could be applied to electricity if it were really that big a risk

          According to the paper linked through the article, even a purpose-built device that randomly loads the power supply in the device being snooped might not be totally effective, nor would EMI filters unless they were purpose-made for the rather low frequencies. And I can easily see a variant of the attack bypassing even those by using a carrier frequency lower than the utility's 50/60Hz... you'd just have to be really patient.

          The only way I can see to prevent this is a specially made, double conversion UPS or

          • The only way I can see to prevent this is a specially made, double conversion UPS or similar storage-backed power supply that is carefully designed and sized to keep the power consumed from the wall completely independent of the power consumed by the device by averaging that power over the span of hours or maybe even days.

            Another way is to run boinc distributed tasks that load the CPUs 24/7 at 100%. No variation in CPU demand, ever. That's what I do (for other reasons) and my CPUs have been pegged at 100%

        • They stopped that recently. They found that nobody could pick out the regular conversations from the noise. The extra noise wasn't really needed.

        • Well, if you want it to work, try an air-compressor-driven (with a large reservoir) expander turbine generating power for the power supply.

          Might be more effective to just put a larger DC bus capacitor in the PSU though.

      • by MDMurphy ( 208495 ) on Thursday April 12, 2018 @11:13AM (#56425085)

        Based on the concept of motor-generators used for high-security facilities, a "secure " UPS could just use 2 batteries. Incoming power charges battery A while output runs on battery B.
        Incoming power disconnects periodically, output switches to battery A and incoming switched to charging battery B.
        If incoming power is lost ( the main reason for a UPS ) then both batteries are connected in parallel giving the user the full backup capacity.
        At no time is the output connected to anything other than a battery.

        • What might be useful is a UPS that has charging thresholds, where it charges the batteries when they reach a certain percentage charge, and the charge lasts for a random duration. Add a little bit of random variation, like plus or minus 3-5% SoC level on the batteries before the charger turns on, and this would pretty much take care of this type of attack.

      • I once was at an auction of a startup that was bankrupt and was selling their assets. Part of what they were selling was a motor/generator combo. I thought it was a joke, but its function was to completely isolate power coming from either way before the power went to an online UPS (where the batteries were always drawn from, and mains power was there to keep the batteries topped off.) From what I was told, it worked well to keep communication via power from happening on either side, especially coupled wi

  • by Joe_Dragon ( 2206452 ) on Thursday April 12, 2018 @10:30AM (#56424681)

    Apple will fix this with $100 DRMed power cables.

    years ago alienware had an $50+ upgraded power cable as an add on.

    • by mjwx ( 966435 )

      Apple will fix this with $100 DRMed power cables.

      years ago alienware had an $50+ upgraded power cable as an add on.

      Meanwhile, all you need to do is have some kind of transformer or other device that separates electrical circuits.

  • by xxxJonBoyxxx ( 565205 ) on Thursday April 12, 2018 @10:31AM (#56424697)
    >> If you want your computer to be really secure, disconnect its power cable

    Spoken like a true desktop security guru.
  • by Anonymous Coward on Thursday April 12, 2018 @10:33AM (#56424711)

    On my work machine our overzealous virus scanner settings have closed this security hole... the CPU is constantly pegged at 100% ensuring that the power can't fluctuate at all.

    It also eliminated the need for a furnace in the building.

  • by Anonymous Coward

    Hackers can get into your system no matter what!

    I bet if we went back to abacuses, hackers would figure out how to decipher the clicks and know what you're doing.

    "Damn! My abacus was hacked!"

    "You moron! You should have used the anti-hacking felt on the beads. Geeze!"

    And then a hacker would figure out how to hack the abacus by the felt dust that falls.

    • by darkain ( 749283 )

      All joking aside, taking this from a more analytical standpoint... There is indeed an attack that you basically point a laser at the back of a laptop screen and monitor the vibrations in order to read what is being typed on said laptop. Great way to steal information at a coffee shop! I'm sure something similar, either laser based or audio based, could be used for an abacus too.

  • by shess ( 31691 ) on Thursday April 12, 2018 @10:35AM (#56424733) Homepage

    The paper describes a method of adding jank to applications which will cause users to frown and furrow their eyebrows, which in turn can be monitored by a high-def camera furtively installed on their monitor to communicate between 100 and 1337 bits per minute to attackers.

    ----

    Honestly, who approves this research? I mean, yes, it's possible, but if your computer is "air-gapped" and the attackers have the ability to breath your air, you are already screwed.

  • This is obvious. Not obvious in hindsight but obvious as a fundamental well known security problem. It have been protected against in the past (filtering power lines to reduce or eliminate signal transmission). And it is _really_ old news, this was known and protected against before I was born.

    • by trg83 ( 555416 )
      I suspect the problem is that 10 bps communication was close enough to normal communication line bandwidth to make people more creative about using them and more cognizant that they could be used that way. In this day of Gbps connections, I suspect people forget that small, valuable information could still be extracted very slowly by patient people. As such, I suspect few people are actively thinking about this threat vector, while certain types of conditioned power might give them protection automatically
  • by enjar ( 249223 ) on Thursday April 12, 2018 @10:40AM (#56424785) Homepage

    The attacker needs to gain access to the server's power cord, or maybe the building's power panel then attach some dongle. Then they need to somehow gain access to a air gapped machine on a secure network in what is likely a secured facility. Once they do that, they then gain access to the server and install malware that will send semaphores by upping CPU use.

    While an interesting laboratory experiment, I'm not really all that concerned. I do predict it showing up in the next Mission: Impossible installment, though

    • by gweihir ( 88907 )

      Basically, the attacker has to do all steps except the last one, namely to physically access the computer itself. Building access is already a must in most cases. Hence it will be cheaper, more reliable and far easier to just bug the computer itself.

