Academics turn PC power units into speakers to leak secrets from air-gapped systems

POWER-SUPPLaY technique uses "singing capacitor" phenomenon for data exfiltration.

computer power supply unit

Image: IgorShubin

Academics from an Israeli university have published new research last week showing how an attacker could turn a computer's power supply unit into a rudimentary speaker that can secretly transmit data from an infected host using audio waves.

The technique, named POWER-SUPPLaY, is the work of Mordechai Guri, the head of R&D at the Ben-Gurion University of the Negev, in Israel.

Over the last half-decade, Guri has been pioneering research into new covert data exfiltration channels. The techniques Guri has been developing can be used for stealing data through unconventional means.

Guri has been developing these techniques specifically for extracting data from air-gapped systems -- computers isolated on local networks with no internet access.

Such computers are often used on government or corporate networks to store sensitive data, such as classified files or intellectual property.

Air-gapped systems are protected by several layers of defenses, on top of the "air gap," and you need novel data transmission techniques to go around these defenses.

For example, some air-gapped systems don't have speakers, because it's been proven in the past that speakers could be abused to leak information from a secure system using inaudible sound waves.

Meet POWER-SUPPLaY, a new data exfiltration technique

In a research paper shared with ZDNet yesterday, Guri said the POWER-SUPPLaY technique was developed for these types of situations, where speakers have been removed from air-gapped systems.

By using specially-crafted malware, the Israeli researcher says that a power supply unit (PSU) can be transformed into a very simple speaker capable of emitting the most basic of audio waves.

[Guri has only developed and studied the data exfiltration technique. Guri's work does not focus on planting the malware on air-gapped systems or getting near to an air-gapped system to steal data. This is out of scope of his project.]

Guri says the trick behind the POWER-SUPPLaY technique is to manipulate power inside a PSU's capacitors to trigger a "singing capacitor phenomenon."

This phenomenon generates acoustic waves when current passes through a capacitor at various frequencies. By controlling the power frequencies, the POWER-SUPPLaY malicious code can also control the audio waves, and hence, hide data inside it.

singing-capacitor.png

Image: Mordecai Guri

"Our technique works with various types of systems: PC workstations and servers, as well as embedded systems and IoT devices that have no audio hardware.

"Binary data can be modulated and transmitted out via the acoustic signals. The acoustic signals can then be intercepted by a nearby receiver (e.g., a smartphone), which demodulates and decodes the data and sends it to the attacker via the Internet," Guri added.

The main advantage of the POWER-SUPPLaY technique is that the malware doesn't need any special privileges.

"The transmitting code can be initiated from an ordinary user-space process and is highly evasive," Guri said.

POWER-SUPPLaY can broadcast data up to six meters away

The downside is that the attack is not extremely fast, can't transmit data over big distances, and is subject to background noise that may impact the transmission's quality, making exfiltration in some scenarios almost impossible.

Guri said that the distance at which POWER-SUPPLaY works usually depends on the PSU brand and the bitrate and frequency bands at which the stolen data is encoded and then transmitted via acoustic signals.

The Israeli academic said that experiments have shown that POWER-SUPPLaY exfiltration speeds can vary between 0-40 bits/sec at short distances of up to 1 meter or 0-10 bits/sec when the data needs to travel for more than 2 meters. The maximum transmission distance recorded in the experiment was 6 meters.

Guri said that the first method can be reliably be used to transmit binary data, keystrokes logs, text files, and so on, while the slower bit rates could be used to transfer a small amount of data, such as short texts, encryption keys, passwords, and keystrokes.

Basically, the closer an attacker can place a smartphone to record the sounds coming from the infected computer, the better the speed and lower the transmission error rates.

Additional details about the technique and possible countermeasures are available in a research paper titled "POWER-SUPPLaY: Leaking Data from Air-Gapped Systems by Turning the Power-Supplies Into Speakers."

Guri's team has previously also worked on other air-gapped data exfiltration techniques, such as:

  • LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED
  • USBee - force a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data
  • AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
  • Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
  • DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
  • BitWhisper - exfiltrate data from non-networked computers using heat emanations
  • Unnamed attack - uses flatbed scanners to relay commands to malware infested PCs or to exfiltrate data from compromised systems
  • GSMem - steal data from air-gapped systems using GSM cellular frequencies
  • xLED - use router or switch LEDs to exfiltrate data
  • aIR-Jumper - use a security camera's infrared capabilities to steal data from air-gapped networks
  • HVACKer - use HVAC systems to control malware on air-gapped systems
  • MAGNETO & ODINI - steal data from Faraday cage-protected systems
  • MOSQUITO - steal data from PCs using attached speakers and headphones
  • PowerHammer - steal data from air-gapped systems using power lines
  • CTRL-ALT-LED - steal data from air-gapped systems using keyboard LEDs
  • BRIGHTNESS - steal data from air-gapped systems using screen brightness variations
  • AiR-ViBeR - steal data using a computer's fan vibrations

Categorized based on the exfiltration channels, these look like:

power-supplay-categories.png

Image: Mordecai Guri