Academics Turn PC Power Units Into Speakers To Leak Secrets From Air-Gapped Systems (zdnet.com) 102
Academics from an Israeli university have published new research last week showing how an attacker could turn a computer's power supply unit into a rudimentary speaker that can secretly transmit data from an infected host using audio waves. From a report: The technique, named POWER-SUPPLaY, is the work of Mordechai Guri, the head of R&D at the Ben-Gurion University of the Negev, in Israel. Over the last half-decade, Guri has been pioneering research into new covert data exfiltration channels. The techniques Guri has been developing can be used for stealing data through unconventional means. Guri has been developing these techniques specifically for extracting data from air-gapped systems -- computers isolated on local networks with no internet access. Such computers are often used on government or corporate networks to store sensitive data, such as classified files or intellectual property. Air-gapped systems are protected by several layers of defenses, on top of the "air gap," and you need novel data transmission techniques to go around these defenses. For example, some air-gapped systems don't have speakers, because it's been proven in the past that speakers could be abused to leak information from a secure system using inaudible sound waves.
Oh no, the sky is falling (Score:4, Insightful)
Once again, the "academics" do another proof of concept which in the real world would make a really piss poor spying tool.
Blinking LEDs, drive noises, expansion/contraction of the CPU's heat sink... they've done it all.
If you give bad actors the physical access to your systems needed for any of this to work, you are already compromised.
Re:Oh no, the sky is falling (Score:5, Funny)
I'll shoot them a quick email letting them know they've been wasting their time. Thanks for the heads up!
Re: Oh no, the sky is falling (Score:1)
That's not to say what they are doing does not work, or does not pique my interest, but the last thing this world needs is more needless panic. Why would a spy even mess around with this when he has this kind of physical access to the systems and he can get what he wants with a $15 malware (grabware?) loaded thumbdrive?
Re: (Score:3)
Why would a spy even mess around with this when he has this kind of physical access to the systems and he can get what he wants with a $15 malware (grabware?) loaded thumbdrive?
The spy gets a short window of opportunity to access and compromise the system.
The spy gets all the data currently on the system.
How does the spy get the future data that is not yet on the air-gapped system if subsequent physical access may not be possible?
Re: (Score:2)
Plus with this new method the risk of getting caught is probably far less.
Re: (Score:2)
Plus with this new method the risk of getting caught is probably far less.
You forgot to add a sarcasm tag - or are you serious?
As I understand this "attack" the following is required:
1) Load your special software on the PC
2) Somehow direct the special software to the information of interest on PC
3) Set an appropriately programmed android phone next to the PC power supply (inch or two)
4) Download data at alarmingly slow data rate (think under 110 baud)
The basic problems are:
A) getting your software onto the air-gapped computer
B) gaining physical access to the air-gapped computer
C)
Re: (Score:2)
Mr Pudey: Well sir, I have a silly hack and I'd like to obtain a Government grant to help me develop it.
Minister: I see. May I see your silly hack explained to me?
Mr Pudey: Yes, certainly, yes.
So, there, first step, you introduce a hacker into the facility where the to be hack
Re: Oh no, the sky is falling (Score:1)
What about pointed stick [dailymotion.com] drives?
Re: (Score:3)
Interesting that so much of Israeli intelligence's time is spent finding ways to exfiltrate data from secure computer systems, when all of their primary enemies don't even **have** secure computer systems. Gives one a better idea where most of "their" advanced tech comes from.
Re: (Score:2)
Interesting that so much of Israeli intelligence's time is spent finding ways to exfiltrate data from secure computer systems, when all of their primary enemies don't even **have** secure computer systems. Gives one a better idea where most of "their" advanced tech comes from.
Interesting that this research was done by academics and published on arXiv for the whole world -- including any "primary enemies" -- to see and to take measures against.
Kind of sucks when the facts don't support your biases, isn't it?
Re: (Score:2)
Wasn't it an Israeli commercial company that unlocked the "unbreakable" iPhone for the FBI.
