Stories
Slash Boxes
Comments

SoylentNews is people

posted by chromas on Saturday April 14 2018, @01:23AM   Printer-friendly
from the about-that-thing-you-thought-was-air-gapped... dept.

El Reg reports:

Data exfiltrators send info over PCs' power supply cables

Malware tickles unused cores to put signals in current

If you want your computer to be really secure, disconnect its power cable.
So says Mordechai Guri and his team of side-channel sleuths at the Ben-Gurion University of the Negev.

The crew have penned a paper titled PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines that explains how attackers could install malware that regulates CPU utilisation and creates fluctuations in the current flow that could modulate and encode data. The variations would be "propagated through the power lines" to the outside world.

Depending on the attacker's approach, data could be exfiltrated at between 10 and 1,000 bits-per-second. The higher speed would work if attackers can get at the cable connected to the computer's power supply. The slower speed works if attackers can only access a building's electrical services panel.

The PowerHammer malware spikes the CPU utilisation by choosing cores that aren't currently in use by user operations (to make it less noticeable).

Guri and his pals use frequency shift keying to encode data onto the line.

After that, it's pretty simple, because all the attacker needs is to decide where to put the receiver current clamp: near the target machine if you can get away with it, behind the switchboard if you have to.

This seems hinky to me.

First, there's the point that the bad guys will need PHYSICAL ACCESS to the premises or even to the individual machine.

Next, if the current clamp is put around the typical line cord, the sum of the current in the hot wire and the neutral (return) wire will be zero. (An inductive current sensor is typically put over only one of the wires, so they will need to do some surgery on that cable — which will be obvious.)

Putting a 100% online UPS between the computer and the AC power supply will also interfere. [ed.]


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by MichaelDavidCrawford on Saturday April 14 2018, @03:38AM (3 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Saturday April 14 2018, @03:38AM (#666771) Homepage Journal

    The DOD only requires 7 but the media must be inspected afterwards. If any classified data remains the media must then be incinerated

    --
    Yes I Have No Bananas. [gofundme.com]
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 0) by Anonymous Coward on Saturday April 14 2018, @02:19PM (1 child)

    by Anonymous Coward on Saturday April 14 2018, @02:19PM (#666932)

    When I worked for the DoN we wiped and shipped then to the NSA for destruction. The last time I had to get rid of classified drive we used the degauss and bend method.

    • (Score: 2) by MichaelDavidCrawford on Saturday April 14 2018, @08:15PM

      by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Saturday April 14 2018, @08:15PM (#667019) Homepage Journal

      I wrote an unclassified component - a small component - of some firmware for a defense hardware board. My clients told me to FTP a certain unclassified MIL-SPEC from an air force base.

      That document had the advice to wipe seven times, inspect then maybe incinerate.

      I readily agreed that the NSA would be a far more diligent disk-decomissioner though.

      --
      Yes I Have No Bananas. [gofundme.com]
  • (Score: 3, Informative) by pipedwho on Saturday April 14 2018, @10:15PM

    by pipedwho (2032) on Saturday April 14 2018, @10:15PM (#667074)

    It is highly improbable they can recover anything in modern hardware after even a proper single erasure.

    The NSA is not just about defending against real attacks, but also theoretical attacks, even if those attacks are not currently possible (eg. see quantum computers and classical crypto). Some of those theoretical attacks are on old hardware (20+ years old) that _may_ be susceptible to some edge case attacks that have a non-zero (albeit potentially small) chance of working per each individual circumstance. The cost of this overkill data destruction procedure is infinitesimal compared to their overall operating budget, so no need to optimise for an incredibly minimal cost saving. Keep in mind the NSA is looking forward to defending against possible technology that might not be available for 50+ years. Doesn't mean that have a proof of concept, or that in 50 years it will even be possible; as the technology may not have evolved in the expected direction, there may be too much additional physical deterioration of the original media, or the data is no longer pertinent/valuable.

    Agencies with policies tied to the above procedures are stuck with it, even if it doesn't add any actual additional protection from recovery.

    For everyone else, it is beyond excessive. The cost associated with attempting to recover data like this on such a wide variety of hardware is huge with the overwhelming likelihood of a null result. This is assuming the hardware/drive hasn't been backdoored - either targeted, or en masse due to NSA influence at the drive manufacturer(s) - and if that is the case, then nothing short of physical destruction is going to be sufficient anyway.