Data Exfiltrators Send Info Over PCs' Power Supply Cables (theregister.co.uk) 131
From a report on The Register: If you want your computer to be really secure, disconnect its power cable. So says Mordechai Guri and his team of side-channel sleuths at the Ben-Gurion University of the Negev. The crew have penned a paper titled PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines that explains how attackers could install malware that regulates CPU utilisation and creates fluctuations in the current flow that could modulate and encode data. The variations would be "propagated through the power lines" to the outside world.
Depending on the attacker's approach, data could be exfiltrated at between 10 and 1,000 bits-per-second. The higher speed would work if attackers can get at the cable connected to the computer's power supply. The slower speed works if attackers can only access a building's electrical services panel. The PowerHammer malware spikes the CPU utilisation by choosing cores that aren't currently in use by user operations (to make it less noticeable). Guri and his pals use frequency shift keying to encode data onto the line.
Depending on the attacker's approach, data could be exfiltrated at between 10 and 1,000 bits-per-second. The higher speed would work if attackers can get at the cable connected to the computer's power supply. The slower speed works if attackers can only access a building's electrical services panel. The PowerHammer malware spikes the CPU utilisation by choosing cores that aren't currently in use by user operations (to make it less noticeable). Guri and his pals use frequency shift keying to encode data onto the line.
good luck getting past the UPS (Score:5, Interesting)
Double-conversion UPS... the data stops there. There's your firewall.
Re: (Score:3)
May not be enough if they use spikes for that transmission. You would probably need to filter and shield far more carefully than an UPS does.
The whole thing is a worthless stunt anyways: Instead of breaking into the house and tapping the power-line, just open one more door and bug the computer itself.
Re: (Score:1)
*double-conversion* being the key here. Very different than a pass-through UPS design. The instantaneous power draw is insulated completely from the mains.
Re: (Score:2)
-=)x(.:Beau:.)x(=-
Re:good luck getting past the UPS (Score:5, Informative)
In fairness, if you are looking at 10 bits per second, that gives you 5 or 6 cycles to modulate each bit over. That is going to be tough for (common) DC capacitors to filter out effectively, although the battery capacitance may still be in play. The rectifier should respond to a drop in DC voltage within a quarter-cycle. The AC filter capacitors won't see this at all, since they will only buffer a quarter-cycle.
What likely would impact it though is having enough PWM loads on the line and your power supply as a very minor component of load. At worst, you would be forced to use a lot of bits for error correction, but in all likelihood you would not be able to see the attack at the main service panel.
Re: (Score:2)
You have no clue about power electronics design. "Double conversion" just filters better, it does not "insulate completely" at all.
Re: (Score:3)
"Fuck everything, we're doing five conversions."
Re: (Score:2)
Re: (Score:2)
Valid question, but the answer is simple: There may be encrypted stuff you still want to snoop the passwords for or you may not be interested in the machine itself, but may want to snoop on conversations.
Re: (Score:2)
If you're going to break into a house, why not just take the damn machine?
1. You want to continue to monitor the target and collect information continuously.
2. You don't want the target to know he has been compromised.
Re: (Score:2)
Except there are plenty of buildings where a restricted area is next to a public space. For example, a building on a college campus. Plenty of restricted labs, but the buildings and hallways are all open. This also holds true for buildings where a different company leases each floor. I can listen in from my own, leased space and not have to break-in anywhere.
Re: (Score:3)
Wouldn't help; They are varying the power the machine uses, and unless you have a power supply that can output a variable amount of power while keeping the power it draws from the wall constant (which would be either magical or horrendously inefficient at partial loads) there's no way to "filter" this sort of attack.
=Smidge=
Re: (Score:3)
My home has three HVAC units, two water heaters, and a very large 240V air compressor. I'm sure that I could introduce enough random variation in the electrical load to prevent this means of communication from being reliable.
As I understand it, to prevent someone from managing to capture what's said in the Oval Office by shining a laser onto one of the windows to measure how the window reacts to sound inside of the room, they introduce noise in the form of numerous conversations into the glass, vibrating i
Re: (Score:3)
Problem here is that large loads are easily filtered out. What they are using is a load variation of about 10 watts or so. So when your AC unit starts, it's pretty obvious and easy to remove the signal.
What you need is a randomly variable power consumer/producer that can sufficiently randomize the small variations in power consumption and *possibly* make it too hard to figure out what's the data signal and what's just random noise. Even then, it's going to be pretty difficult to truly hide all possible
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The easy, but inefficient way to defeat it would be have a few low priority threads that just spin to keep the CPU at 100%. Since the CPU will be pegged at all times now, the malware will no longer be able to affect the power usage of the computer.
Re: (Score:2)
Or just work in a thing called a "building" where lots of other people are doing stuff.
Re: (Score:2)
One would think that this kind of technique could be applied to electricity if it were really that big a risk
According to the paper linked through the article, even a purpose-built device that randomly loads the power supply in the device being snooped might not be totally effective, nor would EMI filters unless they were purpose-made for the rather low frequencies. And I can easily see a variant of the attack bypassing even those by using a carrier frequency lower than the utility's 50/60Hz... you'd just have to be really patient.