National-level agencies and well-funded commercial / non-government actors are already more capable than this. Is it a threat to the everyday company/user? Hell naw. Is it practical? Nope. Is it possible with the right motivation? I think so.
Is it (or similar) already in practice? Probably.
Re: Oh no, the sky is falling (Score:1)
Yeah, we are biased against Israel. Our neurons have been biased by past observation of attempts at genocide and being sneaky meddling (Mossad) fucks that even outclass the CIA.
Now what?
What's your bias based on again? ;)
Seeing antisemites [youtu.be] everywhere, hiding behind the floor boards, lurking in the shadows?
Re: (Score:1)
Maybe you should consider it's not for their "enemies" [middleeastmonitor.com]
Re: (Score:2)
Indeed, and corporate espionage is supposedly very lucrative as well.
Re: (Score:2)
"all of their primary enemies don't even **have** secure computer systems"
arguably every country on the planet is Israel's primary enemy, or at least soon might be. they're kind of like the USA that way.
Re: Oh no, the sky is falling (Score:1)
Well, some say they ARE the USA, although it's not clear who's the pimp and who's the bitch yet. ;)
The Israelis I've met are quite nice, but quite brainwashed as well. As a Germany (proud grandson of Jew hiders and Nazi hunters) they reminded me of Holocaust deniers. As soon as you mention anything, they become irrational and triggered.
Re: (Score:1)
Re: (Score:2)
eh, a great way to brainwash people is to promote a lot of vigorous lifestyle disagreement to keep them occupied and distracted. you can have a lot of diversity and a lot of brainwashing at the same time. the brainwashing is just along a different axis.
Re: (Score:2)
Just because someone is an ally one decade doesn't mean they can't become a dangerous enemy next decade.
Re: (Score:2)
more or less the entire middle east has played us like fiddles for the past 20 years at least. sure we blew up a lot of people and that's great, but it's all mostly benefited other players in the region more than us, at least directly.
we benefit indirectly from the destabilization but if that's the goal, i think we should literally just program a missile launch system to randomly target areas at random periods. keep 'em guessing lol, kind of like an "abused" housewife.
or even better, nationstates can straig
Re: Oh no, the sky is falling (Score:1)
They can just sneak a keylogger/key press generator between the keyboard and port. Or they can open the case and install a malicious device on one of the USB header pins on the motherboard if they have that kind of access. Much faster and more reliable than rigging up (and testing) an acoustic pick up.
Re: Oh no, the sky is falling (Score:1)
And if the spy happens to be your sys admin, all bets are off. They are already running in 'god mode' and will get the data anyway, anyhow.
Re: (Score:1)
Re: (Score:1)
The PSU generates a very low baud rate and there is no error checking/correction. You can add this to your "Make the PSU snitch on the computer" spy software, but your incredibly low speed will go even lower. And there is no way to tell the PSU to resend the packets on demand.
Yes, this is an interesting tech demo, but it will see no use in the real world. A real spy who has this kind of physical access will plant a much more reliable hardware (or software) bug into the machine, or if this is just g
Re: (Score:2)
People needless panics when Nike decides to change the designs of their shoes.
However being an academic research, I would expect most people reading it would take it in proper context.
IT security research isn't for the people who panic all the time. It is a game of knowing there is a problem, judging its scope, and what factors can be used to protect from it.
Re: (Score:2)
he can get what he wants with a $15 malware (grabware?) loaded thumbdrive?
Secure systems often have the USB ports filled with epoxy.
The case is locked shut.
The computer is bolted to the desk.
You could take a photo of the screen, except the security guards took your cellphone when you entered the building.
Re: Oh no, the sky is falling (Score:5, Funny)
Secure systems often have the USB ports filled with epoxy.
The case is locked shut.
The computer is bolted to the desk.
You could take a photo of the screen, except the security guards took your cellphone when you entered the building.
Boss just told us to remove the PSU's from the secure systems, "just to be sure".
Re: (Score:2)
You could take a photo of the screen, except the security guards took your cellphone when you entered the building.
