​How safe is your air-gapped PC? Attackers can now suck data out via power lines

You'll now need to monitor the power cables connecting to isolated computers holding sensitive information.
Written by Liam Tung, Contributing Writer

Video: Air-gapped data is holy grail for hackers: Four methods they most commonly use

Researchers from Israel's Ben Gurion University of the Negev have shown once again that air-gapped PCs are not safe from a determined and patient attacker.

The researchers have already devised several devious techniques to extract data from isolated or air-gapped computers that store highly sensitive data.

Techniques they've proven work include a drone-assisted attack on a computer's flashing LEDs, using a CPU's low-frequency magnetic radiation to leak data through a Faraday cage, and attacking the very CCTV cameras used to monitor air-gapped computers.

The latest technique, dubbed PowerHammer, exploits current fluctuations flowing through the power lines supplying electricity to air-gapped computers.

The researchers have been able to exfiltrate data at a rate of 1,000 bits per second for lines connected to the target computer and 10 bits per second from the grid.

As with the Magneto and Odini Faraday-cage attacks that the researchers revealed in February, the PowerHammer technique would use malware to regulate a CPU's utilization to control the system's power consumption.

Read now: IT physical security policy

Instead of observing magnetic emissions as CPU usage rises and falls, the attacker can observe changes in current flow from the electricity lines outside a building or via the cords supplying power to the infected machine.

"The data is modulated, encoded, and transmitted on top of the current flow fluctuations, and then it is conducted and propagated through the power lines. This phenomena is known as a 'conducted emission'," writes Mordechai Guri, lead author of the PowerHammer paper.

"We show that a malicious code can influence the momentary power consumption of the computer, generating data-modulated conduction on the power lines in the low frequency band. The generated noise travels along the input power lines and can be measured by an attacker probing the power cables."

PowerHammer assumes an attacker has already infected an air-gapped network and focuses on the task of extracting protected data after infection.

Guri notes that power-line communication is common for smart home and industrial applications. All they're doing is applying the same techniques for malicious covert communications using "parasitic signals" generated by malware.

Anyone worried about a PowerHammer attack has a range of countermeasure options, such as monitoring the currency flow on power lines for deviations from standard transmission patterns. Other options include power-line filters and signal jammers.

Guri notes that traditional intrusion-detection systems would probably suffer from a high rate of false alarms and may be bypassed by malware.

Previous and related coverage

A Faraday cage or air gap can't protect your device data from these two cyberattacks (TechRepublic)

Long thought impenetrable, these forms of physical security continue to be found vulnerable. The latest attack vector is low-level magnetic fields.

Think you're safe from hackers offline? This drone steals data from a PC's blinking LED

If you've got an air-gapped computer, it might be time to cover up the hard drive's leaky flashing LED lights.

CCTV cameras enslaved to infiltrate air-gap networks

Surveillance camera lighting systems can create a web of light for leaking and extracting data from networks.

Four methods hackers use to steal data from air-gapped computers

Air-gapped computers are seen as high-value targets, so considerable research has gone into taking data from them -- without a network connection. Here's what you need to know.

Editorial standards