This evasive new cyberattack can bypass air-gapped systems to steal data from the most sensitive networks

Cybersecurity researchers at Ben-Gurion University demonstrate a novel technique that steals data using electromagnetic radiation and a $1 antenna.
Written by Danny Palmer, Senior Writer
Image: Getty/Manuel Breva Colmeiro

Cybersecurity researchers have demonstrated a novel method of cyberattack that could allow malicious hackers to steal information from some of the most well-protected computers.

Air-gapped systems are isolated from the internet due to the nature of the information they handle. The idea is that by being completely removed from both the public-facing internet and the rest of the network, any information stored and processed within them remains secure from unauthorised access by outsiders.

Typically, air-gapped systems are found in sensitive or high-risk environments – which are likely to be tempting targets for malicious hackers – including critical infrastructure, satellite and military networks

But a new technique demonstrated by researchers at Ben-Gurion University of the Negev's Department of Software and Information Systems Engineering shows that it's possible for attackers to breach air-gapped systems by exploiting low-frequency electromagnetic radiation generated by the targeted computer.

"The attack is highly evasive since it executes from an ordinary user-level process, does not require root privileges, and is effective even within a Virtual Machine," Mordechai Guri, head of R&D of the Cyber Security Research Center at Ben Gurion University, wrote in a newly published research paper.

Also: Cybersecurity: These are the new things to worry about in 2023

Dubbed COVID-bit, the covert channel attack first relies on an attacker being able to gain physical access to the targeted system to plant malware on it using a USB drive. This could be a covert operative who has gained access to the secure facility the air-gapped machine is in, or a malicious insider could be persuaded, blackmailed or tricked into installing the malware.

It's widely reported that Stuxnet, a malware worm used to heavily disrupt Iranian uranium enrichment and nuclear facilities in 2010, was planted using USB flash drives. So, while physical access is difficult to gain, it isn't impossible.

The malicious code exploits the dynamic power consumption of computers and manipulates the momentary loads on CPU cores. This approach allows the malware to control the computer's internal utilization and generate low-frequency electromagnetic radiation on the 0-60 kHz band.

According to researchers, it's possible to exploit this technique to transfer sensitive information from the compromised machine, including files, encryption keys, biometric information, and keylogging data, which can include usernames and passwords, along with private keys for bitcoin wallets.

To do this, all an attacker needs is a smartphone or a laptop with a small antenna, which can be bought for just $1, and to be within around two meters of the compromised machine. The attacker wouldn't necessarily have to be in the same room as the targeted system, as the electromagnetic radiation being generated can penetrate a wall.

Also: The stakes 'could not be any higher': CISA chief talks about the tech challenges ahead

Data transmitted over this frequency doesn't transfer as quickly as standard methods: researchers note that transferring a large amount of information, such as keylogging data for the last hour, could take up to 10 minutes. But so long as the attacker isn't physically ejected from the perimeter, the data will be secretly transmitted.

The best protection against a COVID-bit attack would be to ensure that only authorized personnel are allowed anywhere near systems, although this doesn't solve the issue of a compromised insider with the proper authorization.

The research paper suggests that additional measures to guard against this kind of attack on air-gapped systems include restricting the frequencies that can be used by certain CPUs, as well as using antivirus software that can detect unusual CPU patterns. 

"Security systems such as malware protection and detection applications can monitor how running threads utilize the CPU cores to detect suspicious patterns. In the case of COVID-bit, threads that persistently change the CPU utilization would be reported for further forensic investigation," said Guri.

COVID-bit isn't the first time Guri has found ways to bypass air-gapped systems, as demonstrated by previous research showcasing other techniques, including Powerhammer, Power-SuppLaY and Air-Fi, among others.


Editorial standards