Wait, if security guard took your cellphone, how can you then place your cellphone next to the power supply?
Oh, and how do you get your "singing capacitor" software onto the air gap computer in the first place?
Re: (Score:2)
Wait, if security guard took your cellphone, how can you then place your cellphone next to the power supply?
You hide a microphone and transmitter in the power-strip under the desk.
Oh, and how do you get your "singing capacitor" software onto the air gap computer in the first place?
You bribe the technician who works for the subcontractor that installs the computers.
Re: (Score:2)
If you can bribe the subcontractor, there are better ways to compromise the computer.
Hiding a microphone in the power strip sounds really easy (no need for a speaker, the data leak is only output), but that requires you to:
1) introduce the hacked power strip into the secure facility
2) ensure the hacked power strip is within an inch or so of the singing capacitor
3) devise some way for the power strip to transmit data out of a secure facility, where bugs and transmitters are prohibited/searched for
Perhaps an
Re: (Score:2)
The software is the hard part, as anyone airgapping will (i hope) be far more attentive to the software than minor invisible hardware changes. It should very much be read-only for the OS/boot partition with checksums at every boot and in memory periodically. Booting from DVD-R is slow but it absolutely prevents unauthorized changes to the system.
A simpler attack against an unsophisticated target is via the powerline, reading the data directly on the building wiring.
A decently paranoid setup will use a mot
Re: Oh no, the sky is falling (Score:1)
Somebody still has full access to the file system, and people can be bought off. Are they seizing notepads and pens at the door?
Yes, you can seal the server inside a block of concrete, but as long as somebody has full access to the file system, and exploits exist, you still have that threat vector to deal with.
Re: Oh no, the sky is falling (Score:2)
It is not unusual for secure facilities to limit/scrutinize ANYTHING carried in or out of the secure facility.
I have to believe an air gap computer with names of confidential sources (for example) would be in a facility where the guards make sure you aren't carrying out a list of confidential sources on your note pad.
Re: (Score:2)
Because it's baked into the computer before it leaves? Intercepted in transport?
Both of those things happen, really.
IF you're able to get audio into the room with the airgap, AND you can either access the actual computer(s) destined for that airgap system or control the manufacturer to simply modify everything shipped for that time period, this attack would allow an ongoing relatively high bandwidth data exfil with zero ongoing human input.
Audio is relatively easy to get via powerline -- a modified wall-wa
Re: Oh no, the sky is falling (Score:2)
You're describing somehow magically getting all kinds of compromised hardware into a secure facility, and no, audio is not a high-bandwidth connection, it would likely be very, very slow - think 110 baud.
Re: (Score:2)
>You're describing somehow magically getting all kinds of compromised hardware into a secure facility, and no, audio is not a high-bandwidth connection, it would likely be very, very slow - think 110 baud.
I can almost actually think at 110 baud. Once I tried to whistle at 110 baud. Even got some characters to come out. (Not the ones I wanted, though).
Re: (Score:3)
I'll shoot them a quick email letting them know they've been wasting their time.
Haven't you ever met any academics? They already know.
Re: (Score:1)
Re: (Score:3)
Have these academics been in any place that is approved for handling classified data? I understand that they take serious precautions against audio side channels to protect against this sort of attack: playing white noise over PA systems; disallowing microphone inputs on the Internet-accessible computers; having acoustic insulation in the walls, overhead spaces, and doors; and more. Sure, someone could maybe use a regular phone call to try to capture some of the leaked sound, but by design there will be b
Re: (Score:2)
It's been 30 years since someone built a proof of concept demo using lasers to listen on sound hitting windows.
Re: (Score:2)
It was discovered and used in 1947, over 70 years ago, and it was actually a useful invention, not one that relied on being able to stand in the secure room using items you'd never get into a secure room (cellphone).
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:1)
You're making good points, but why are you so fixated on the cellphone?
It's pretty obvious that any airgap room is not going to allow cell phones (or windows for that matter) but getting audio out is a far easier task than data.
