posted by martyb on Wednesday May 06 2020, @12:41AM   Printer-friendly
from the gotta-build-a-better-box dept.

OK, so you've air-gapped that PC. Cut the speakers. Covered the LEDs. Disconnected the monitor. Now, about the data-leaking power supply unit...

Video Israeli cyber-security side-channel expert Mordechai Guri has devised a way to pilfer data from devices that have been air-gapped and silenced.

[...] An obvious defense against acoustic data transmission is to disable any speakers on the protected device, a practice known as audio-gapping.

But Guri's latest research shows that's not enough. He and his team have found a way to turn the power supply in an isolated, muted machine into a speaker of sorts, one capable of transmitting data at a rate of 50 bits/sec.

He calls the attack POWER-SUPPLaY. The technique has the potential to be used against PC workstations and servers, as well as embedded systems and IoT devices that have no addressable audio hardware.

"We show that malware running on a PC can exploit its power supply unit (PSU) and use it as an out-of-band speaker with limited capabilities," a paper [PDF] detailing the technique explained. "The malicious code intentionally manipulates the internal switching frequency of the power supply and hence controls the waveform generated from its capacitors and transformers."

[...] Guri and others have developed a handful of similar TEMPEST attack schemes, such as luminance signaling via LCD screen fluctuations (BRIGHTNESS), acoustic signaling using fan modulation (FANSMITTER), data exfiltration via power cables (POWERHAMMER), and covert signaling via keyboard lights (CTRL-ALT-LED).
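Added example, not code from the article or from Guri's paper: a small defender-side check that looks for a strongly periodic on/off pattern in a host CPU-utilisation trace, the kind of signature a program that modulates the machine's load to drive a side channel would leave. It assumes the modulation shows up in the utilisation samples (the article does not state how the malware drives the PSU) and uses constructed traces sampled at an assumed 100 Hz.

```python
import random

SAMPLE_HZ = 100  # assumed sampling rate of the utilisation probe (constructed)


def autocorr(samples, lag):
    """Normalised autocorrelation of a mean-removed series at one lag."""
    n = len(samples)
    mean = sum(samples) / n
    centred = [s - mean for s in samples]
    var = sum(c * c for c in centred)
    if var == 0:
        return 0.0
    return sum(centred[i] * centred[i + lag] for i in range(n - lag)) / var


def periodicity_score(samples, min_lag=4):
    """Return (best_lag, correlation) for the strongest repeating pattern.
    Lags shorter than min_lag are skipped so ordinary sample-to-sample
    smoothness is not mistaken for a modulation period."""
    best_lag, best_r = 0, -1.0
    for lag in range(min_lag, len(samples) // 2):
        r = autocorr(samples, lag)
        if r > best_r:
            best_lag, best_r = lag, r
    return best_lag, best_r


def is_load_modulated(samples, threshold=0.5):
    """Flag a trace whose best periodic component correlates above threshold."""
    _, r = periodicity_score(samples)
    return r >= threshold


def describe(samples):
    lag, r = periodicity_score(samples)
    hz = SAMPLE_HZ / lag if lag else 0.0
    return f"period {lag} samples (~{hz:.1f} Hz), correlation {r:.2f}"


# Constructed traces (not real measurements): 4 s of samples at SAMPLE_HZ.
def benign_trace(seed=1):
    """Roughly steady load with Gaussian jitter, as an idle workstation might show."""
    rng = random.Random(seed)
    return [30 + rng.gauss(0, 5) for _ in range(4 * SAMPLE_HZ)]


def modulated_trace(seed=1, period=20):
    """Load toggled between ~95% and ~5% every half period, i.e. a 5 Hz square wave."""
    rng = random.Random(seed)
    return [(95 if (i // (period // 2)) % 2 == 0 else 5) + rng.gauss(0, 3)
            for i in range(4 * SAMPLE_HZ)]


if __name__ == "__main__":
    for name, trace in (("idle workstation", benign_trace()),
                        ("square-wave load", modulated_trace())):
        flag = "SUSPECT" if is_load_modulated(trace) else "ok"
        print(f"{name:18s} {flag:8s} {describe(trace)}")
```

A real monitor would sample per process rather than whole-host utilisation and tune the threshold against the machine's normal workload, which is often far less stationary than the benign trace used here.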

  • (Score: 5, Interesting) by edIII on Wednesday May 06 2020, @01:12AM (6 children)

    by edIII (791) on Wednesday May 06 2020, @01:12AM (#990927)

    Realistically? Probably not.

    If anyone is air gapping a machine these days, it's because it's probably too old to be connected to the Internet anymore. Like a Windows XP machine running a very specific program, and you can no longer update the web browsers, firmware, etc. to have a usable machine.

    Intentional air gapping for security is not very likely to be susceptible here. Side channel attacks like these are well known, and TEMPEST is old news. The power supply isn't the only "speaker", so is the CPU. Just depends on the sensitivity of your sensors. More than likely it will be in its own secure room, one that is shielded against "leaking audio". Does the malware have to be there first? Even less likely in most scenarios then. A lot of air gapped machines no longer receive outside input, or it is heavily validated and secured.

    Finally, even assuming the malware is running on the air gapped machine, how close do you have to be? This would not have worked in the Mission Impossible air gap setup, or would've required Tom Cruise to place it next to the machine.

    Call me when they find out how to install malware on an air gapped machine remotely.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 4, Insightful) by Runaway1956 on Wednesday May 06 2020, @01:36AM (2 children)

      by Runaway1956 (2926) Subscriber Badge on Wednesday May 06 2020, @01:36AM (#990930) Journal

      My own thoughts are, if someone is looking closely enough at you to exploit something like this, you are probably pwned anyway. The antagonists are already so close to you that they can monitor very limited tell-tales such as the brightness of your screen, signals from the PSU, and all the rest mentioned above? Well, if they are that close, the first time you go out to buy Cheetos, they're going to break in to your home/office and gain physical access to your machine, along with your network. Upon your return home from the Cheetos run, your screen is going to be mirrored at NSA headquarters anyway.

      A bit of paranoia is good, maybe more paranoia is better, but it can be overdone.

      • (Score: 0) by Anonymous Coward on Wednesday May 06 2020, @01:52AM

        by Anonymous Coward on Wednesday May 06 2020, @01:52AM (#990940)

        More like they are so close that they can get the REQUIRED malicious software installed into the PC...

        Just not "close" enough to use other methods to get the desired data out. Where the desired data is of quantities that can be practically transferred at 50 bits/sec[1].

        [1] It takes 5 years to transfer 1GB at 50 bits/sec.
      • (Score: 2) by All Your Lawn Are Belong To Us on Thursday May 07 2020, @03:41PM

        by All Your Lawn Are Belong To Us (6553) on Thursday May 07 2020, @03:41PM (#991357) Journal

        Interesting. Sort of a wrench solution [xkcd.com]. Moderated that if it is indeed nation-state intelligence agency internal level security then it may be the only exploit possible, not unlike when the laser microphone [wikipedia.org] technique was developed.

        --
        This sig for rent.
    • (Score: 5, Touché) by maxwell demon on Wednesday May 06 2020, @07:09AM (1 child)

      by maxwell demon (1608) on Wednesday May 06 2020, @07:09AM (#990991) Journal

      Call me when they find out how to install malware on an air gapped machine remotely.

      PC viruses existed long before PCs were routinely connected to networks. That is, virtually every PC of the time was airgapped, and yet the malware could spread.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Thursday May 07 2020, @03:53PM

        by Anonymous Coward on Thursday May 07 2020, @03:53PM (#991361)

        My first college campus job in school, about 1989-1990, was for computing services and I was assigned in my second semester to a Mac lab of 30 Macs (maybe SE/30s?) They were networked for print services. One of the things we could do (it was pretty boring most of the time) was scan the computers for viruses. I'd get three or four hits out of 30 machines per week. The data discs were the mechanism. They were also usually the same machines, or one right next to it. Person uses same machine whenever in the lab, slots the offending disk and machine gets the virus, scan it and disinfect it, person comes back two days later slots the same infected disk and re-infects the machine. IIRC they were propagation-only, and I don't remember anybody seriously worrying about them.

    • (Score: 1, Funny) by Anonymous Coward on Wednesday May 06 2020, @07:38AM

      by Anonymous Coward on Wednesday May 06 2020, @07:38AM (#990994)

      It's not realistic as only plebs do not vacuum-gap their PCs!

  • (Score: 3, Insightful) by Mojibake Tengu on Wednesday May 06 2020, @01:46AM (2 children)

    by Mojibake Tengu (8598) on Wednesday May 06 2020, @01:46AM (#990935) Journal

    Any observable controlled change is a communication.

    What's so difficult to understand about it so you need a side channel expert?
    The more unnecessary contraptions you put added to the system, the more side channels from the system you get.

    --
    Respect Authorities. Know your social status. Woke responsibly.
    • (Score: 0) by Anonymous Coward on Wednesday May 06 2020, @11:07AM (1 child)

      by Anonymous Coward on Wednesday May 06 2020, @11:07AM (#991024)

      The more unnecessary contraptions you put added to the system,

      Yeah! Power supplies are completely unnecessary, and are contraptions to boot!

      You go, Tengu San!

      • (Score: 2, Informative) by khallow on Wednesday May 06 2020, @02:21PM

        by khallow (3766) Subscriber Badge on Wednesday May 06 2020, @02:21PM (#991055) Journal

        Yeah! Power supplies are completely unnecessary, and are contraptions to boot!

        Power supplies are necessary. Power supplies whose timing can be controlled by the system definitely qualify as unnecessary contraptions. You probably can remove a lot of the information channel by putting passive low-pass/band-pass filters on the input power too.

  • (Score: 3, Touché) by drussell on Wednesday May 06 2020, @01:48AM (3 children)

    by drussell (2678) on Wednesday May 06 2020, @01:48AM (#990936) Journal

    Isn't it usually just easier to smack the target with a wrench than to set up spying that closely on an individual workstation or PC?

    https://xkcd.com/538/ [xkcd.com]

    Who knows, I guess....

    • (Score: 2, Touché) by Anonymous Coward on Wednesday May 06 2020, @02:27AM (2 children)

      by Anonymous Coward on Wednesday May 06 2020, @02:27AM (#990948)

      Depends. I use air-gapped systems in special rooms with all sorts of protections. To get useful data off of that through my head would be almost impossible, as my memory isn't reliable enough to get it off, and accessing it too often as a way to get around that would set off auditing alarms. Also, kidnapping and bruises leave evidence but a properly done exfiltration should leave none.

      • (Score: 0) by Anonymous Coward on Thursday May 07 2020, @03:58PM

        by Anonymous Coward on Thursday May 07 2020, @03:58PM (#991365)

        Take it at a remove: It's probably easier to compromise the people operating that machine or those familiar with the inputs and outputs. Doesn't take just bruising, but finding out what the drivers are of those people and then offering to supply whatever they are lacking in that area (money, sex, excitement, and ideology to name four).

      • (Score: 0) by Anonymous Coward on Thursday May 07 2020, @04:03PM

        by Anonymous Coward on Thursday May 07 2020, @04:03PM (#991374)

        Adding to my above, it doesn't take finding out what the operator knows, although that may be an element of wind-up to develop a suitable acquisition package. It takes compromising the operator who is able to plug in a USB, or daisy chain in a SATA drive or custom card (if the machine has been proofed against USBs), or whatever it takes to acquire and then export the data. Maybe it takes compromising the level above or someone in security who would nominally spot the individual's cracking the case open, to provide a window where a compromised operator may work.

        And maybe the security is in fact functional and works. But very few companies actually bake in security on both the functional and operational levels.

  • (Score: 3, Insightful) by Snotnose on Wednesday May 06 2020, @01:49AM (5 children)

    by Snotnose (1623) on Wednesday May 06 2020, @01:49AM (#990938)

    A) Any data you get is going to be very low rate, probably 1200 baud or less.
    B) If you can install this on a computer, you've compromised the computer. There is no reason you can't get much better data rates via other methods.

    --
    When the dust settled America realized it was saved by a porn star.
    • (Score: 3, Informative) by drussell on Wednesday May 06 2020, @01:57AM (2 children)

      by drussell (2678) on Wednesday May 06 2020, @01:57AM (#990942) Journal

      Any data you get is going to be very low rate, probably 1200 baud or less.

      TFS above says approximately 50 baud...

      • (Score: 1, Informative) by Anonymous Coward on Wednesday May 06 2020, @02:01AM (1 child)

        by Anonymous Coward on Wednesday May 06 2020, @02:01AM (#990944)

        That's fast enough to download an mp3 in 173 years.

        • (Score: 2, Touché) by Anonymous Coward on Wednesday May 06 2020, @04:27AM

          by Anonymous Coward on Wednesday May 06 2020, @04:27AM (#990971)

          Or a 256 bit key in 5 seconds.

    • (Score: 2) by FatPhil on Wednesday May 06 2020, @08:55AM (1 child)

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday May 06 2020, @08:55AM (#991005) Homepage

      Valuable information can be very small in size, so the rate isn't really important. However your second point is the only thing that matters, and which makes this story evaporate into a puff of stupidity. If someone else's PC is running your software, it's your computer now anyway.

      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 1) by shrewdsheep on Wednesday May 06 2020, @10:27AM

        by shrewdsheep (5215) on Wednesday May 06 2020, @10:27AM (#991021)

        For most "use cases" it seems sheer stupidity. However, think of a stuxnet type operation. You need to keep in stealth mode. If other computers do have microphones, you can build your own network. Use it for slow updates, getting the critical signal through.

  • (Score: 0) by Anonymous Coward on Wednesday May 06 2020, @01:58AM (2 children)

    by Anonymous Coward on Wednesday May 06 2020, @01:58AM (#990943)

    I call it the BATTERY

    • (Score: 1, Touché) by Anonymous Coward on Wednesday May 06 2020, @02:29AM

      by Anonymous Coward on Wednesday May 06 2020, @02:29AM (#990949)

      Still runs through a power supply to create the necessary power rails.

    • (Score: 0) by Anonymous Coward on Wednesday May 06 2020, @04:15AM

      by Anonymous Coward on Wednesday May 06 2020, @04:15AM (#990970)

      This guy and his team are guaranteed next going to write a PDF about using the battery API to exfiltrate data.

      This truly is trash academia. They have been doing the same shit for years now and beating it through the technical press. Though looking at the Register article, at least it seems to end up on Arxiv only, and not actually wasting paper in the academic press.

  • (Score: 5, Funny) by dwilson on Wednesday May 06 2020, @02:26AM

    by dwilson (2599) Subscriber Badge on Wednesday May 06 2020, @02:26AM (#990947) Journal

    He calls the attack POWER-SUPPLaY.
    [...] Guri and others have developed a handful of similar TEMPEST attack schemes, such as luminance signaling via LCD screen fluctuations (BRIGHTNESS), acoustic signaling using fan modulation (FANSMITTER), data exfiltration via power cables (POWERHAMMER), and covert signaling via keyboard lights (CTRL-ALT-LED).

    I think that the first priority should be finding the twit(s) who come up with these cutesy-but-convoluted acronyms, and patch them so they knock it off.

    Then, we can focus on the other potential problems.

    --
    - D
  • (Score: -1, Troll) by Anonymous Coward on Wednesday May 06 2020, @02:39AM (1 child)

    by Anonymous Coward on Wednesday May 06 2020, @02:39AM (#990952)

    Khazar jewish rats stealing stuff. What else is new?

    Haven't they already included a 5G modem inside the intel processor yet? Or another transceiver of sorts?

    We need to stop these khazar jew rats before they destroy the world with more viruses and data stealing.

    Also remember that one way the khazar jew rat operates is through suggestion. They keep telling you they have compromised processors, power supplies, keyboards and others so that humans will self-censor and not attack the khazar jew rats for the crimes they commit. Hence the 50 bps stealing rate.

    Khazar jew is a destructive, harmful evil that needs to be put back in its cage.

  • (Score: 2, Interesting) by Anonymous Coward on Wednesday May 06 2020, @02:52AM (1 child)

    by Anonymous Coward on Wednesday May 06 2020, @02:52AM (#990956)

    Would that be 50 baud in countries with 50Hz power mains, and 60 baud in countries with 60Hz power mains?

    • (Score: 2) by Osamabobama on Wednesday May 06 2020, @09:25PM

      by Osamabobama (5842) on Wednesday May 06 2020, @09:25PM (#991159)

      Come to America and your side-channel attacks will be 20% faster than in Europe!

      --
      Appended to the end of comments you post. Max: 120 chars.
  • (Score: 0) by Anonymous Coward on Wednesday May 06 2020, @08:15AM (3 children)

    by Anonymous Coward on Wednesday May 06 2020, @08:15AM (#991002)

    With all these loops to go through to completely silence a system, why not install a second (air-gapped) system in the room, with speakers, where input from /dev/random (or some other randomness generator) outputs into the speaker? This way you create a lot of random noise, making the signal you want to detect harder to snoop from.

    • (Score: 2) by Dr Spin on Wednesday May 06 2020, @09:09AM

      by Dr Spin (5239) on Wednesday May 06 2020, @09:09AM (#991007)

      Why not install a second (air-gapped) system in the room

      Or run a second thread on the same machine? - preferably hacking large blocks of contiguous ffs or 00s to deliberately create surges in the PSU load?

      Or, just run N concurrent tasks? (You might already be doing this - check with "ps -ax" - This might not work if you are using Windows, but if you are using Windows and expecting security, you should apply for a brain transplant immediately).

      --
      Warning: Opening your mouth may invalidate your brain!
    • (Score: 0) by Anonymous Coward on Wednesday May 06 2020, @09:16AM (1 child)

      by Anonymous Coward on Wednesday May 06 2020, @09:16AM (#991008)

      We already do that with three layers. Every system and cage has sound dampening insulation. Every fan runs at full speed. And there is the noise generator that makes a sound I cannot really describe as it somehow goes beyond static, to the point where that doesn't really describe what comes out of it.

      • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 06 2020, @08:04PM

        by Anonymous Coward on Wednesday May 06 2020, @08:04PM (#991141)

        I asked a coworker and the term I was looking for was https://en.wikipedia.org/wiki/Colors_of_noise [wikipedia.org]

  • (Score: 2, Funny) by Anonymous Coward on Wednesday May 06 2020, @11:04AM

    by Anonymous Coward on Wednesday May 06 2020, @11:04AM (#991023)

    Video Israeli cyber-security side-channel expert Mordechai Guri has devised a way to pilfer data from devices that have been air-gapped and silenced.

    How is a "Video Israeli" different from any other sort of Israeli?

    Is that some sort of Max Headroom type thing?

  • (Score: 2) by looorg on Wednesday May 06 2020, @11:32AM

    by looorg (578) on Wednesday May 06 2020, @11:32AM (#991028)

    ... anipulates the internal switching frequency of the power supply

    So this is just for switching PSUs? You could just get a linear PSU and be "safe"? So they cost more, make more noise and produce more heat and are generally less efficient but still -- they are "spy safe"?

  • (Score: 2) by Rupert Pupnick on Wednesday May 06 2020, @12:13PM

    by Rupert Pupnick (7277) on Wednesday May 06 2020, @12:13PM (#991032) Journal

    So what’s the path in the infected computer that goes from the file system to the power supply control system? In any system I’ve ever heard of, there isn’t one. If you are designing a system for low cost and reliability, why would you ever put a control path there? The power supply control system should be entirely self-sufficient.

    Also, note the photo in the paper that shows the receiving device (a mobile phone) sitting on the same desk as the computer being targeted. If you have that kind of (even momentary) physical access, why bother with all this BS?

  • (Score: -1, Troll) by Anonymous Coward on Wednesday May 06 2020, @06:42PM

    by Anonymous Coward on Wednesday May 06 2020, @06:42PM (#991124)

    Has anyone noticed that the only ones vying to prove how much smarter than everyone else they are, are the recently graduated Jews, from Unit 8200?

    Yes, I know, what about the Russians? Hate to tell you this - they are RUSSIAN Jews.

    Nobody else thinks it's OK to break into computers. Everyone else is ashamed to do it, ashamed to get caught doing it.

    The only reason the Chinese and the REST of the Russians are doing it is to protect themselves against the Jews. And everyone else. That's what's behind the 5G brouhaha, too. It all goes back to the Jews bugging the White House, back in the 1990s. Comverse Infosys. Etc.

    Putin had the right idea - he had the KGB go back to using typewriters.

    Amazingly, no Jew freshly graduated from Unit 8200 has announced that he is going to start a dot com based upon analyzing the acoustics of typewriters. Why is that? It should be easy.

    I think we ought to start cutting the hands off hackers who are caught violating other peoples' privacy. It's no different from being caught trying to break into someone's diary, desk, dresser, piggy bank, bedroom, closet, or house. They need to be shot in the act and strung up as a lesson to others - "this is what comes of being too smart".

    First offense: 24 hours in the stocks.

    Second offense: your typing hand.

    Third offense: your OTHER typing hand.

    Fourth offense: your head.

  • (Score: 0) by Anonymous Coward on Wednesday May 06 2020, @11:05PM

    by Anonymous Coward on Wednesday May 06 2020, @11:05PM (#991190)

    If you went through all the trouble to air-gap the computer wouldn't it make sense to put it in a Faraday Cage as well?

    I wonder if it's possible to manipulate the power supply so that it drains the power in a patterned sequence that can then be used by someone monitoring the power to look for the sequences and extract useful information from it.

    Could putting the computer behind a line conditioner make this more difficult? Or perhaps running the computer on a battery and cycling recharged batteries over and over so that the computer is not connected to a power source that links to the outside power.
