Steal Data Sonically, Sans Speaker?

A university researcher has figured out how to get a PC’s power supply to make noises. Why’s that interesting? Because it could be used to transmit and steal data.

Yes, the irrepressible Mordechai Guri has found another weird way to exfiltrate data from an air-gapped machine: using singing capacitors. I bet the CIA is quaking in its boots at his “POWER-SUPPLaY” scheme.

But there is a serious side to all this. In today’s SB Blogwatch, we squeal like a condensed hog.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 1977 TV was awful.


Sonic the EMSEChog

What’s the craic? Catalin Cimpanu reports—“Academics turn PC power units into speakers to leak secrets from air-gapped systems”:

 The trick behind the POWER-SUPPLaY technique is to manipulate power inside a PSU’s capacitors to trigger a “singing capacitor phenomenon.” This … generates acoustic waves when current passes through a capacitor at various frequencies. By controlling the power frequencies, the … malicious code can also control the audio waves, and hence, hide data inside it.

The technique, named POWER-SUPPLaY, is the work of Mordechai Guri [who] over the last half-decade … has been pioneering research into new covert data exfiltration channels … specifically for extracting data from air-gapped systems—computers isolated on local networks with no internet access. Such computers are often used … to store sensitive data, such as classified files or intellectual property.

The Israeli academic said … exfiltration speeds can vary between 0-40 bits/sec at short distances of up to 1 meter or 0-10 bits/sec when the data needs to travel [up to] 6 meters. … Basically, the closer an attacker can place a smartphone to record the sounds coming from the infected computer, the better the speed and lower the transmission error rates.

Not so fast. Thomas Claburn channels Ellison (not that one)—“I have no mouth, and I must scream”:

 Perhaps the most widely reported air gap attack of this sort is said to have involved the covert introduction of the Stuxnet centrifuge-knackering malware … to the nuclear fuel enrichment lab in Natanz, Iran. … An obvious defense against acoustic data transmission is to disable any speakers on the protected device.

An evil maid attack is required to make the attack feasible. The attacker also needs a nearby receiver, which in this scenario would be a smartphone, compromised with malware to listen for data or knowingly operated by an insider.

POWER-SUPPLaY is fun though not a practical threat [for] most of us. … You have to detect the sounds from the power supply unit over any noise in the surrounding environment, and you have to be close enough to pick it up, or have malware on a nearby machine that can listen out for the bits.

Who comes up with this stuff? Mordechai Guri papers over the cracks—“Leaking Data from Air-Gapped Systems by Turning the Power-Supplies Into Speakers”:

 The malicious code manipulates the internal switching frequency of the power supply and hence controls the sound waveforms generated from its capacitors and transformers. Our technique enables producing audio tones in a frequency band of 0-24kHz … without the need for audio hardware or speakers.

Binary data (files, keylogging, encryption keys, etc.) can be modulated over the acoustic signals and sent to a nearby receiver (e.g., smartphone). [The] code can operate from an ordinary user-mode process and doesn’t need any hardware access or special privileges.
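
A defender-side sketch of what monitoring for this channel could look like, added here as an illustration and not taken from the paper or the quoted articles: it scans a microphone capture for narrowband tones that persist above the room noise, without decoding anything. The 48 kHz rate follows the 0-24 kHz band quoted above; the frame size, thresholds and synthetic capture are assumptions constructed for the example.

```python
import math
import random
from statistics import median

RATE = 48_000          # samples/s; covers the 0-24 kHz band the paper cites
FRAME = 480            # 10 ms analysis frame -> 100 Hz bin spacing (assumed)
PEAK_RATIO = 30.0      # peak-to-median power ratio treated as a tone (assumed)
MIN_FRACTION = 0.5     # share of frames that must contain a tone to alert (assumed)

def goertzel_power(frame, freq_hz):
    """Signal power at one frequency (Goertzel recurrence, no FFT library)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def dominant_tone(frame):
    """Return (freq_hz, ratio) of the strongest bin against the median bin."""
    step = RATE // FRAME
    powers = {f: goertzel_power(frame, f) for f in range(step, RATE // 2, step)}
    peak = max(powers, key=powers.get)
    return peak, powers[peak] / median(powers.values())

def scan(samples):
    """Flag a recording in which narrowband tones persist across frames."""
    frames = [samples[i:i + FRAME] for i in range(0, len(samples) - FRAME + 1, FRAME)]
    hits = [f for f, r in map(dominant_tone, frames) if r >= PEAK_RATIO]
    return {"alert": len(hits) >= MIN_FRACTION * len(frames),
            "tone_frames": len(hits), "frames": len(frames),
            "frequencies_hz": sorted(set(hits))}

def constructed_capture(tones_hz, n_frames=10, seed=1):
    """Constructed test audio: Gaussian room noise plus an optional weak tone
    that switches frequency every two frames."""
    rng = random.Random(seed)
    out = []
    for n in range(n_frames * FRAME):
        x = rng.gauss(0.0, 0.1)
        if tones_hz:
            f = tones_hz[(n // (2 * FRAME)) % len(tones_hz)]
            x += 0.1 * math.sin(2.0 * math.pi * f * n / RATE)
        out.append(x)
    return out

if __name__ == "__main__":
    print(scan(constructed_capture([])))
    print(scan(constructed_capture([8000, 9000])))
```

The constructed tone carries less power than the noise around it, which is why the check compares each frequency bin against the median bin rather than looking at overall loudness.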

Perhaps you don’t even need an Evil Maid. Heed Duhavid:

 Your trusted people—the ones with access—have to get parts (and even entire computers) from somewhere. If the supply chain to them is compromised, singing power supplies, disk drives, etc. can be sent to [you] without direct physical access.

And Dave 126 reminds us why we’re even talking about this:

 Security researchers need to research potential attack vectors before deciding whether or not they could be used by genuine bad actors. Note that the research comes before the decision, which is the correct way round.

But Malays2 bowman sounds slightly sarcastic:

 Oh no, the sky is falling. … Once again, the “academics” do another proof of concept which in the real world would make a really piss poor spying tool.

That’s not to say what they are doing does not work, or does not pique my interest, but the last thing this world needs is more needless panic. Why would a spy even mess around with this when he has this kind of physical access to the systems and he can get what he wants with a $15 … thumbdrive?

They can just sneak a keylogger/key press generator between the keyboard and port. Or they can open the case and install a malicious device on one of the USB header pins on the motherboard if they have that kind of access. Much faster and more reliable.

Yes, this is an interesting tech demo, but it will see no use in the real world.

Similarly, martinusher utters:

 I’m not quaking in my boots too much about this. … Not that I wouldn’t take notice—there’s a reason why Tempest was invented—but I’d be more likely to be asking awkward questions like “where’s that unauthorized transmission coming from?” and “why is there a cellphone in this facility?”

Meanwhile, BeerFartMoron imagines the ultimate countermeasure:

 Boss just told us to remove the PSUs from the secure systems, “just to be sure.”

And Finally:

Imagine sheltering-in-place in 1977—this is what you’d be binge-watching



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image sauce: Phil Kallahar (Pexels)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