The first step of getting it out of the computer is the hardest, and converting it to an airgapped format that's discounted because the relevant audio hardware is deleted --- it's a good idea. In this academic proof of concept, the task of reading and exfil the audio is left for the
Re: Oh no, the sky is falling (Score:3)
I fixate on the cellphone because the hack, as described in the linked-to article, requires a modified android device to monitor the 'singing capacitors'.
Re: Oh no, the sky is falling (Score:2)
From the linked-to article:
"Binary data can be modulated and transmitted out via the acoustic signals. The acoustic signals can then be intercepted by a nearby receiver (e.g., a smartphone), which demodulates and decodes the data and sends it to the attacker via the Internet," Guri added.
Re: (Score:1)
"Sure, someone could maybe use a regular phone call to try to capture some of the leaked sound"
And all of that juicy data gets instantly lost in all of the compression/audio bandwidth reduction that phone companies use (yes, including landlines), so they can cram more and more traffic through the same equipment they don't want to replace or upgrade.
And the landline phone at the victim's end needs to have a studio quality mic (never gonna happen)
Re: (Score:2)
Even so, you often see most LED's have just changed to a timed blink to indicate data is processing. As well some load smoothing to different components.
That said, data can be transmitted via nearly any type of artifact that has happened during computation. You probably could spike and drop power usage to send data over the power circuit to send information as well.
Re: (Score:2)
That is what this "technique" does, it manipulates power usage to exploit a sub audible tone capacitors emit under certain situations.
The only downside is you need to load your software on the air gap computer, and be able to place a cellphone next to the power supply to 'hear' the singing capacitor and download info at 110 baud (or less)...
Re: (Score:2)
Re: (Score:2)
Consider, your trusted people, the ones with access have to get parts ( and even entire computers ) from somewhere.
If the supply chain to them is compromised, singing power supplies, disk drives, etc can be sent to.
If undetected before installing at your location, you are compromised without direct physical access.
Re: Oh no, the sky is falling (Score:2)
KGB did some serious spying using a metal rod and some reflected radio waves. It's very shitty audio with a narrow frequency range, but sometimes leaking only a few symbols is enough for the right application. Sure, I can't download a movie over a blinking LED but I can get a password or some largeish coprime integers through.
Re: (Score:1)
Not so much in the case of the blinkelights. a cabinet across the aisle from your target in the datacenter is achievable by a sophistated attacker.
audio and powerline signals would surely be impossible to read in a datacenter, but led certainly will
Re: Oh no, the sky is falling (Score:1)
Re: (Score:2)
I'd assume all efforts are made to make sure that doesn't happen, but sometimes people get sloppy.
Another option would be maybe strong arming a supplier.
Maybe you can bully a vendor into placing some custom firmware into a system that's going to be used in a secure environment, but if said environment is going to have an airgap you still need to get data out.
Re: (Score:2)
Once again, the "academics" do another proof of concept which in the real world would make a really piss poor spying tool.
Blinking LEDs, drive noises, expansion/contraction of the CPU's heat sink... they've done it all.
If you give bad actors the physical access to your systems needed for any of this to work, you are already compromised.
To clarify the environment you're ignorantly scrutinizing, that "bad actor" is the temp employee you hired last week who does not hold a security clearance, and therefore does not have access to the secure room where the air gapped systems reside.
In other words, you didn't give the bad actor physical access. They discovered an (air-gapped) exploit around your physical security. They're sitting on the outside of that secure room attempting to use these "techniques" to exfiltrate data across the very physic
Re: (Score:2)
If you give bad actors the physical access to your systems needed for any of this to work, you are already compromised.
Indeed. The problem is that the "cloud" is basically already compromised as well, if you think this idea through. And while obvious to any security expert, a lot of people have problems with this idea and try to avoid thinking about it.
Re: (Score:2)
If you give bad actors the physical access to your systems needed for any of this to work, you are already compromised.
If you were a bad actor what would you prefer to have, one off physical access or continuous remote access?
