Audio-gapped defenses breached by covert channel hack

Hacking power supplies allows data to be lifted from air-gapped systems

A security researcher has developed an leftfield technique for extracting data from air-gapped systems that relies on hacking power supplies.

The Mission Impossible-style approach, dubbed ‘POWER-SUPPLaY’, relies on creating an acoustic covert channel by turning a PC’s power supplies into speakers.

The technique, developed by Israeli security researcher Dr Mordechai Guri, is capable of working on secure air-gapped PCs, even in cases where the owners have taken the extra precaution of disabling audio hardware and forbidding the use of loudspeakers.

Providing attackers can first get the POWER-SUPPLaY malware onto the hardware then servers, PCs and IoT devices might still leak data – even if cases where they are both air-gapped and audio-gapped, as Dr Guri explains in a paper.

“Our developed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities,” the researcher explains.

“The malicious code manipulates the internal ‘switching frequency’ of the power supply and hence controls the sound waveforms generated from its capacitors and transformers.”

Sound technique, but caveats apply

Using the POWER-SUPPLaY technique, data files (including keystrokes and encryption keys) can be modulated onto an audio signal and sent to a nearby receiver, such as a smartphone.

The researchers we able to get the approach to work against a wide range of systems, albeit with severe inherent limitations.

One major downside is that the attack is hampered by background noise that may impact the transmission’s quality.

The computer scientist was able to get the technique to work, but only over distances of less than five metres and with data speeds that maxed out at the sluggish 50 bit/sec.

Dr Guri, the head of R&D at the Ben-Gurion University of the Negev’s Cyber-Security Research Center, told The Daily Swig that despite its limitations the technique he developed was nonetheless practical.

“The acoustic method is effective in term of distance,” he explained. “It can reach several meters away. In term of speed is not the fastest covert channel, but [it] is enough for transmitting brief amount of data.”

Dr Guri has built up a body of previous research on other covert techniques to extract data from systems on air-gapped networks.

The latest technique relies on planting malicious code on a targeted network. This can be accomplished by introducing malware on systems as they are built through supply chain attacks, according to Dr Guri.

A short video clip available through YouTube offers a demo of the POWER-SUPPLaY attack in practice.

RECOMMENDED Introducing PwnDrop: A self-deployable file hosting service for red teamers