      • by the_skywise ( 189793 ) on Thursday April 12, 2018 @11:13AM (#56425103)
        That would be a great Mission Impossible scene though - break into the facility, break into the air-gapped computer room and Benji leans down to the power cable:

        Ethan: "What are you doing?"
        Benji: "I'm installing the tap on the power cable which will adjust the power frequency of the CPU so we can hack into the system and collect the data"
        Ethan: "Benji... there's a post-it note right here with the password on it"
        Benji: "Oh... well...that works too"
    • I don't think so... Physical access to a building isn't necessary anymore.

      Today we have "smart meters" where I live. I'm not sure what the polling rate of my power meter is, but I do know that it's readable often enough that companies offer "time of day rates" so it's got to be at least every hour, and likely is multiple times an hour.

      If the polling rate is every 15 min, then you could conceivably get a couple of bits of data every hour. Yea, that's pretty much a useless data rate, but long term could be

      • by enjar ( 249223 )
        Even with a smart meter being read every 15 minutes it seems kinds difficult to get anything useful out, since the power company is getting a kWH number for the last polling interval. It sounds like they are "listening" for a certain pattern in the on/off of this extra CPU. So while your kWH number might go up, it would be pretty impossible to compare a building's overall load and have one core of a CPU actually make enough difference to do anything about it.
      • I'm not sure what the polling rate of my power meter is, but I do know that it's readable often enough that companies offer "time of day rates" so it's got to be at least every hour,

        The device doesn't have to transmit data every hour for it to be able to record use on an hourly, or even by-minute, basis. It can record the data and be read once a week.

        It will be listening 24/7, however, so the power company can issue it commands to turn off to shed load if necessary.

    • A janitor might be able to get into a SCIF room undetected, but they would have difficulty removing any information from said room. Not entirely sure how they would get the malware into the room without leaving behind a USB key though.

    • I do predict it showing up in the next Mission: Impossible installment, though

      No, more likely an episode next season, if there is one, of /Scorpion. They do some truly stupid stuff on that show. Pure technical comedy. It's worth watching just for that.

      • I couldn't make it through an episode of that show. I can suspend disbelief but this show was just too far. I think the "server farm" that was obviously a self storage facility was the final straw.
  • ... over the method of catching XBox power supplies on fire and watching the smoke signals.

  • by gweihir ( 88907 ) on Thursday April 12, 2018 @10:48AM (#56424845)

    No actual security expert is surprised this is possible. However, this is actually worthless in almost all circumstances. First, you have to be close enough that standard TEMPEST attacks should work a lot better. And second, this has a high risk of causing problems elsewhere and getting notices. And thirs, the data-rate is laughable and unsuitable for most attacks.

    • My first thought also was TEMPEST (https://en.wikipedia.org/wiki/Tempest_(codename) ) In the 80s I worked in a facility that was being certified for Top Secret operations inside. It had all the normal shielding, including spot welding of the internal metal shell where testing revealed RF leakage. Incoming power drover a motor. The motor drove a shaft that spun a generator which provided internal power to the facility. I'd guess it would be pretty tough for multiple computers attached to that generato

  • 10bps... (Score:5, Insightful)

    by jaymemaurice ( 2024752 ) on Thursday April 12, 2018 @10:54AM (#56424913)

    That's only 2000 hours to get 1MB of information...

    So yeah... there might be faster, more efficient ways...

    • Sorry, 200... assuming no overhead/checksum additional data required to ensure efficient transmission

    • Yeah, or just under 7 minutes (call it a full 7 with checksums) to filtrate your 4096-bit private key. Who needs a $5 wrench [slashdot.org]?

      • Assuming it's an air-gapped system you've already been able to silently install malicious software onto once before, that is located in a building you can get close to the power infrastructure before the transformer... there might be better, more efficient ways.

        • there might be better, more efficient ways.

          Yes. Like instead of copying on malware that may be detected by virus scanners or other security software, just copy off the data you want. You already have access to copy things on. The last time I looked, "copy" or "cp" works both ways.

  • by chispito ( 1870390 ) on Thursday April 12, 2018 @11:00AM (#56424977)
    It should read, "Researchers Send Info Over PCs' Power Supply Cables."
  • Generator + treadmill + Jack Russell Terrier + squirrel (or cat)
  • Congressman: Does Facebook exfiltorate data by regulating CPU utilization to create fluctuations in the current flow that could modulate and encode data, then propagate those variations through the power lines to the outside world?

    Mr. Zuckerberg: Yes sir, but only for security purposes.

  • The vast majority of us are not sufficiently important or interesting to be worthy of such an attack.
  • Random charge and discharge cycles for power line white noise generator.

  • I think we all knew this could be done in theory but someone actually went out and tried it and measured what the results were. They even came up with data rates. It should be noted also that they could still read the data above other noise on the power line. They used frequency shift keying to encode their data so that noise from some devices could be easily filtered out. Big things like a water heater or stove can be filtered out by amplitude, inductive things like air compressors or pool pumps are al
  • If my UPS / Power Filter sees any funny business in the line power, it's going to either compensate or terminate the power, effectively ending this type of attack. The only way this type of attack could work would be if the victim has no power monitoring, which is risky at best for the victim.
  • They must attempt to monitor one computer at a time per power station, after convincing the rest of the population to turn off all electrical equipment for the duration. And at a max data rate of 1 Kbps. Right. Someone alert DHS.

If you have a procedure with 10 parameters, you probably missed some.

Working...