April 16, 2018 // 10:40 a.m.
Researchers have released details of a new technique for exfiltrating data from a computer otherwise disconnected from communication systems, a process known as 'air-gapping': PowerHammer.
Mordechai Guri, Boris Zadov, Dima Bykhovsky and Yuval Elovici of the Ben-Gurion University of the Negev in Israel came up with PowerHammer as a demonstration of how traditional air-gapping - a process by which a secure computer is isolated from all networking, including 'sneakernet' transfers via anything from USB flash drives to floppy disks - may not be sufficient to protect data.
PowerHammer works, as its name implies, by installing malware on the target machine - by far the most challenging part of the process, if the secure computer is indeed secure - then using it to adjust the power consumption of the system's processor. This modulated power draw can then be measured, the team found, either by connecting receiving equipment to the same power line or to the same power phase at the electrical service panel.
In operation, then, PowerHammer is not dissimilar to the HomePlug Powerline standard, but is exclusively unidirectional and requires no additional hardware on the sending computer. Its performance is also somewhat slow, with the line-level version of the attack measured at 1kb/s and the phase-level version at 10b/s - enough to walk away with something like a set of passwords or private keys in a reasonable amount of time.
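The following Python sketch is an added illustration of the defender's side of this technique, not code from the article or from the Ben-Gurion team: it assumes a host monitor that samples CPU utilisation at a fixed rate (a constructed 20 samples/s here) and checks each window for the single strong spectral peak that a process toggling CPU load at a fixed symbol rate would leave, something the bursty, irregular load of ordinary software does not produce. Both traces are constructed.

```python
import cmath
import math
import random

SAMPLE_RATE_HZ = 20  # assumed monitor sample rate (constructed for this example)


def dominant_tone(samples, sample_rate_hz):
    """Return (frequency_hz, share) for the strongest non-DC spectral bin.

    share is that bin's power divided by the power of every non-DC bin below
    Nyquist. A plain O(n^2) DFT keeps the example dependency-free; it is fine
    for windows of a few hundred samples.
    """
    n = len(samples)
    mean = sum(samples) / n
    x = [s - mean for s in samples]  # remove DC so the idle level is ignored
    powers = []
    for k in range(1, n // 2):
        acc = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        powers.append((k, abs(acc) ** 2))
    total = sum(p for _, p in powers)
    k_max, p_max = max(powers, key=lambda kp: kp[1])
    return k_max * sample_rate_hz / n, p_max / total


def looks_like_covert_modulation(samples, sample_rate_hz, min_share=0.5):
    """Flag a window whose load variation is dominated by one tone."""
    _, share = dominant_tone(samples, sample_rate_hz)
    return share >= min_share


def _square_wave(period, n, rng):
    """Constructed: CPU pinned high for half a period, idle for the other half."""
    return [(90 if (t % period) < period // 2 else 10) + rng.uniform(-3, 3)
            for t in range(n)]


def _irregular_load(n, rng):
    """Constructed: mostly idle with irregular spikes and no fixed rhythm."""
    return [10 + 80 * rng.random() ** 3 for _ in range(n)]


_rng = random.Random(1)
COVERT_TRACE = _square_wave(10, 200, _rng)  # 2 Hz toggling at 20 samples/s
BENIGN_TRACE = _irregular_load(200, _rng)

if __name__ == "__main__":
    for name, trace in (("covert", COVERT_TRACE), ("benign", BENIGN_TRACE)):
        freq, share = dominant_tone(trace, SAMPLE_RATE_HZ)
        print(f"{name}: strongest tone {freq:.2f} Hz carries {share:.0%} of power")
```

A real monitor would run this per core over sliding windows and tune the threshold against the host's normal workload; a single clean tone is a prompt to inspect which process is producing the load, not proof on its own.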
The attack is only the latest in a string of techniques for exfiltrating data from air-gapped computers, including listening to the noise made by the hard drive, recreating the display by capturing leaked radiation from the monitor, watching status LEDs, and generating ultrasonic signals on built-in speakers - the latter a technique claimed to be part of the badBIOS malware.
The team's full research paper, PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines, is available now on arXiv.org (PDF warning).