The only way I can see to prevent this is a specially made, double conversion UPS or
Re: (Score:2)
Another way is to run boinc distributed tasks that load the CPUs 24/7 at 100%. No variation in CPU demand, ever. That's what I do (for other reasons) and my CPUs have been pegged at 100%
Re: (Score:2)
They stopped that recently. They found that nobody could pick out the regular conversations from the noise. The extra noise wasn't really needed.
Re: (Score:2)
Well, if you want it to work, try an air-compressor-driven (with a large reservoir) expander turbine generating power for the power supply.
Might be more effective to just put a larger DC bus capacitor in the PSU though.
Re:good luck getting past the UPS (Score:4, Interesting)
Based on the concept of motor-generators used for high-security facilities, a "secure " UPS could just use 2 batteries. Incoming power charges battery A while output runs on battery B.
Incoming power disconnects periodically, output switches to battery A and incoming switched to charging battery B.
If incoming power is lost ( the main reason for a UPS ) then both batteries are connected in parallel giving the user the full backup capacity.
At no time is the output connected to anything other than a battery.
Re: (Score:2)
What might be useful is a UPS that has charging thresholds, where it charges the batteries when they reach a certain percentage charge, and the charge lasts for a random duration. Add a little bit of random variation, like plus or minus 3-5% SoC level on the batteries before the charger turns on, and this would pretty much take care of this type of attack.
Re: (Score:2)
I once was at an auction of a startup that was bankrupt and was selling their assets. Part of what they were selling was a motor/generator combo. I thought it was a joke, but its function was to completely isolate power coming from either way before the power went to an online UPS (where the batteries were always drawn from, and mains power was there to keep the batteries topped off.) From what I was told, it worked well to keep communication via power from happening on either side, especially coupled wi
Apple will fix this with $100 DRMed power cables (Score:4, Funny)
Apple will fix this with $100 DRMed power cables.
years ago alienware had an $50+ upgraded power cable as an add on.
Re: (Score:2)
Apple will fix this with $100 DRMed power cables.
years ago alienware had an $50+ upgraded power cable as an add on.
Meanwhile, all you need to do is have some kind of transformer or other device that separates electrical circuits.
Spoken like a true desktop security guru (Score:5, Funny)
Spoken like a true desktop security guru.
Re: (Score:2)
>> If you want your computer to be really secure, disconnect its power cable
...and run it on batteries.
Re: (Score:2)
JF45(Nf12&*(
[CONNECTION LOST]
Re: (Score:3)
Or a laptop (even plugged in).
Re: (Score:2)
Probably depends on how the laptop's power circuitry is designed.
Basically there are two forms of battery backups. One form charges the batteries and keeps them charged but doesn't run the load through them unless a switchover event happens. The other form does run the load through the batteries because they cannot afford for the system to go down temporarily for such a switchover.
The former is the way that large UPSes that use lithium-ion batteries works, because lithium-ion batteries cannot sustain bein
Re: (Score:2)
Depends on the filters. They will try to transmit power-spikes and those can get trough an inline-UPS as well to a degree. The whole thing is a worthless stunt anyways as you need to tap the power-line close by.
Re: (Score:2)
That might not be as difficult as you'd think. Commercial buildings have a lot of people coming and going doing maintenance, and most commercial buildings don't hide the basic electrical stuff inside of highly secured areas, they reserve such security for devices that are expensive, or devices that do something important, or for devices that have important information on them. For most buildings the vast majority of the power is for regular mundane things like lighting and HVAC, so the raw incoming power
Virus scanner plugs this security hole. (Score:5, Funny)
On my work machine our overzealous virus scanner settings have closed this security hole... the CPU is constantly pegged at 100% ensuring that the power can't fluctuate at all.
It also eliminated the need for a furnace in the building.
Jesus Christ! (Score:1)
Hackers can get into your system no matter what!
I bet if we went back to abacuses, hackers would figure out how to decipher the clicks and know what you're doing.
"Damn! My abacus was hacked!"
"You moron! You should have used the anti-hacking felt on the beads. Geeze!"
And then a hacker would figure out how to hack the abacus by the felt dust that falls.
Re: (Score:2)
All joking aside, taking this from a more analytical standpoint... There is indeed an attack that you basically point a laser at the back of a laptop screen and monitor the vibrations in order to read what is being typed on said laptop. Great way to steal information at a coffee shop! I'm sure something similar, either laser based or audio based, could be used for an abacus too.
Exfiltrating data via user facial expressions. (Score:5, Funny)
The paper describes a method of adding jank to applications which will cause users to frown and furrow their eyebrows, which in turn can be monitored by a high-def camera furtively installed on their monitor to communicate between 100 and 1337 bits per minute to attackers.
----
Honestly, who approves this research? I mean, yes, it's possible, but if your computer is "air-gapped" and the attackers have the ability to breath your air, you are already screwed.
Re:after installing malware (Score:5, Funny)
Don't install malware
You insensitive clod! I run Windows.