Wouldn't a sine wave line filter prevent this? (Score:2)
Re: (Score:2)
Blasting Slayer 24/7 at eardrum-rupturing volume is easier and way more interesting.
Re:Wouldn't a sine wave line filter prevent this? (Score:5, Interesting)
Filtering the power between the wall and/or power brick, to prevent frequency anomalies, should be able to stop this new spy technique.
It would have zero effect.
Who disagrees?
Everyone that bothered to learn how this works before opening their maw.
This technique increases and decreases system power consumption in order to change the frequency of the whine that the coils and capacitors inside the power supply make.
If anything, what you are suggesting MAKES IT EASIER. A perfectly sanitized power input is the ideal input for this technique.
Re: (Score:2)
Re: (Score:2)
You're making the same mistake as OP.
The technique does not transmit information via power lines, but rather uses the computer's PSU as an ad-hoc speaker. The only way to defeat that is to prevent software from having any effect on the power draw of the system.
Re: (Score:2)
Re: (Score:2)
The AC power is a sine wave... (well mostly a sine, its never perfect)
Re: Wouldn't a sine wave line filter prevent this? (Score:1)
Switch mode power supply is not (contemporary) AC once you get inside it where the hum of capacitors matter, and it's kHz range not 50/60 Hz.
Re: (Score:2)
No, the issue is in the power supply and the audio it emits, the "signal" doesn't travel down the power line, if it did a surge suppressor or UPS would render it useless.
Re: Wouldn't a sine wave line filter prevent this? (Score:1)
Information like real versus apparent power does slip through the wire and out to the street.
Re: (Score:2)
Filtering the power between the wall and/or power brick, to prevent frequency anomalies, should be able to stop this new spy technique. Who disagrees?
Completely ineffective. This is about sound, not signals on the power line.
Play classical music (Score:5, Funny)
I'm sure if you pump classical music at low volume you can defeat all of the sonic attacks. Plus it's soothing and keeps young punks away.
Re: (Score:3)
Re: (Score:1)
Re: (Score:2)
Only if you want all your data center techs coming for you with torches and pitchforks.
A vendor with notoriously long tech support hold times that I used to have to call frequently had their Musak on Hold playing off a CD that had nine sitcom theme songs on it. Over and over and over . . .
The CD had been chosen by their IT director, who I was introduced to at an event. I lit into him with a tirade that I had been planning in my head during the interminable hours that I had sat on hold over the years, whil
Re: (Score:2)
That's the problem with companies that cheap out and think that Muzak and CDs are interchangable. (Actually, it's iHeartRadio, Muzak was acquired by iHeartRadio in the 2010s).
Muzak and such are all about long play no-repeat music - from the 60s where you had easily 1000 hours of music on several records in a
Re: (Score:2)
The best that I ever ran into was Symantec tech support line. Their music-on-hold system had failed that morning and someone had gone out to their car to grab their Diskman to plug in as a temporary replacement. The CD in the player was Bill Cosby's 'Wonderfulness' album, so I was actually in a pretty good mood by the time Support picked up the phone. Only good experience that I ever had with Symantec.
Re: (Score:2)
Back in the day on the full screen preview guide channel cable systems just used an local radio feed for the audio
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The problem with white noise is that it would be relatively easy to remove it from an audio stream because it's constant. Classical is/can be more dynamic than white noise...though people would argue that it's essentially equivalent to white noise.
Re: Play classical music (Score:2)
No, white noise can not be easily filtered out - do you even know what the definition of White Noise is?
"In signal processing, white noise is a random signal having equal intensity at different frequencies, giving it a constant power spectral density."
The key word is "random"...
Re: (Score:2)
Well, you could use this song from Kenny G. https://www.youtube.com/watch?... [youtube.com]
I hear it's been a bit overdone, but hey... it's all in the name of national security!
Proof of concept = no proof of concept (Score:1, Insightful)
Re: (Score:2)
Re: (Score:1)
Maybe you should read the article instead of opening your mouth.
