Data exfiltrators send info over PCs' power supply cables

If you want your computer to be really secure, disconnect its power cable. So says Mordechai Guri and his team of side-channel sleuths at the Ben-Gurion University of the Negev. The crew have penned a paper titled PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines that explains how attackers could …

  1. Voland's right hand Silver badge

    Finally, an application for a Smart Meter

    After that, it's pretty simple, because all the attacker needs is to decide where to put the receiver current clamp:

    There is already a government mandated one - it is called Smart Meter.

    1. Anonymous Coward
      Anonymous Coward

      Re: Finally, an application for a Smart Meter

      >There is already a government mandated one - it is called Smart Meter.

      I was feeling happy and calm until I read your comment on a subject that makes my blood boil, £20bn what a TWOFTAM, wankers. Now to go and listen to some whale music or something to bring my anger levels back down again.

      1. GIRZiM
        Unhappy

        Re: Whale Music

        Am I the only one who finds whale song creepy and quite the reverse of soothing?

        1. Destroy All Monsters Silver badge

          Re: Whale Music

          Now to go and listen to some whale music or something to bring my anger levels back down again.

          If you listen to the power line, you can hear govnmt whales moaning, far away...

          1. GIRZiM
            Happy

            Re: Whale Music

            There's something soothing about the sound of the power lines.

            Maybe it's the way the sound hums to me, like a loving parent to a sleepless baby.

            Or perhaps it's the way they almost seem to whisper "It's okay. All is well. The freezer is not defrosting. The milk is not turning in the fridge. The lights haven't gone out in a citywide blackout and cannibal thugs are not coming for you in your bed in an orgy of destruction and bloodletting - not tonight at any rate. Tomorrow night, we can't make any promises about tomorrow night but, tonight at least, sleep easy - you might need all your energy tomorrow night so you should probably try to be well rested (just in case)."

            I find it comforting.

  2. DropBear
    Trollface

    That's quite ok, would you like to buy some of my consumption-randomizing desktop UPSes? They also have embedded AI that starts beeping like crazy as soon as it detects suspicious patterns in the consumption of the attached load! The AIs even share their experience securely, via blockchain...!

  3. Trygve Henriksen

    I expect a proper(inline) UPS would stop it.

    1. Voland's right hand Silver badge

      Not really

      I expect a proper(inline) UPS would stop it.

      Not really - if your PC goes from 30-40W (usual x86 desktop idle) to 120W that will show up on the other side of the UPS. It is current which is being pulse modulated here, not voltage.

      The only thing which a normal UPS may do in this scenario is to decrease the effective bit rate a little bit.

      You need a rather special power supply to defend against this - one with a constant current draw which discards all "unused" power by heating the air, water, charging - whatever. Normal UPSes do not do that.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not really

        Just rectify the mains (inside the room, obvs..) onto a DC supply, put a soddin' great capacitor on it, then run an inverter off the stabilised DC. You might manage to exfiltrate at 1bit/hour off that arrangement :-)

        In fact, a 12V car battery float charged feeding a cheapo 300W inverter from Maplins (oh, hang on) would do the job nicely.

        But if an attacker has uncontrolled access to your building riser, you've got plenty of other things to worry about, too.

        1. Jaybus

          Re: Not really

          "Just rectify the mains (inside the room, obvs..) onto a DC supply, put a soddin' great capacitor on it, then run an inverter off the stabilised DC."

          A good description of the common double-conversion UPS.

          1. Anonymous Coward
            Anonymous Coward

            48V DC kit?

            "[...]run an inverter off the stabilised DC [...]"

            Who needs an inverter anyway?

            Once upon a time, when telco gear in phone exchanges (?) ran off rather large 48V DC batteries and sometimes a generator backing them up, some of the equipment manufacturers had 48VDC (rather than mains) powered variants of some of their computery kit, with the only difference being the input power conversion (what's in a switched mode power supply anyway?).

            Does that kind of thing still exist?

      2. jaywin

        Re: Not really

        Or a "power factor correction" box - basically a load of big capacitors - normally used to improve the power consumption of inductive loads. I expect it would also play havoc with something trying to manipulate its current draw.

      3. BebopWeBop
        Trollface

        Re: Not really

        For anyone who is interested, we have diversified our line of magic pens (to improve the quality of CDs), directional speaker cables and a host of other must have additions to your true home audio setup with these magnetic stickers. Place them in the directed patter (instructions provided or can be cust fitted by out team of trained warocks) to blck all malevonant eminations from your PC*

        * versions available for Linux and Macintosh** installations

        **for a modest additional cost but remember you are worth it

        1. Anonymous Coward
          Anonymous Coward

          Re: our line of magic pens

          "Place [the stickers] in the directed patter (instructions provided or can be cust fitted by out team of trained warocks) to blck all malevonant eminations from your PC*"

          Are you sure your 'Rainbow electret foil' isn't interfering slightly with your wireless keyboard/mouse ;) ?

      4. ashton

        Re: Not really

        How about obfuscation ?

        Random signals when ups is recharging battery.

      5. Robert Helpmann??
        Childcatcher

        Re: Not really

        If I understand this properly, in order for this to be effective, the malware would have to be installed on the target machine or machines, the attacker would have to have physical access to the facility power lines, and the machines should not be on battery backup and definitely not on multiple battery backup systems (a scenario not uncommon in high value targets). This sounds like something a nation state actor would use as a last resort, as there are plenty of easier ways to get the job done.

      6. Unicornpiss

        Re: Not really

        I would think just a decent power supply with some big capacitors would tend to blur any usable data or reduce the bitrate so much that no one would bother. Or leave some HD video playing on your other monitor. "Really, it's for security!"

      7. Jaybus

        Re: Not really

        "You need a rather special power supply to defend against this"

        A 'proper(inline) UPS' was specified. With a double-conversion UPS, the line power draw measurement is showing the current drawn by the UPS's (asynchronous) battery charging circuitry. I suppose that it shows that there was an increased power draw by the attached equipment sometime in the past several minutes. Not a very useful or accurate metric, easily thwarted by disabling sleep mode.

  4. jake Silver badge

    More brilliance from BGU ...

    If your site security is so lax that J. Random Induhvidual can plug a box into your cable plant with impunity, you're pretty much open to the planet anyway.

    1. Aitor 1

      Re: More brilliance from BGU ...

      The problem here is the old evil maid.

      An electrician or cleaning person will have access enough to install data exfiltration equipment.

      The next thing you need is the "classic" "lost" USB stick. And there you go... as air-gapped PCs will get USB sticks connected to them, almost for sure.

      1. BebopWeBop

        Re: More brilliance from BGU ...

        They don't here - we plug them all.

        1. Charles 9

          Re: More brilliance from BGU ...

          Then how do you get data in or out, particularly if it's not in human-readable form?

          1. onefang

            Re: More brilliance from BGU ...

            "Then how do you get data in or out, particularly if it's not in human-readable form?"

            We use a secret, well hidden, room full of an infinite number of monkeys, and a lot of wire.

  5. Tigra 07
    Linux

    Your house has Windows...

    Now there's bugs in the walls!

  6. Anonymous Coward
    Anonymous Coward

    Not again... Well, if they think that's good I've managed to get the led under my mouse to transmit data. I'm still trying to work out the details on how to receive the data but at least I'm half way there.

    1. Anonymous Coward
      Anonymous Coward

      Seeing the light

      "if they think that's good I've managed to get the led under my mouse to transmit data. I'm still trying to work out the details on how to receive the data but at least I'm half way there."

      Has the 'paper' already been published on how to use the hard drive activity light for a similar purpose ?

      Or is this whole subculture coverage here and elsewhere just completely and utterly TITSUP .....

      Totally irrelevant theatre-style security, u prats.

      Meanwhile,

      How are those anti-AMD types (TCS?) doing this week with their RyzenFall and such stuff? Maybe I missed something?

      What about the Intel Management Engine exploits which Charlie Demerjian finally got into the media after years of trying ?

      Etc.

      1. Anonymous Coward
        Pint

        Re: Seeing the light

        Has the 'paper' already been published on how to use the hard drive activity light for a similar purpose ?

        Totally irrelevant theatre-style security, u prats.

        It is an axiom of risk management to put serious effort into defending against highly likely scenarios rather than highly unlikely ones.

        Exfiltrating data is usually pretty easy if someone has access to the machine, and getting access to the machine is supposed to be the hard part. If they have access to the machine then there is really not much you can do to protect your data apart from close the stable door when you find out, if they don't have access to the machine then all these side channels are completely irrelevant.

      2. bpfh
        Coat

        Re: Seeing the light

        I remember reading an article about this a few years ago, and some pc/mobo manufacturers alleviated this by randomising the flashing when the HDD was being used. I don't know if this ever made it to mainstream implementation though...

        1. Unicornpiss

          Re: Seeing the light

          "I remember reading an article about this a few years ago, and some pc/mobo manufacturers alleviated this by randomising the flashing when the HDD was being used."

          Dell took it a step further in all their Ultrabooks---they removed all of the useful indicators from the machine. You have a generic white LED that is on when the laptop is powered up. No charge indicator, HDD activity, wireless, or any other lights except for Caps Lock. It's actually really annoying having no idea what's going on, especially when Windows updates appear to be stuck.

          1. Anonymous Coward
            Anonymous Coward

            Re: Seeing the light

            "It's actually really annoying having no idea what's going on"

            But didn't a wise person once say, back in the ancient history of computing, that only one warning/error light was needed, and the rest would be obvious by analysing the other symptoms?

            That's very badly paraphrased, but my search engine optimisation is failing me today.

            Windows updates being stuck is surely normal operation anyway?

          2. Anonymous Coward
            Anonymous Coward

            Dell is like Hell only Dull

            No charge indicator, HDD activity, wireless, or any other lights except for Caps Lock.

            They should rename it the "Caps Lock Down" LED and just leave it on permanently.

            1. Vendicar Decarian1

              Re: Dell is like Hell only Dull

              No, they should turn the caps lock light off when the caps lock is enabled, so that it mirrors the logic of power lights that go off when a device is turned on.

      3. Ben Tasker

        Re: Seeing the light

        > Totally irrelevant theatre-style security, u prats.

        See, I prefer to look at this another way.

        There will always be those (whether it's management, customers or someone else) who will insist that it's possible to be 100% secure, and that you absolutely must be. That normally results in a near-unusable service/product because of all the crud that's been added to it to cover edge-cases. Worse, sometimes you find out a customer has been sold an SLA based on the idea you're 100% secure against all vectors.

        This and other research like it is just another example you can give for why that could never be possible, and more importantly (from a business standpoint) should never be claimed nor promised.

        A few people above have suggested possible solutions for this issue, so what you'd then do (having confirmed they should work) is go and work out the price of implementing - almost certainly so high that those demanding 100% security will refuse to pay the cost.

        It doesn't apply to every bit of research done, but it's still useful to have. Plus, obscure things like this (once disclosed) sometimes provide inspiration for someone to find a related approach that's much more practical in the real world. Plus, frankly, some of it is really fucking interesting to work on and tinker with even if there's no direct tangible real-world application to the vector.

        1. Ugotta B. Kiddingme

          Re: Ben Tasker

          upvote for your last paragraph

    2. Tigra 07
      Pint

      RE: AC

      Can't you transmit it like morse code?

    3. PNGuinn
      Joke

      @ AC

      "Not again... Well, if they think that's good I've managed to get the led under my mouse to transmit data. I'm still trying to work out the details on how to receive the data but at least I'm half way there."

      Balls - that's what you need to prevent those pesky leds talking to strangers.

      OTOH, a small efficient motor inside a wireless balled mouse, and it could be told to drive your data right out of your office. D'oh.

      Q patent for intelligent mouse with gps in 3 2 1...

  7. Empty1

    Old tech was easier

    Oh, it was so much easier decoding the clack of the abacus

    1. jelabarre59

      Re: Old tech was easier

      Oh, it was so much easier decoding the clack of the abacus

      It worked on Logopolis.

  8. SiFly

    Meh

    Again any sort of physical access to the computer provides a means of getting information out of it though you still need malware running on the computer in the first place ...

    1. scrubber
      Black Helicopters

      Re: Meh

      Kind of my first thought too, but what if the physical access to install the malware happens at the factory or the shipping depot, places where the NSA have been known to place people...

      1. teknopaul

        Re: Meh

        If the nsa can install hardware on route they can pop a wifi chip in there and save themselves from scrabbling around in your fuse box.

        1. Charles 9

          Re: Meh

          Unless they know the target's going into something like a Faraday cage or a place where all radio emissions are monitored, meaning no radio exfiltration allowed.

    2. Ben Tasker

      Re: Meh

      I've been in more than a few buildings where the server rooms are heavily secured, but the plant is not (it's just machinery etc, etc....). So access to the plant is undoubtedly a lot easier a good %age of the time.

      You do need to get the malware onto your target computer somehow, but that can potentially be done remotely via social engineering or chaining exploits to get RCE.

      When you're talking about this level of sophistication, it's not unreasonable to think that your victim's network might already have various systems in place trying to detect (and block/report) the more traditional methods of exfiltration. It might be an inconvenient approach (with plenty of issues), but it is potentially a way around those.

      I've certainly worked in places where this research will have been noted and they'll be watching for any developments and discussing whether there are any *easy* mitigations they can put in place (like better securing the plant rooms). Most of those tend to have strong physical security around the site, but the assumption is always that that could be overcome and so should be treated (to some extent) as not being there

      1. Unicornpiss
        FAIL

        Re: Meh

        In a previous job, we twice received (from a security vendor no less) a PC meant to control and DVR a camera system, that was infected with several pieces of malware.

        So, yeah, you're already "pre-screwed" sometimes before you even open the box.

  9. Stuart Castle Silver badge

    Getting a little James bond here, but could you not design the reader so it fits in a band clamped around the power cable? Most users, even assuming they noticed it, would probably assume that it's the same sort of thing as the ferrite core on display cables. In my experience, most people seem to assume that is some sort of handle to pull out the cable. Even assuming they notice it, they will probably think it needs to be there.

    These clamps could be fitted by (say) the cleaner in the morning, and taken away by the same cleaner a few days later. Design it right, and the device could be installed or removed in a few seconds, and I doubt anyone would question a cleaner hanging round a computer for a few seconds.

  10. Jason Bloomberg Silver badge
    IT Angle

    It's getting tedious now

    Can't they just publish their list of 'ways to do it' in one big dump rather than one at a time every month or so?

    Come on El Reg; bite that hand which feeds and stop giving them endless publicity.

    1. Roland6 Silver badge

      Re: It's getting tedious now

      The variations would be "propagated through the power lines" to the outside world.

      Love to see a demonstration of this: eavesdropping gismo attached to main power cable to a call centre, reliably picking up data from a single PC...

  11. JeffyPoooh
    Pint

    "...attackers could install malware..."

    Which could then be "Exfiltrating Data from Air-Gapped Computers through Power Lines..."

    1) If it's "Air-Gapped", then how does the malware get in?

    2) If the malware can get in, then perhaps that route works in both directions?

    Those concerned should conduct a physical survey, I suppose.

    And review how malware could get in in the first place...

    1. Sir Runcible Spoon

      Re: "...attackers could install malware..."

      Infiltration is a separate risk from ex-filtration and so often treated separately.

      In order to secure your data, it's usual to assume that miscreants already have access to the devices but have no easy way of getting the data out of the environment, so you limit the opportunities and closely monitor the ones you can't shut down completely (because they are needed for some reason).

      To be honest, it would make more sense to infiltrate the system with a spy with an eidetic memory.

  12. ThatOne Silver badge
    Facepalm

    Highly unlikely to work

    Unless you have chosen the most convoluted way possible to steal Aunt Mary's chocolate cookies recipe, computers tend to be connected to the same grid in bunches. How do you separate the power consumption pattern of a single CPU among a dozen computers in an office? The noise level is just too high, even if you filter everything out (HDs and fans kicking in, LEDs going on and off and all that) but CPUs.

    At this point I have a more likely data exfiltration warning: Sleep talking! What happens if some employee talks in his sleep, bad guys are recording him, and he starts blabbering something confidential in his sleep? Danger! Danger!

  13. handleoclast

    Give everybody a laptop

    The batteries ought to even out the current draw sufficiently.

    Maybe. :)

  14. DavidI

    Not a new attack

    Contrary to what the authors conclude in their article, this attack is not new. A year ago it was already documented in the following blog post:

    https://pushstack.wordpress.com/2017/07/24/data-exfiltration-from-air-gapped-systems-using-power-line-communication/

  15. Anonymous Coward
    WTF?

    So....

    ...500+ PCs (plus 1000 monitors) connected to a ****ing huge site UPS.

    How the hell do you find the traffic in that haystack?

    Last time I looked, most companies do not have a 1 pc per external feed setup.

    Heck, even a house it's going to be shared with washing machines, microwaves, tumble driers and all other sorts of noisy junk.

  16. EveryTime

    Ah, another theoretical but completely improbable attack.

    It sounds reasonable, if you don't actually understand how things work.

    1000 bits per second? By modulating the power draw of a switch-mode power supply? Not a chance.

    Perhaps if you got to design the power supply specifically to transfer the information, had a dedicated transmitter load instead of a computer, and had a noise-free power source you could get some information out. But far, far less than they suggest.

    With a regular power supply, no way. With a normal OS, no way. With regular power line phase noise, no way. With any but the most contrived lab conditions, you get nothing at all.

    Remember, you get no power line phase information. That limits you to 25/30 baud. You expected to modulate the current draw faster than that? On an AC supply, with current nulls? Oh, you were going to use a sophisticated redundant encoding scheme that avoids those. And somehow that modulation gets past the stability control of multiple layers of switching power supplies, which includes noise spreading, power factor correction and common mode filters and uncounted sources of non-linear behavior.

    Assuming that you could transmit any data at all, the OS isn't going to be your friend. It's going to screw you over on scheduling. Your magical too-sophisticated-for-mortals modulation scheme is going to fall apart in the face of timing variations.

    And remember this is a unidirectional channel. You can't tell what the receiver is hearing. You can't adjust your modulation, bit rate, phase, or anything. You can't adjust your redundancy. You can't know to retransmit. That screws over every single one of your worse-than-marginal communication layers.

    On to the physical matters. The receiver wouldn't just clamp around the power cord. It would need to clamp around a single conductor. Which means slicing open the cord, plugging the computer into your receiver, or getting into the electrical box. Not something that would be done unobserved. Yes, you may be able to sense current variations by distorting the power cord and sensing the near field, at the loss of another 10dB in noise performance. (Hey, Shannon, how much does that cost me?)
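The argument running through this thread (Voland's right hand: it is current that is pulse-modulated, so a UPS only lowers the bit rate; the UPS/capacitor replies; EveryTime: noise from other loads and a one-way channel with no feedback) is easy to put numbers on with a toy simulation. The block below is an added example written for this page; it is not the BGU authors' code and not code posted by any commenter. It models the transmitter as a CPU busy loop that toggles between idle and busy draw at one of two frequencies (binary FSK), a PSU bulk capacitor / PFC bank / UPS input stage as a first-order low-pass on that draw, other loads on the shared feeder as white noise added after the smoothing, and the receiver as a current clamp sampled at FS Hz with a Goertzel filter deciding each symbol. Every number (FS, tone frequencies, symbol time, noise level, cutoff values) is an assumption chosen for the demonstration; the 40 W / 120 W figures are the ones quoted in the thread.

```python
"""Toy PowerHammer-style channel: load-toggle FSK -> smoothing -> noisy feeder -> clamp.

Constructed example for this discussion; not the paper's code. All constants are
assumptions, except the 40 W idle / 120 W busy draw quoted in the thread.
"""
import math
import random

FS = 1000                      # clamp sample rate, samples/s (assumption)
SYMBOL_S = 0.1                 # seconds per bit, i.e. 10 bit/s (assumption)
F0, F1 = 100.0, 200.0          # load-toggle frequency for bit 0 / bit 1 (assumption)
IDLE_W, BUSY_W = 40.0, 120.0   # idle / busy draw, from the thread's 40 W -> 120 W
SAMPLE_BITS = [int(c) for c in "0110100001101001" * 4]   # 64 constructed bits


def modulate(bits):
    """Power draw (W) per sample: a busy loop toggled on/off at F0 or F1."""
    n = int(FS * SYMBOL_S)
    out = []
    for b in bits:
        period = FS / (F1 if b else F0)          # samples per toggle period
        for i in range(n):
            busy = (i % period) < period / 2     # busy for the first half of each period
            out.append(BUSY_W if busy else IDLE_W)
    return out


def smooth(samples, cutoff_hz):
    """First-order RC low-pass standing in for PSU capacitance, a PFC bank or a UPS
    input stage. The state starts at the average draw, as a charged capacitor would.
    cutoff_hz=None means no smoothing at all."""
    if cutoff_hz is None:
        return list(samples)
    dt = 1.0 / FS
    rc = 1.0 / (2 * math.pi * cutoff_hz)
    alpha = dt / (rc + dt)
    y = sum(samples) / len(samples)
    out = []
    for x in samples:
        y += alpha * (x - y)
        out.append(y)
    return out


def add_feeder_noise(samples, sigma_w, seed=1):
    """Other loads sharing the feeder, modelled as seeded white noise (constructed)."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma_w) for x in samples]


def goertzel_power(block, freq):
    """Energy of `block` at `freq` after removing the DC component (Goertzel)."""
    mean = sum(block) / len(block)
    coeff = 2 * math.cos(2 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in block:
        s0 = (x - mean) + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples):
    """One decision per symbol window: whichever tone carries more energy wins.
    The receiver gets no feedback, so there is no retransmission or rate adaptation."""
    n = int(FS * SYMBOL_S)
    bits = []
    for k in range(len(samples) // n):
        block = samples[k * n:(k + 1) * n]
        bits.append(1 if goertzel_power(block, F1) > goertzel_power(block, F0) else 0)
    return bits


def channel(bits, cutoff_hz=None, noise_w=0.0, seed=1):
    """Transmitter -> smoothing -> shared feeder noise -> clamp. Returns decoded bits."""
    draw = smooth(modulate(bits), cutoff_hz)
    if noise_w:
        draw = add_feeder_noise(draw, noise_w, seed)
    return demodulate(draw)


def bit_errors(sent, received):
    return sum(1 for a, b in zip(sent, received) if a != b)


def tone_attenuation(cutoff_hz):
    """How much of the F0 tone survives the smoothing: power after / power before."""
    raw = modulate([0])
    return goertzel_power(smooth(raw, cutoff_hz), F0) / goertzel_power(raw, F0)


if __name__ == "__main__":
    for cutoff in (None, 50.0, 10.0, 1.0):
        errs = bit_errors(SAMPLE_BITS, channel(SAMPLE_BITS, cutoff, noise_w=20.0))
        print(f"smoothing cutoff {cutoff!s:>5} Hz: {errs:2d} bit errors in {len(SAMPLE_BITS)}")
```

Running it shows the shape of the argument rather than settling it: with no smoothing, or a cutoff well above the tone frequencies, the 20 W of feeder noise costs nothing, a cutoff around the tone frequencies eats the margin, and a cutoff of a few hertz (the double-conversion / big-capacitor case) pushes the tones below the noise from neighbouring loads, at which point the receiver is guessing and, with no return path, cannot even tell. Change the noise level or the symbol time to see how quickly the usable bit rate moves.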

  17. PNGuinn
    Black Helicopters

    Let's look at this slightly differently....

    Lots of interesting comments here. I can see that in *some* circumstances it might be possible to access the supply to a single or small number of computer supply feeds via an unsecured supply cable. Not necessarily the switchboard. Cable ducting above ceiling / below floor anyone?

    But let's think around this one for a bit. Assume that you've done some research on your target, you know the topography. In other words, you've likely got someone on the inside. The place has considered security, and they've got all sorts of protections in place, and they think they're secure.

    By definition, that probably means they are not. You've independently "audited" their "security". Something like this might just work. The real problem here, it seems to me, is getting the data OUT into the real world unnoticed. Ok, if your tap is in a relatively unsecured area, that might be easy.

    What you really need to know is what they are currently protecting themselves against, design your tap around it, and either, depending on the amount of data you want, and when the data are available, pull your agent out and tap or tap and then get your agent to remove the tap. Then pull the agent or not as desired. Or live dangerously and leave the tap for later.

    Thought. Have they got power line networking anywhere? Ah, WiFi - Must have. Because. or somesuch good reason. Or "intelligent" controls ... ah, green .... Would the systems in place notice a little more naughty RF on the powerlines? How easy would it be to add something into a PSU case or on to a mobo or into the birdsnest behind the epoxied USB ports on the front panel ... in a computer, possibly before delivery or at repair?

    Remember, the biggest security risk is human, and it doesn't need to be situated locally between keyboard and chair.

  18. DeBeep

    fuck computers....man, this will never stop...

    back to the forest.....

  19. Anonymous Coward
    Anonymous Coward

    Whoops

    Sounds like they will need to rewrite the TEMPEST guidelines to add "Backup battery system"

  20. GIRZiM
    Pirate

    Surely

    It's just easier to say "This a government spot inspection. I've come about your GDPR. I'm going to plug this device into your server and see how easy it is to extract data from it. Then I shall report back to my department and you'll receive notification of any fines and/or necessary action within twenty-eight working days," flash your gym membership card at them and get down to business, no?

    1. Anonymous Coward
      Anonymous Coward

      Re: Surely

      Nah, all you need to do is pitch up at a branch office with a PC under your arm, say "I'm from IT" and, as you say, flash your gym membership card.

      Then connect the PC to the network under a desk somewhere and leave.

      Social engineering red-teaming 101. Succeeds a depressingly large amount of the time.

      1. GIRZiM

        Re: Surely

        > Succeeds a depressingly large amount of the time.

        It does, doesn't it?

  21. jelabarre59

    Frame power ports

    As I remember, there are server racks with remotely-controllable power control units. Years back when working on IBM pSeries systems, the power distribution for the rack actually contained an embedded Linux system, accessible through the rack's own ethernet hub. So there would be a remotely-accessible access to the power system. Of course, then you'd have to know how to program a PPC CPU, and who knows that anymore?

  22. Sandtitz Silver badge
    Holmes

    it's possible

    Considering that (at least) HPE Proliants have optional PLC enabled power supplies which provide identification including IP address and host name, they could be hacked to deliver more than just that, since the article assumes that the exfiltration would require a compromised host anyway.

    1. Dawgboy

      Re: it's possible

      Seen this on a Dell M1000 chassis a couple years ago. Hacked the PLC for 2 blades.

  23. Anonymous Coward
    Anonymous Coward

    Is this why my Dell laptop complains...

    If I don't use the "official" Dell power adapter?

    1. Anonymous Coward
      Anonymous Coward

      Re: Is this why my Dell laptop complains...

      Yes, this is the (shuffle paper) "TEMPEST mitigation secure power system installation standard, aka TEMPSIS". It's done on purpose so that the delicate circuitry isn't contaminated with out of specification DC waves that might affect safety, as there is a theoretical risk of low power causing the charging circuits to become unstable. Actually had a near miss here with a similar situation, on a "universal" screw terminal used with a too-small 12V adaptor, and the battery got hot and bulged up like a faulty LiPo cell.

      There's actually a special 3 pin chip and that centre pin is used primarily for this purpose.

  24. Dawgboy

    Ethernet over power is old tech

    I was using Ethernet over power across the 220VAC slip rings at the Palomar mountain Observatory back in 2009 for all the dome mounted data acquisition and weather systems, as well as an Allsky camera and UV laser systems in 2009. Frankly, I am surprised it took this long for an outgrowth of that old "Homepower" tech to be used in this way. Even back then I was able to get a very solid 700KBPS in both directions...

    1. TrumpSlurp the Troll
      Trollface

      Re: Ethernet over power is old tech

      My first take was that the whole scheme would be much more difficult if there was a "Homeplug" Ethernet running random data between two points on the local power wiring.

      I assume that this low bandwidth connection similar in speed to the old dial up modems would rely on a relatively stable supply (as in relatively noise free phone line) and would have similar problems to trying to use the same phone line for two simultaneous competing modem connections. I do remember that you can share a line between multiple modems if they are aware of this and cooperate.

      Are they selling random mains noise generators by any chance?

      Or special oxygen free mains cables which only allow pulses to propagate in one direction towards the PSU?

  25. John Doe 6

    A Solid State PSU (a big iron core transformer with large capacitors, min. 10000µF) or a good UPS would fix that.

  26. Anonymous Coward
    Anonymous Coward

    Verran AC Datalink

    Who remembers them?

    Was anything patented?

    Does an opportunity for intellectual property rights solicitors exist here?