Re: (Score:2)
What? (Score:2)
This is obvious. Not obvious in hindsight but obvious as a fundamental well known security problem. It have been protected against in the past (filtering power lines to reduce or eliminate signal transmission). And it is _really_ old news, this was known and protected against before I was born.
Re: (Score:2)
So, how this works (Score:3)
The attacker needs to gain access to the server's power cord, or maybe the building's power panel then attach some dongle. Then they need to somehow gain access to a air gapped machine on a secure network in what is likely a secured facility. Once they do that, they then gain access to the server and install malware that will send semaphores by upping CPU use.
While an interesting laboratory experiment, I'm not really all that concerned. I do predict it showing up in the next Mission: Impossible installment, though
Re: (Score:2)
Basically, the attacker has to do all steps except the last one, namely to physically access the computer itself. Building access is already a must in most cases. Hence it will be cheaper, more reliable and far easier to just bug the computer itself.
Re:So, how this works (Score:5, Funny)
Ethan: "What are you doing?"
Benji: "I'm installing the tap on the power cable which will adjust the power frequency of the CPU so we can hack into the system and collect the data"
Ethan: "Benji... there's a post-it note right here with the password on it"
Benji: "Oh... well...that works too"
Re: (Score:2)
Nice, indeed!
Re: (Score:2)
I don't think so... Physical access to a building isn't necessary anymore.
Today we have "smart meters" where I live. I'm not sure what the polling rate of my power meter is, but I do know that it's readable often enough that companies offer "time of day rates" so it's got to be at least every hour, and likely is multiple times an hour.
If the polling rate is every 15 min, then you could conceivably get a couple of bits of data every hour. Yea, that's pretty much a useless data rate, but long term could be
Re: (Score:2)
Re: (Score:2)
I'm not sure what the polling rate of my power meter is, but I do know that it's readable often enough that companies offer "time of day rates" so it's got to be at least every hour,
The device doesn't have to transmit data every hour for it to be able to record use on an hourly, or even by-minute, basis. It can record the data and be read once a week.
It will be listening 24/7, however, so the power company can issue it commands to turn off to shed load if necessary.
Re: (Score:2)
A janitor might be able to get into a SCIF room undetected, but they would have difficulty removing any information from said room. Not entirely sure how they would get the malware into the room without leaving behind a USB key though.
Re: (Score:2)
I do predict it showing up in the next Mission: Impossible installment, though
No, more likely an episode next season, if there is one, of /Scorpion. They do some truly stupid stuff on that show. Pure technical comedy. It's worth watching just for that.
Re: So, how this works (Score:2)
This is an improvement (Score:2)
Another worthless stunt (Score:3)
No actual security expert is surprised this is possible. However, this is actually worthless in almost all circumstances. First, you have to be close enough that standard TEMPEST attacks should work a lot better. And second, this has a high risk of causing problems elsewhere and getting notices. And thirs, the data-rate is laughable and unsuitable for most attacks.
Re: (Score:2)
My first thought also was TEMPEST (https://en.wikipedia.org/wiki/Tempest_(codename) ) In the 80s I worked in a facility that was being certified for Top Secret operations inside. It had all the normal shielding, including spot welding of the internal metal shell where testing revealed RF leakage. Incoming power drover a motor. The motor drove a shaft that spun a generator which provided internal power to the facility. I'd guess it would be pretty tough for multiple computers attached to that generato
Re: (Score:2)
The important data leaks though are usually done by people.
Very much so, yes.
10bps... (Score:5, Insightful)
That's only 2000 hours to get 1MB of information...
So yeah... there might be faster, more efficient ways...
Re: (Score:2)
Sorry, 200... assuming no overhead/checksum additional data required to ensure efficient transmission
Re: (Score:3)
Yeah, or just under 7 minutes (call it a full 7 with checksums) to filtrate your 4096-bit private key. Who needs a $5 wrench [slashdot.org]?
Re: (Score:3)
Assuming it's an air-gapped system you've already been able to silently install malicious software onto once before, that is located in a building you can get close to the power infrastructure before the transformer... there might be better, more efficient ways.
Re: (Score:2)
there might be better, more efficient ways.
Yes. Like instead of copying on malware that may be detected by virus scanners or other security software, just copy off the data you want. You already have access to copy things on. The last time I looked, "copy" or "cp" works both ways.
Misleading headling (Score:4, Insightful)
Off the grid: (Score:1)
Congressional testimony (Score:2)
Congressman: Does Facebook exfiltorate data by regulating CPU utilization to create fluctuations in the current flow that could modulate and encode data, then propagate those variations through the power lines to the outside world?
Mr. Zuckerberg: Yes sir, but only for security purposes.
Relax, people (Score:2)
new use for Tesla Powerwall (Score:2)
Random charge and discharge cycles for power line white noise generator.
They did it - no longer theoretical (Score:2)
Power filtering and Monitoring? (Score:2)
Fake news (Score:1)
They must attempt to monitor one computer at a time per power station, after convincing the rest of the population to turn off all electrical equipment for the duration. And at a max data rate of 1 Kbps. Right. Someone alert DHS.