OK but (Score:2)
If you're that close to the air-gapped PC you can use conventional physical means of access, right? I suppose if you want to be surreptitious and not actually disassemble it and remove the data storage devices, then sure.
Re: (Score:2)
Well, you may have access to a terminal but not to the server room of the air-gaped system. It is not because the system is air-gapped that it is a single system. The hard drives could be encrypted. There may not be a physical USB port to plug a memory stick, ...
Overall, many people seem to think that air gap means secure. They showed it is not necessarily true. And yes, it has been shown before with other side channels. But it is always good to be aware what are the channels known to be issues with your se
Re: OK but (Score:2)
WTF, do you not understand "air gap"?
You don't have 'terminals' connected to an air gap computer, the terminal connection is a, wait for it, network connection that can be compromised!
You can't access an air gap system remotely, any terminals would be inside the secure facility, where the actual secure, air gap, computer is located...
Re: (Score:2)
I do understand air-gap.
Air gap means it is not connected to the internet. Your facility can be air gaped. It is not connected to the internet. It does not mean that every node of the system is stand alone.
Now you may have some access to a machine in that network for viewing information. But not for taking it with you. No printer or something like that. In such a case, you could use the article's technique to leak some data.
Re: (Score:2)
This only works if the "air-gapped" computer is in an insecure area where you can a) physically access the computer, b) load your malware on the air-gap computer, and c) place a cellphone within inches of the power supply to detect the audio emitted by the "singing capacitors".
Of course, an air-gap'ed computer is typically in a secure room, has no available USB, CD, or floppy (removable media) ports, and no cellphones are allowed in the room, but hey, I'm certain that won't stop a villain!
I honestly don't s
Re: OK but (Score:2)
A smartphone is altered to collect.
Curious how one gets a cellphone into a secure facility - air gap computers tend to be in secure facilities.
It sure is nerdy (Score:1)
When you are able to install software on a government system then you'll be able to carry out the data the same way you got the software in. Only a nerd wouldn't, but first turn a power supply into a musical instrument.
Re: (Score:2)
When you are able to install software on a government system then you'll be able to carry out the data the same way you got the software in. Only a nerd wouldn't, but first turn a power supply into a musical instrument.
Not really, depending on deployment process. But in most cases there is some other channel.
Re: It sure is nerdy (Score:2)
Define 'alternate channels' for an air-gapped computer, understanding that the computer has no network connection, no USB ports, no floppy/Zip/Bernoulli/tape/CD/DVD drives - how, pray tell, do you get that software on the air gap computer to make the capacitors sing in the first place? Also, keep in mind the air gap computer is typically in a secure facility, and cellphones or other technology in the room.
Re: (Score:2)
Have you missed "When you are able to install software on a government system..." somehow?
And? (Score:3)
Israel... why am I not surprised? (Score:3)
Home of the biggest and most sneaky state-sponsored black hat industry.
Are they tryig to fulfil that old stereotype of the sneaky Jew? ;) ... at the same time.
If I was a Jewish religious leader, I'd expel Israel from the Jewish community. All they do is make Jews look like Nazis and the Nazi stereotype of Jews
Re: Israel... why am I not surprised? (Score:2)
Wow, the anti-semitism is deep with this one.
I tend to give Israel a pass on their seeming military/defense pre-occupation, I just have to remind myself that every neighboring nation wants to eliminate Israel, several even have a history of lobbing random bombs into Israel whenever they feel like it. I don't know what country you like in, I'm in America, and I guarantee you if Canada and Mexico openly declared their desire to wipe the USA off the map and occasionally, without notice, started dropping bombs
How come you're always such a fussy young man? (Score:2)
Vary power or pwm or whatever and hardware can sing, if you don't mind maybe wrecking it sooner or later.
I remember a bud back in college running a program, and suddenly his Commodore floppy was humming an intelligible digitized Beat It.
in b4 (Score:1)
The Shopswell Its Time To Buy Top Best Products (Score:1)
Re: (Score:1)