A team of Israeli researchers have discovered a new method of exfiltrating data from air-gapped devices. The attack method weaponizes air-gapped devices’ own Power Supply Units (PSU).
What is Air-Gapping?
Air-gapping is a network security measure where a device or an entire network is physically isolated from other devices or networks. Air-gapped systems are therefore isolated on local networks with no internet access and no access to other unsecured networks. Consequently, attacks to such systems or devices would normally require someone to have physical access to the devices or systems to introduce malware.
Organizations with high security needs implement air-gapped systems to safeguard sensitive data against cyberattacks originating from compromised systems on company networks or the internet. Unlike what one may think, air-gapped systems are not just used in sensitive military facilities. They are also used on government and corporate networks to protect sensitive private data, classified files, intellectual property and critical infrastructure.
How Can Air-Gapped Devices’ PSUs Steal Data?
A team of Israeli researchers led by Mordechai Guri, the head of R & D at the Ben-Gurion University of the Negev in Israel, have discovered a way of turning the PSU of an air-gapped device with no audio hardware into a speaker. A speaker capable of transmitting exfiltrated data from air-gapped devices at a rate of 50 bits/sec.
Guri has called this attack technique POWER_SUPPLaY. He states that the technique not only works with air and audio gapped workstations and servers. It also works with embedded systems and IoT devices that have no audio hardware.
The technique works by intentionally stopping and starting a device’s CPU (Central Processing Unit) workload using malware to control the device’s PSU switching frequency. When the PSU switches at a specified frequency it emits an acoustic signal. This acoustic signal, whose frequency range is not usually detectable by humans, can then be used to transmit binary data. Next, the acoustic signal carrying the binary data is picked up by a microphone in a nearby receiver. This receiver is usually a smartphone that has either been compromised with malware to listen for data or is being operated by an insider.
“We show that malware running on a PC can exploit its power supply unit (PSU) and use it as an out-of-band speaker with limited capabilities,” explains Guri in a paper detailing the technique. “The malicious code intentionally manipulates the internal switching frequency of the power supply and hence controls the waveform generated from its capacitors and transformers.”
Other Side Channel Air-Gap Attacks
The POWER_SUPPLaY technique is an example of a side-channel attack. Side-channel attacks exfiltrate data by manipulating and then monitoring external indicators such as blinking lights or fan vibrations on PCs.
Guri’s research team does not explore ways of compromising and planting malware on secure air-gapped systems. The team focuses on ways of exfiltrating data from these super secure systems without being detected by either network administrators, antivirus scanners or any other security software.
Over the past half a decade, Guri has been exploring various methods of exfiltrating data from air‑gapped systems. Other techniques Guri and his team have explored include the use of electromagnetic, acoustic, thermal and optical channels. Examples of such techniques include, among others:
- LED-it-Go – exfiltrates data from air-gapped systems using a hard disk drive’s activity LED
- USBee – forces a USB connector’s data bus to give out electromagnetic emissions that can be used to exfiltrate data
- Fansmitter – steals data from air-gapped PCs using sounds emanated by a computer’s graphics processing unit’s fan
- BitWhisper – exfiltrates data from non-networked computers using heat emanations
- PowerHammer – steals data from air-gapped systems using power lines
- CTRL-ALT-LED – steals data from air-gapped systems using keyboard LEDs
- BRIGHTNESS – steals data from air-gapped systems using screen brightness variations
Is this Threat a Concern?
The Stuxnet attack conducted in November 2007, shattered the belief that air-gapped systems are impenetrable. In this attack, the Stuxnet computer worm was deployed against an Iranian nuclear facility, allegedly by US and Israeli operatives, by crossing an air gap.
However, the general public should not be concerned. There are far more dangerous and likely threats lurking on the internet. On the other hand, it would be wise for administrators of super secure air-gapped systems to take Guri’s latest work into consideration. Although not all theoretical exfiltration threats can be taken seriously, governments and certain organizations cannot ignore this threat altogether.
Finally, Guri’s paper explains that there are four main counter measure categories that could be used against this threat. These are zones separation, signal detection, signal jamming, and signal blocking.