POWER-SUPPLaY: Leaking Data from Air-Gapped Systems by Turning the Power-Supplies Into Speakers

Mordechai Guri
Ben-Gurion University of the Negev, Israel
Cyber-Security Research Center
[email protected]
Air-Gap research page: http://www.covertchannels.com
Demo video: http://www.covertchannels.com

arXiv:2005.00395v1 [cs.CR] 1 May 2020

Abstract—It is known that attackers can exfiltrate data from air-gapped computers through their speakers via sonic and ultrasonic waves. To eliminate the threat of such acoustic covert channels in sensitive systems, audio hardware can be disabled and the use of loudspeakers can be strictly forbidden. Such audio-less systems are considered to be audio-gapped, and hence immune to acoustic covert channels.

In this paper, we introduce a technique that enables attackers to leak data acoustically from air-gapped and audio-gapped systems. Our developed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities. The malicious code manipulates the internal switching frequency of the power supply and hence controls the sound waveforms generated from its capacitors and transformers. Our technique enables producing audio tones in a frequency band of 0-24 kHz and playing audio streams (e.g., WAV) from a computer power supply without the need for audio hardware or speakers. Binary data (files, keylogging, encryption keys, etc.) can be modulated over the acoustic signals and sent to a nearby receiver (e.g., smartphone). We show that our technique works with various types of systems: PC workstations and servers, as well as embedded systems and IoT devices that have no audio hardware at all. We provide technical background and discuss implementation details such as signal generation and data modulation. We show that the POWER-SUPPLaY code can operate from an ordinary user-mode process and doesn't need any hardware access or special privileges. Our evaluation shows that using POWER-SUPPLaY, sensitive data can be exfiltrated from air-gapped and audio-gapped systems from a distance of five meters away at a maximal bit rate of 50 bit/sec.

I. INTRODUCTION

Air-gapped computers are kept isolated from the Internet or other less secure networks. Such isolation is often enforced when sensitive or confidential data is involved, in order to reduce the risk of data leakage. Military networks such as the Joint Worldwide Intelligence Communications System (JWICS) [1], as well as networks within financial organizations, critical infrastructure, and commercial industries [2], [3], are known to be air-gapped due to the sensitive data they handle.

Despite the high degree of isolation, even air-gapped networks can be breached using complex attack vectors such as supply chain attacks, malicious insiders, and deceived insiders. Famous air-gap breaching cases include Stuxnet [4] and Agent.BTZ [5], but other incidents have also been reported [6], [7]. In 2018, the US Department of Homeland Security accused Russian government hackers of penetrating America's power utilities [8]. Following reports in the Washington Post in November 2019, the Nuclear Power Corporation of India Limited (NPCIL) confirmed that the Kudankulam Nuclear Power Plant suffered a cyber-attack earlier that year [9].

A. Air-Gap Covert Channels

While the infiltration of such networks has been shown to be feasible, the exfiltration of data from non-networked computers or those without physical access is considered a challenging task. Over the years, different types of out-of-band covert channels have been proposed, exploring the feasibility of data exfiltration through an air-gap. Electromagnetic methods that exploit electromagnetic radiation from different components of the computer are likely the oldest kind of air-gap covert channel researched [10], [11], [12], [13], [14]. Other types of optical [15], [16] and thermal [17] out-of-band channels have also been studied. Acoustic exfiltration of data using inaudible sound has also been explored in many studies [18], [19], [20], [21]. The existing acoustic methods suggest transmitting data through the air-gap via high frequency sound waves generated by computer loudspeakers. Note that existing acoustic covert channels rely on the presence of audio hardware and loudspeakers in the compromised computer.

B. Audio-Gap: Speaker-less, Audio-less Systems

To cope with acoustic covert channels, common practices and security policies strictly prohibit the use of speakers on sensitive computers, in order to create a so-called 'audio-gapped' environment [22], [23]. As an additional defensive measure, the audio chip may be disabled in the UEFI/BIOS to cope with the accidental attachment of loudspeakers to the line-out connectors. Obviously, disabling the audio hardware and keeping speakers disconnected from computers can effectively mitigate the acoustic covert channels presented thus far [24].
C. Our Contribution

In this paper, we introduce a new acoustic channel which doesn't require speakers or other audio related hardware. We show that malware running on a PC can exploit its power supply unit (PSU) and use it as an out-of-band speaker with limited capabilities. The malicious code intentionally manipulates the internal switching frequency of the power supply and hence controls the waveform generated from its capacitors and transformers. This technique enables playing audio streams from a computer even when audio hardware is disabled and speakers are not present. We show that our technique works with various types of systems: PC workstations and servers, as well as embedded systems and IoT devices that have no audio hardware. Binary data can be modulated and transmitted out via the acoustic signals. The acoustic signals can then be intercepted by a nearby receiver (e.g., a smartphone), which demodulates and decodes the data and sends it to the attacker via the Internet.

The proposed method has the following unique characteristics:

• Requires no audio hardware. The method allows malware to play audible and inaudible sounds from systems which are completely audio-gapped (e.g., speakers are disconnected) or systems that don't have any type of audio hardware (e.g., embedded devices).

• Requires no special privileges. The method doesn't require special privileges or access to hardware resources. The transmitting code can be initiated from an ordinary user-space process and is highly evasive.

The rest of this paper is organized as follows: The attack model is discussed in Section II. Related work is presented in Section III. Background on the power supply acoustics is provided in Section IV. Section V and Section VII, respectively, contain details on the transmitter and receiver. Section VIII describes the analysis and evaluation. Countermeasures are discussed in Section IX. We conclude in Section X.

Fig. 1: Exfiltration scenario: malware within the infected air-gapped, audio-gapped (speaker-less) computer (A) leaks a file through inaudible sound waves played through the power supply. The file is received by a nearby smartphone (B).

II. ATTACK MODEL

The capability of generating acoustic tones through power supplies can be considered a general contribution to the field of acoustic covert channels, regardless of its connection to the air-gap. However, in this paper, we investigate it as a method of exfiltrating information from air-gapped, audio-gapped systems. Similar to other covert communication channels, the adversarial attack model consists of a transmitter and a receiver. Typically in such scenarios, the transmitter is a computer, and the receiver is a nearby mobile phone belonging to an employee or visitor (Figure 1).

1) Infection phase: In a preliminary stage, the transmitter and receiver are compromised by the attacker. Infecting highly secure networks can be accomplished, as demonstrated by the attacks involving Stuxnet [4] and Agent.Btz [5], and other attacks [25], [6], [7]. In our case, the infected computer must be equipped with an internal power supply, which exists in virtually every computerized system today. In addition, the mobile phones of employees are identified, possibly by social engineering techniques. The employees are assumed to carry their mobile phones around the workplace. These devices are then infected, either online, by exploiting a device's vulnerabilities, or by physical contact when possible. Infecting a mobile phone can be accomplished via different attack vectors, using emails, SMS/MMS, malicious apps, malicious websites, and so on [26], [27], [28], [29], [30].

2) Exfiltration phase: In the exfiltration phase, the malware in the compromised computer gathers sensitive data of interest. The data can be files, keystroke logging, credentials (e.g., passwords), or encryption keys. The malware then modulates and transmits the data using the acoustic sound waves emitted from the computer's power supply (Figure 2). A nearby infected mobile phone detects the transmission, demodulates and decodes the data, and transfers it to the attacker via the Internet using mobile data or Wi-Fi. Note that in this paper, we demonstrate the attack model using a mobile phone receiver, a device which is commonly located in the vicinity of a computer. Other types of receivers are devices with internal or external microphones such as laptops and desktop workstations.

III. RELATED WORK

Covert channels in networked environments have been widely discussed in professional literature for years [31], [32], [33]. In these covert channels, attackers may hide data within existing network protocols (such as HTTPS, SMTP and DNS), conceal data within images (steganography), encode it in packet timings and so on.

Our work focuses on the challenge of leaking data from computers that have no network connectivity (air-gapped computers). Over the years different types of out-of-band covert channels have been proposed, allowing the attacker to bridge the air-gap isolation. The methods can be mainly categorized into electromagnetic and magnetic, optical, thermal, and acoustic covert channels.

Electromagnetic emissions are probably the oldest type of methods that have been explored academically with regard to air-gap communication. In a pioneer work in this field, Kuhn
TABLE I: Summary of existing air-gap covert channels

Type                  Method
Electromagnetic       AirHopper [10], [2] (FM radio)
                      GSMem [14] (cellular frequencies)
                      USBee [36] (USB bus emission)
                      Funthenna [35] (GPIO emission)
                      PowerHammer [39] (power lines)
Magnetic              MAGNETO [38] (CPU-generated magnetic fields)
                      ODINI [37] (Faraday shields bypass)
Acoustic              Ultrasonic (speaker-to-mic) [18], [45]
                      MOSQUITO [21] (speaker-to-speaker)
                      Fansmitter [46] (fans noise)
                      DiskFiltration [47] (hard disk noise)
Thermal               BitWhisper [17] (heat emission)
Optical               LED-it-GO [16] (hard drive LED)
                      VisiSploit [43] (invisible pixels)
                      Fast blinking images [44]
                      Keyboard LEDs [15]
                      CTRL-ALT-LED: keyboard LEDs [40]
                      Router LEDs [41]
                      aIR-Jumper [42] (Infrared, security cameras)
Vibrations (Seismic)  AiR-ViBeR [48] (Surface vibrations)

Fig. 2: The information has been exfiltrated via covert ultrasonic sound signals played from the power supply. As can be seen in the spectrogram, four different frequencies are used for modulation.

[Spectrogram: Frequency (kHz) 7.5 to 9 against Time (s) 0 to 25, Power (dB) -65 to -30]
Fig. 3: Part of the song 'Happy Birthday' as played through the power supply.

and Anderson [11] discuss hidden data transmission using electromagnetic emissions from video cards. Back in 2001, Thiele [34] utilized the computer monitor to transmit radio signals to a nearby AM radio receiver. AirHopper malware [10], [2], introduced in 2014 by Guri et al., exploits video card emissions to bridge the air-gap between isolated computers and nearby mobile phones via FM radio signals. In a similar manner, GSMem [14], Funthenna [35] and USBee [36] introduce attack scenarios in which attackers use different sources of electromagnetic radiation on a computer's motherboard as covert exfiltration channels. More recently, Guri et al. proposed using the low-frequency magnetic fields emitted from the computer CPU for covert data exfiltration in order to leak data from Faraday caged air-gapped computers [37], [38]. In 2018, Guri et al. also introduced PowerHammer, a method in which malware on air-gapped computers exfiltrates data through the main power lines using conducted emissions [39].

Several studies have proposed the use of optical emanation for air-gap communication. In 2002, Loughry and Umphress proposed the exfiltration of data by blinking the LEDs on the PC keyboard [15]. In 2019, Guri et al. presented CTRL-ALT-LED, a malware which can exfiltrate data from an air-gapped computer via the keyboard LEDs of modern USB keyboards [40]. In 2016, Shamir et al. demonstrated how to establish a covert channel through the air-gap using a malware, remote lasers, and scanners [23]. Guri et al. also presented covert channels that use the hard drive indicator LED [16], the router LEDs [41], and security camera IR LEDs [42] to leak data from air-gapped networks. VisiSploit [43] is another optical covert channel in which data is leaked through a hidden image projected on an LCD screen. Guri also showed how to exfiltrate data from air-gapped computers via fast blinking images [44]. BitWhisper [17] is a thermal based covert channel which enables covert communication between two adjacent air-gapped computers via the exchange of so-called 'thermal-pings.'

In acoustic covert channels, data is transmitted via audible or inaudible sound waves. In 2005, Madhavapeddy et al. [20] discuss 'audio networking,' which allows data transmission between a pair of desktop computers, using off-the-shelf speakers and a microphone. In 2013, Hanspach and Goetz [18] extended this method for near-ultrasonic covert networking between
air-gapped laptops using built-in speakers and microphones. They created a mesh network and used it to implement an air-gapped key-logger which demonstrates the covert channel. The concept of communicating over inaudible sounds has been extended for different scenarios using laptops and smartphones [19]. In 2018, researchers presented MOSQUITO [21], a covert communication channel between two air-gapped computers (without microphones) via so-called 'speaker-to-speaker' communication. In 2020, researchers presented a new type of vibrational (seismic) covert channel dubbed AiR-ViBeR. In this technique, data is modulated in unnoticeable vibrations generated by the computer fans. The vibrations can be received and decoded by nearby smartphones via the integrated, sensitive accelerometers.

A. Speaker-less Methods

All of the acoustic methods described above require the presence of external or internal speakers in the transmitting computer. This is considered a restrictive requirement, since loudspeakers are commonly forbidden in air-gapped computers [24], [22]. The elimination of loudspeakers is the most effective defense against the speaker-to-microphone and speaker-to-speaker covert channels discussed above [49].

In 2016, Guri et al. presented DiskFiltration, a method that uses the acoustic signals emitted from the hard disk drive (HDD) to exfiltrate data from air-gapped computers [47]. Although this method doesn't need a speaker, it is limited in terms of distance (up to two meters), and it doesn't work on newer technologies such as solid-state drives (SSDs). In 2016, Guri et al. also introduced Fansmitter, malware which facilitates the exfiltration of data from an air-gapped computer via noise intentionally emitted from PC fans [46]. In this method, the transmitting computer does not need to be equipped with audio hardware or an internal or external speaker. This method uses the internal fans that exist in most laptops, desktops and server computers, and it is effective for longer distances of 6-7 meters and more. POWER-SUPPLaY differs from the DiskFiltration and Fansmitter methods in two aspects. First, it uses only basic CPU instructions and does not use system resources like the HDD (DiskFiltration) or fans (Fansmitter). This makes it difficult for detection systems to identify the malicious activity of the transmitter. Second, POWER-SUPPLaY can operate at bit rates of 50 bit/sec, which is much faster than Fansmitter (1 bit/sec) and DiskFiltration (3 bit/sec). In addition, POWER-SUPPLaY has the flexibility of generating acoustic tones in the 0-24 kHz frequency band, which implies that it is capable of generating both audible and inaudible sounds. Figure 3 shows the spectrogram of a part of the song 'Happy Birthday' as played from the power supply using the POWER-SUPPLaY technique.

Table 1 summarizes the existing covert channels for air-gapped computers.

IV. TECHNICAL BACKGROUND

In this section we provide the technical background on switch-mode power supplies (SMPSs), discuss the acoustic emission of SMPSs and describe the signal generation.

A. Switch-Mode Power Supplies

Computers consume power using their power supplies. Modern SMPS are used in all types of electronic equipment today, including computers, TVs, printers, Internet of Things (IoT) and embedded devices, and cell phone chargers. The advantages of SMPSs over the older linear power supplies include their higher efficiency, smaller size, and lighter weight. An in-depth discussion on the design of SMPSs is beyond the scope of this paper, and we refer the interested reader to handbooks on this topic [50]. Briefly, an SMPS transfers power from a 220V AC source to several DC loads while converting voltage and current characteristics. In the SMPS, the AC power passes through fuses and a line filter, and is then rectified by a full-wave bridge rectifier. The rectified voltage is applied to the power factor correction module and regulated via DC to DC converters.

B. SMPS Acoustic Emission

The DC supply from a rectifier or battery is fed to the inverter where it is turned on and off at high rates by the switching MOSFET or power transistors. This switching rate is also known as the switching frequency of the SMPS. The typical switching frequency of a computer power supply is between 20 kHz and 20 MHz.

The switching frequency affects, among other components in the SMPS, the transformers and capacitors. These are the primary sources of the acoustic noise generated by the SMPS.

• Transformers' Audible Noise. Transformers produce audible noise, since they contain many physically movable elements, such as coils, isolation tapes, and bobbins. The current in the coils, which occurs at the switching frequency, produces electromagnetic fields which generate repulsive and/or attractive forces between the coils. This can produce a mechanical vibration in the coils, ferrite cores, or isolation tapes.

• Capacitors' Audible Noise. Ceramic capacitors can produce audible noise, since they have piezoelectric characteristics. The piezoelectric acoustic effect on the capacitor is commonly described as "singing capacitors". This noise is actually the result of vibrations of the capacitor on the Printed Circuit Board (PCB) that occur in normal working conditions. These vibrations cause capacitor displacement, as shown in Figure 4. The frequency and amplitude of the displacement determine the acoustic waveform generated from the capacitors. When the vibration frequency occurs within the audible range,

[Illustration: a capacitor on the PCB, with vibrations drawn above it]
Fig. 4: Illustration of the singing capacitor phenomenon
approximately 20 Hz to 20 kHz, it may also be heard as an audible hum. The range between 20 kHz and 24 kHz is considered 'near-ultrasonic' and can not be heard by most humans.

The typical switching frequency of SMPS during its normal operation is within the range of 20kHz-20MHz. Thus, the acoustic signal generated by SMPS is mainly in a frequency range of 20kHz and higher. This range is at the upper bound of human hearing and considered inaudible to adult humans.

V. TRANSMISSION

A. Signal Generation

Since modern CPUs are energy efficient, the momentary workload of the CPU directly affects the dynamic changes in its power consumption [51]. By regulating the workload of the CPU, it is possible to govern its power consumption, and hence control the momentary switching frequency of the SMPS. By intentionally starting and stopping the CPU workload, we are able to set the SMPS so it switches at a specified frequency and hence emit an acoustic signal and modulate binary data over it.

To generate a switching frequency fc, we control the utilization of the CPU at a frequency correlated to fc. To that end, n worker threads are created where each thread is bound to a specific core. To generate the carrier wave, each worker thread overloads its core at a frequency fc, repeatedly alternating between applying a continuous workload on its core for a time period of 1/2fc and putting its core in an idle state for a time period of 1/2fc.

Algorithm 1 transmit(cores, freq, time)
    pthread_barrier_init(&halfCycleBarrierHI, NULL, cores)
    pthread_barrier_init(&halfCycleBarrierLO, NULL, cores)
    for i ← 1 to cores do
        threadCreate(worker)
    end for
    end ← clock_gettime() + time
    halfCycleNano ← 0.5 * NANO_PER_SECOND / freq
    cycleNano ← NANO_PER_SECOND / freq
    while clock_gettime() < end do
        LO ← 0
        pthread_barrier_wait(&halfCycleBarrierLO)
        while clock_gettime() % cycleNano < halfCycleNano do
        end while
        LO ← 1
        pthread_barrier_wait(&halfCycleBarrierHI)
        while clock_gettime() % cycleNano >= halfCycleNano do
        end while
    end while

Algorithm 2 worker(threadState)
    while true do
        // sync threads on end of LO half cycle
        pthread_barrier_wait(&halfCycleBarrierLO)
        // HI half cycle - busy loop
        while !LO do
        end while
        // sync threads on end of HI half cycle
        pthread_barrier_wait(&halfCycleBarrierHI)
    end while

[Illustration: Core 1 ... Core n, each alternating busy loops at frequency f, aligned by the high (half cycle) and low (half cycle) barriers]
Fig. 5: n cores utilization during a transmission

Algorithm 1 shows the generation of an acoustic tone (freq) for a time duration of (time) milliseconds, using (nCores) cores. At the beginning we initiate (nCores) threads and bind each thread to a specific core. The switching frequency is generated by each worker thread by employing busy loops and barrier objects. We overload the core using the busy waiting technique. This causes full utilization of the core for the time period and returns. The worker threads are synchronized with barrier objects, allowing them to start and stop the switching frequency altogether. The main thread governs the synchronization of the worker threads, changing the cycle state flag according to the barrier timing. This ensures that the generation of the duty cycles is precisely timed between the cores. Figure 5 illustrates the cores' utilization during the generation of a carrier wave fc. Note that the power of the generated signal is correlated to the number of cores that participate in the transmission. The utilization of more cores yields more power consumption and hence more 'dancing capacitors'.

Based on the algorithm above, we implemented a transmitter for Linux Ubuntu (version 16.04, 64 bit). We used the sched_setaffinity system call to bind each thread to a CPU core. The affinity is the thread level attribute that is configured independently for each worker thread. To synchronize the initiation and termination of the worker threads, we used the thread barrier objects with pthread_barrier_wait() [52]. Note that the precision of sleep() is not sufficient for our needs given the frequencies of the carrier waves, which are at 24kHz or lower.
[Illustration: Malware -> Threads -> CPU switching frequency f -> Power Supply -> Acoustic tone f; Core switching frequencies]
Fig. 6: The signal generation

[Spectrogram: Cores 1-4]
Fig. 7: Spectrogram of the FSK modulation. The acoustic signals generated from the PC power supply.

[Illustration: Core 1 ... Core 4, each driving its own subcarrier f1 ... f4 -> Power Supply -> OFDM (Cores 1-4, 4 subcarriers)]
Fig. 8: Illustration of the OFDM modulation

[Spectrogram: Core 1, Core 2, Core 3, Core 4]
Fig. 9: Spectrogram of the OFDM modulation

B. Data Transfer

The acoustic signal can be used to carry digital information using modulation schemes. For the data transfer we used the Frequency-Shift Keying (FSK) and the more advanced Orthogonal Frequency-Division Multiplexing (OFDM) modulation schemes.

1) Frequency-Shift Keying: In frequency-shift keying (FSK) the data is represented by a change in the frequency of a carrier wave. Recall that the transmitting code can determine the frequency of the generated signal. In FSK, each frequency represents a different symbol.

Figure 6 illustrates the generation of FSK signals. In this case, n threads are bound to the CPU cores. All threads are transmitting in the same carrier at a given time, and hence generating a distinct switching frequency for each symbol. The generated acoustic tone is correlated with this switching frequency.

Figure 7 shows the time-frequency spectrogram of a binary sequence ('010101010') modulated with two-frequency FSK (B-FSK) as transmitted from a PC with four cores. In this modulation, the frequencies 8500Hz and 8750Hz have been used to encode the symbols '0' and '1', respectively.

2) Orthogonal Frequency-Division Multiplexing: We developed a fine-grained approach, in which we control the workload of each of the CPU cores independently from the other cores. Regulating the workload of each core separately enables greater control of the momentary switching frequency. By controlling the workload of each core separately, we can use a different sub-carrier for each transmitting core. This allows us to employ a more efficient modulation scheme such as orthogonal frequency-division multiplexing (OFDM).

In orthogonal frequency-division multiplexing data is represented by multiple carrier frequencies in parallel. In our case, we use different cores to transmit data in different sub-carriers. In each sub-carrier, we used on-off keying (OOK) to modulate the data. Note that since the sub-carriers' signals are generated in parallel, the maximal number of sub-carriers is equal to the number of cores available for the transmissions.

Figure 8 illustrates the generation of OFDM signals. In this case, 4 threads are bound to the 4 CPU cores. Each thread transmits in a different sub-carrier, and hence generates a different switching frequency. The acoustic tone is compounded from all the switching frequencies generated by the sub-carriers.

Figure 9 presents a binary sequence modulated with OFDM with four sub-carriers as transmitted from a PC with four cores. In this modulation, 8000Hz (core 1), 8200Hz (core 2), 8400Hz (core 3) and 8600Hz (core 4) have been used to encode the symbols '00', '01', '10' and '11', respectively.

C. Transmission Protocol

We transmit the data in small packets composed of a preamble, a payload, and a cyclic redundancy check (CRC) code.

• Preamble. A preamble header is transmitted at the beginning of every packet. It consists of a sequence of eight alternating bits ('10101010') which helps the receiver determine the carrier wave frequency and amplitude. In addition, the preamble allows the receiver to detect the beginning of a transmission. Note that in our covert channel the amplitude of the carrier wave is unknown to the receiver in advance, and it mainly depends on what type of transmitting computer is used, the number of cores participating in the transmission, and the distance between the transmitter and the receiver. These parameters are synchronized with the receiver during the preamble.
[Illustration of the frame layout: PREAMBLE | PAYLOAD | CRC, with the sync bits (01010101) in the preamble]
Fig. 10: Spectrogram of a frame modulated with B-FSK as transmitted from a PC power supply

Fig. 11: Spectrogram of a frame modulated with B-FSK as transmitted from a PC power supply

• Payload. The payload is the raw data to be transmitted. In our case, we arbitrarily choose 32 bits as the payload size.

• CRC. For error detection, an eight bit CRC (cyclic redundancy check) is added to the end of the frame. The receiver calculates the CRC for the received payload, and if it differs from the received CRC bits, an error is detected. A spectrogram of a full frame transmitted from a computer is presented in Figure 11. In this case, a B-FSK was used with frequencies of 8400Hz and 8600Hz.

VI. AUDIO FORMATS

We implemented a program which plays digital audio streams through the power supply. Our implementation supports the Waveform Audio File (WAV) format. The most common WAV format encodes uncompressed audio in pulse code modulation (PCM). There are two fundamental parameters which should be considered when playing audio streams: the sample rate and the bit depth. We briefly discuss each with regard to playing audio through the power supply.

A. Sample Rate

The sampling rate (measured in kHz) of an audio file is the number of samples of audio carried per second. According to the Nyquist Theorem, the maximum frequency that can be represented in an audio file is half of the sample rate. Most sound cards can play audio streams at 48kHz, which is the sample rate used for DVDs. In the case of SMPS, the maximum playing frequency depends on the maximum rate at which we can start and stop utilizing the CPU cores, which directly affects the SMPS switching frequency. Using the barriers and busy loop technique described above, we could switch each CPU core at 100kHz, and hence are capable of playing audio streams at lower rates of 48kHz.

B. Bit Depth

In digital audio the bit depth represents the number of possible amplitude values for a sample. The amplitude of each sample is encoded by a number of bits, which is the bit depth of the audio stream. In standard sound cards, the amplitude of a sample is sent to the digital-to-analog converter (DAC) component and played through the loudspeakers. The loudspeakers' membranes vibrate with a power correlated to the amplitude, which produces the desired signal. In the case of SMPS, the amplitude of the signal generated from the capacitors is constant and produces square acoustic waves. This represents a simple audio stream with a depth of only 1 bit (signal/no-signal). In order to play complex audio streams with a wider bit depth, we implemented two different modulation techniques: (1) amplitude modulation (AM), and (2) pulse width modulation (PWM).

1) Amplitude Modulation: As described in the signal generation section, the number of cores used for signal generation affects the strength of the signal. This is because the more cores that are utilized, the more capacitors and transformers that are switched in the SMPS. This enables some control of the amplitude generated for each sample. Given N virtual cores, it is possible to play each sample at N different amplitudes and hence play audio streams with a bit depth of roughly N. Figure 12 shows the waveform of a signal with three amplitudes generated with the AM technique. In this case, the signal is generated using four, two and one cores.

[Waveform: Magnitude (dB) 0 to 50 against Time (s) 0 to 12]
Fig. 12: Three amplitudes generated with the AM technique

2) Pulse Width Modulation: PWM is a method of reducing the average power delivered by an electrical signal, by effectively breaking it into discrete parts. The average value
of voltage (and current) fed to the load is controlled by turning the switch between the supply and load on and off at a fast rate. The longer the switch is on compared to the time it is off, the greater the total amount of power supplied to the load. By carefully timing a short pulse (i.e., going from one output level to the other and back), the end result corresponds to intermediate sound levels, functioning as a crude DAC. PWM allows an approximate playback of WAV and PCM audio.

[Fig. 13: Illustration of a PWM modulated signal (busy loop for 75% of the period, idle for 25%)]

The sound level of a sample is determined by the duration of the CPU utilization, i.e., the duty cycle of the signal. A short duty cycle corresponds to low power (low volume), because the power is off for most of the time, while a long duty cycle corresponds to high power (high volume). We calculate the duty cycle required for each sample given its amplitude value. Figure 13 illustrates a signal generated with a duty cycle of 75%, which implies a signal which is 25% stronger than an average (50% duty cycle) signal in the stream. Figure 14 contains the spectrogram of a signal with eight decreasing amplitudes, generated with the PWM technique. In this case, the signal is generated using eight duty cycles which decrease over time.

[Fig. 14: Eight levels of sound using the PWM technique]

C. Play WAV via Power-Supply

Based on the AM and PWM techniques described above, we implemented a program which plays PCM and WAV files through the power supply. Our PowerSupplay [AM | PWM] wav_file.wav program determines which type of modulation to use and plays the WAV file using the corresponding technique.

VII. RECEPTION

We implemented a receiver as an app for the Android OS. The main functionality of the receiver is (1) sampling the signal, (2) performing signal processing, (3) detecting the preamble header, (4) demodulating the payload, and (5) handling errors.

The main functionality of the receiver is run in a separate thread. It is responsible for data sampling, signal processing, and data demodulation. An outline of the receiver is presented in Algorithm 1; this is followed by a description.

Algorithm 1
1: procedure RECEIVER
2:   raw_signal = sample(44.1kHz)
3:   signal = FFT(raw_signal)
4:   if (state == PREAMBLE) then
5:     if (DetectPreamble(signal) == true) then
6:       T, f0, f1 = ExtractChannelParams(signal)
7:       SetState(DEMODULATE)
8:     end if
9:   end if
10:  if (state == DEMODULATE) then
11:    bit = Demodulate(signal)
12:    data.add(bit)
13:    if (data.size % (32 + 8) == 0) then
14:      SetState(PREAMBLE)
15:    end if
16:    if (SignalLost(signal)) then
17:      SetState(PREAMBLE)
18:    end if
19:  end if
20: end procedure

1) Signal Sampling and Downsampling: In order to analyze the waveforms in the frequency domain, we record data at a rate of 44.1kHz and save it to a temporary buffer.

2) Signal Processing: The first step is to measure the signal and transfer it to the frequency domain. This step includes performing a fast Fourier transform (FFT) on the sampled signal. The measured signal is stored in a buffer after applying a filter for noise mitigation. This data is used later in the demodulation routines. The noise mitigation function is applied to the current sample by averaging it with the last w samples.

3) Preamble Detection: In the PREAMBLE state the receiver searches for a preamble sequence to identify a frame header (lines 5-8). If the preamble sequence '10101010' is detected, the state is changed to DEMODULATE to initiate the demodulation process. Based on the preamble sequence, the receiver determines the channel parameters: the symbol time (T) and the frequencies f0 and f1.

4) Demodulation: In the DEMODULATE state the payload is demodulated given the signal parameters retrieved in the PREAMBLE state. The demodulated bit is added to the current payload. When the 32-bit payload and the 8-bit CRC have been received, the algorithm returns to the preamble detection state (PREAMBLE).

5) Error Handling: The SignalLost() function returns true if, during the data reception, the signal power measured in
the carrier frequency is weaker than the amplitude of the '0's from the preamble for three seconds straight. In this case, any partially received data is discarded, and the function returns to the PREAMBLE state. Signal loss may occur if the malware stops the transmission (e.g., for stealth or because the computer has shut down). Signal loss may also occur if the receiving smartphone has been moved away from the transmitting computer.

[Fig. 15: The raw signal and the demodulated bits]

[Fig. 16: The sweep signal recorded from PC-1 (spectrogram view; frequency 0-24 kHz vs. time 0-26 s)]
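The frame format of Section V (the preamble 10101010, a 32-bit payload and an 8-bit CRC), the B-FSK tones of Figure 11 and the five receiver steps above, as an added example that is not the paper's transmitter or Android receiver. The PSU's acoustic tone is stood in for by a synthesized sine, i.e. the input models what the smartphone microphone records, not the CPU-load modulation of Section V. The CRC-8 polynomial (0x07), the bit rate (10 bit/s, T = 100 ms), symbol-aligned windows, the Goertzel tone detector in place of the FFT, and the carrier threshold behind SignalLost() are all assumptions, since the page does not state them:

```python
"""B-FSK framing and an Algorithm 1 style receiver for the POWER-SUPPLaY channel.

Added example, not the paper's code. Assumptions not stated on the page:
CRC-8 polynomial 0x07, 10 bit/s (T = 100 ms), symbol-aligned windows,
and the normalized carrier threshold used by SignalLost().
"""
import math

FS = 44100              # receiver sampling rate (Section VII)
F0, F1 = 8400, 8600     # B-FSK tones from Figure 11
BIT_RATE = 10           # assumed: 10 bit/s, so T = 100 ms
N = FS // BIT_RATE      # samples per symbol (4410)
PREAMBLE = "10101010"
PAYLOAD_BITS, CRC_BITS = 32, 8
LOST_SECONDS = 3        # SignalLost(): weak carrier for three seconds straight
LOST_SYMBOLS = LOST_SECONDS * BIT_RATE
CARRIER_MIN = 1e-3      # assumed: normalized tone power below this means "no carrier"


def crc8(data, poly=0x07):
    """CRC-8, MSB first, init 0x00, no reflection (assumed polynomial 0x07)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def build_frame(payload):
    """Preamble + 32-bit payload + 8-bit CRC over the payload bytes, as a bit string."""
    return PREAMBLE + format(payload, "032b") + format(crc8(payload.to_bytes(4, "big")), "08b")


def modulate(bits, amplitude=0.5):
    """One sine burst of N samples per bit: F1 for '1', F0 for '0' (models the recorded tone)."""
    out = []
    for b in bits:
        f = F1 if b == "1" else F0
        out.extend(amplitude * math.sin(2.0 * math.pi * f * n / FS) for n in range(N))
    return out


def silence(seconds):
    return [0.0] * int(FS * seconds)


def tone_power(frame, freq):
    """Normalized power of one DFT bin (Goertzel); stands in for the FFT of Algorithm 1, line 3."""
    n = len(frame)
    k = round(n * freq / FS)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)


def receive(samples):
    """Window-by-window state machine; returns (payload, crc_ok) for every completed frame.

    A frame interrupted by LOST_SYMBOLS windows without carrier is discarded,
    as SignalLost() does in the paper (lines 16-18).
    """
    state, bits, recent, lost = "PREAMBLE", "", "", 0
    frames = []
    for start in range(0, len(samples) - N + 1, N):
        window = samples[start:start + N]
        p0, p1 = tone_power(window, F0), tone_power(window, F1)
        bit = "1" if p1 > p0 else "0"                # Demodulate(): the stronger tone wins
        carrier = max(p0, p1) > CARRIER_MIN
        if state == "PREAMBLE":                      # lines 4-9
            recent = (recent + bit)[-len(PREAMBLE):]
            if carrier and recent == PREAMBLE:
                state, bits, lost = "DEMODULATE", "", 0
            continue
        lost = 0 if carrier else lost + 1            # SignalLost()
        if lost >= LOST_SYMBOLS:
            state, recent = "PREAMBLE", ""           # partial data is discarded
            continue
        bits += bit                                  # lines 11-12
        if len(bits) == PAYLOAD_BITS + CRC_BITS:     # lines 13-15
            payload = int(bits[:PAYLOAD_BITS], 2)
            crc_ok = int(bits[PAYLOAD_BITS:], 2) == crc8(payload.to_bytes(4, "big"))
            frames.append((payload, crc_ok))
            state, recent = "PREAMBLE", ""
    return frames


if __name__ == "__main__":
    # Constructed stream: a full frame, a frame cut after 8 payload bits followed
    # by 3.5 s of silence (discarded by SignalLost), then another full frame.
    stream = (modulate(build_frame(0xDEADBEEF)) + silence(0.5)
              + modulate(build_frame(0x12345678)[:16]) + silence(3.5)
              + modulate(build_frame(0x0BADF00D)))
    print([(hex(p), ok) for p, ok in receive(stream)])
```

At 10 bit/s a full frame takes 4.8 s, so a transmission that stops early is caught by the three-second rule before 40 bits accumulate; at the higher rates in the evaluation (40-60 bit/s) a frame completes in well under three seconds, and a truncated frame shows up as a CRC failure rather than as a signal-loss reset.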
The demodulation is depicted in Figure 15. The upper image presents the raw acoustic signal recorded by a nearby smartphone. The spectrogram in the lower image shows the demodulated bits.
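Returning to the PWM playback of Section VI-B and the PowerSupplay program of Section VI-C: the following added example (not the paper's program) turns a 16-bit PCM WAV file into the per-period busy/idle schedule that a transmitting thread would execute. The page does not give the amplitude-to-duty-cycle mapping, the control rate or the thread structure, so these are assumptions: the duty cycle of a normalized sample x in [-1, 1] is d = (x + 1) / 2 (silence is 50%, a full-scale peak is 100%, which matches the reading of Figure 13 where 75% is 25% stronger than average), the audio is block-averaged down to a 1 kHz control rate because busy/idle periods cannot be scheduled with 44.1 kHz granularity, and a single thread is used:

```python
"""PWM playback schedule for a PCM WAV file (a model of Section VI-B/VI-C).

Added example, not the paper's PowerSupplay program. Assumptions: duty
cycle d = (x + 1) / 2 for a normalized sample x; decimation to a 1 kHz
control rate; one transmitting thread.
"""
import io
import math
import struct
import time
import wave


def read_pcm16(wav_bytes):
    """Parse 16-bit PCM WAV bytes; returns (sample_rate, first-channel samples in [-1, 1])."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as wf:
        if wf.getsampwidth() != 2:
            raise ValueError("only 16-bit PCM WAV is supported")
        rate, channels = wf.getframerate(), wf.getnchannels()
        raw = wf.readframes(wf.getnframes())
    ints = struct.unpack("<%dh" % (len(raw) // 2), raw)
    return rate, [v / 32768.0 for v in ints[::channels]]


def duty_cycles(samples, rate, control_rate=1000):
    """Block-average the audio down to control_rate and map each block to a duty cycle."""
    block = max(1, rate // control_rate)
    duties = []
    for i in range(0, len(samples), block):
        chunk = samples[i:i + block]
        x = sum(chunk) / len(chunk)
        duties.append(min(1.0, max(0.0, (x + 1.0) / 2.0)))   # assumed mapping
    return duties, rate / block


def pwm_schedule(duties, control_rate):
    """(busy_seconds, idle_seconds) for each control period, cf. Figure 13."""
    period = 1.0 / control_rate
    return [(d * period, (1.0 - d) * period) for d in duties]


def play(schedule, busy=None, idle=None):
    """Execute the schedule on the calling thread: spin for busy_s, then yield for idle_s.

    The resulting CPU load pattern is what moves the PSU switching frequency.
    The callbacks allow a dry run (the defaults really load the CPU).
    Returns the number of periods executed.
    """
    def spin(seconds):
        end = time.perf_counter() + seconds
        while time.perf_counter() < end:
            pass
    busy, idle = busy or spin, idle or time.sleep
    for busy_s, idle_s in schedule:
        busy(busy_s)
        idle(idle_s)
    return len(schedule)


def envelope(duties, blocks_per_level):
    """Peak deviation from the 50% (silent) duty cycle per group of blocks."""
    return [max(abs(d - 0.5) for d in duties[i:i + blocks_per_level])
            for i in range(0, len(duties), blocks_per_level)]


def make_test_wav(levels, rate=8000, hold=0.05, tone_hz=50):
    """Constructed input: a 50 Hz tone whose amplitude steps through `levels` (cf. Figure 14)."""
    frames = bytearray()
    for a in levels:
        for n in range(int(rate * hold)):
            frames += struct.pack("<h", int(32767 * a * math.sin(2.0 * math.pi * tone_hz * n / rate)))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as wf:
        wf.setnchannels(1)
        wf.setsampwidth(2)
        wf.setframerate(rate)
        wf.writeframes(bytes(frames))
    return buf.getvalue()


if __name__ == "__main__":
    rate, samples = read_pcm16(make_test_wav([1.0, 0.75, 0.5, 0.25, 0.125]))
    duties, crate = duty_cycles(samples, rate)
    print("%d periods at %.0f Hz, envelope per level: %s" % (len(duties), crate, envelope(duties, 50)))
```

The envelope helper shows the eight-step effect of Figure 14 in numbers: each amplitude level maps to a proportionally smaller swing of the duty cycle around 50%. The decimation step is also where the sample-rate limit of Section VI-A bites in practice: whatever the WAV's rate, the reproduced audio cannot contain content above half the control rate.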
[Fig. 17: The sweep signal recorded from NUK (spectrogram view; frequency 0-24 kHz vs. time 0-27.2 s)]

VIII. EVALUATION

In this section we provide an analysis and evaluation of the acoustic waveforms generated through the power supply. We also present the experimental setup and discuss the measurements and results.

A. Measurements Setup

1) Transmitters: We examined the acoustic signal generated from six types of computers: three standard desktop workstations (PC-1, PC-2, and PC-3), a server machine with multi-core processors (Server), a small form factor computer (NUK), and a low power embedded device (IOT). A detailed list of the computers tested and their technical specifications is provided in Table II.

2) Receiver: During the tests, the acoustic signals were recorded with a Samsung Galaxy S7 (G930F) smartphone running the Android OS. The audio sampling was performed using the smartphone's internal microphone at a sampling rate of 44.1kHz. We used the MathWorks MATLAB environment for signal processing, and the Praat framework for additional spectral analysis [53].

B. Spectral View

Power supplies are not intended to generate sound and hence are limited in terms of the acoustic signal they can produce. Unlike loudspeakers, which can generate sound waves in the entire spectrum of 0-24kHz, a good quality signal generated from the PSU transformers and capacitors is only obtained at certain fragmented bands of the spectrum. These ranges are largely specific to each PSU, and depend on its internal design, structure, and the type of transformers and capacitors. We examined the frequency bands of each of the six PSUs by analyzing the chirp signal they generate. This signal, also known as a sweep signal, is generated by gradually increasing the switching frequency of the PSU from the minimum to the maximum of a specific range. In our case, we examined the sweep signal in the band of 0-24kHz, which can be received by a nearby smartphone. For the analysis of the chirp signal, the recording smartphone was located 20 cm away from the tested device. Table III summarizes the analysis of the sweep signals recorded from the six computers. It presents the frequency
TABLE II: The computers used in the experiments

#       Type                Model               PSU                         CPU
PC-1    Desktop PC          Silverstone         FSP300-50HMN, 300W          Intel Core i7-4770 @ 3.4GHz (4 cores)
PC-2    Desktop PC          Infinity            PK-450, 450W                Intel Core i7-4770 @ 3.4GHz (4 cores)
PC-3    Desktop PC          Lenovo              ATX power supply, 280W      Intel Core 2 Quad Q9550 @ 2.83GHz (4 cores)
Server  Server              IBM                 DPS-750AB A, 750W x2        Intel Xeon E5-2620, 12 cores (24 threads)
NUK     Small form factor   Lenovo ThinkCentre  PA-1650-72, 20V 3.25A       Intel Core i7-4785T (4 cores)
IOT     Embedded/IoT        Raspberry Pi 3      DSA-13PFC-05, 5V 2.5A       Quad-core Broadcom BCM2837, 64-bit ARMv8 (Cortex-A53)

2.4·104 45
PC-1
40 NUK
IOT
35

30

SNR (dB)
Frequency (Hz)

25

20

15

10

0
0 50 100 150 200 250

0 Distance (cm)
0 28.24
Time (s) Fig. 19: SNR levels measured at distances of 0-240cm
Fig. 18: The sweep signal recorded from IOT (spectrogram
view)
band generated from each computer and an estimation of the signal quality based on the SNR ranges measured from the entire sweep signal.

TABLE III: The audible frequency bands of the six PSUs under test

#       Best audible band                    Signal quality (SNR range)
PC-1    2300Hz - 22000Hz                     High (30-35dB)
PC-2    2200Hz - 22000Hz                     High (30-35dB)
PC-3    5491Hz - 6223Hz, 8300Hz - 9000Hz     Low (20-30dB)
Server  8000Hz - 17000Hz                     Low (10-20dB)
NUK     1800Hz - 24000Hz                     High (30-40dB)
IOT     3100Hz - 24000Hz                     Intermediate (20-30dB)

The results show that the quality of the acoustic signal varies among different types of computers. PC-1 and PC-2 generated a detectable signal in a band of 2300Hz-22000Hz, while PC-3 could only generate a weak signal on the fragmented bands of approximately 5500Hz-6220Hz and 8300Hz-9000Hz. The server computer generated a weak signal in a band of 8000Hz-17000Hz. The NUK computer generated a strong signal in the entire band of 1800Hz-24000Hz, and the IOT generated an intermediate signal in a band of 3100Hz-24000Hz. It is important to note that the strength of the signals across the spectrum is not uniform; the signal may be strong in certain frequency bands and weak in others. Based on these results, we chose PC-1, NUK, and IOT for the remainder of the evaluation. These computers produce strong signals, and they represent the common cases of a PC workstation, a small form factor computer, and a low-power IoT device. The spectrograms of their chirp signals can be seen in Figures 16, 17, and 18, respectively.

C. Signal-to-Noise Ratio (SNR)

The acoustic signals generated from the PSU transformers and capacitors are limited in terms of strength. We measured the signal-to-noise ratio (SNR) to compare the level of a generated signal (S) to the level of the background noise (N) at different distances. This measure is correlated with the quality of the audible signal; e.g., an S/N ratio greater than one indicates there is more signal than noise. We generated a signal for a time period of one second and compared it with the background noise. For the SNR measurements, we used the frequency band with the strongest signal for each PSU. The signals were recorded with the smartphone receiver located at distances of 0-250cm from the computer. The results are presented in Figure 19.

As can be seen, the acoustic signal emanating from the IOT device could be received from a distance of about 150cm with an SNR of 10dB. With PC-1 and NUK, good quality signals could be received from a distance of 250cm with an SNR of 22dB and 17dB, respectively.

D. Number of Cores

As discussed, the number of cores used for signal generation directly influences the strength (amplitude) of the signal (i.e., more transmitting threads yield a stronger signal). Figure 20 presents the SNR measurements of PC-1 with one to eight cores used for signal generation. In this test, we used one thread per core. The signal recorded at a distance of 20cm
[Fig. 20: SNR levels (dB) measured with 1 to 8 cores]

from the computers showed a gradual increase as the number of cores used for the signal generation increased (this ranged from an SNR of 15dB with one core to an SNR of 27dB with eight cores).

a) Hyper-Threading: Note that modern Intel CPUs support hyper-threading technology [54]. With this technology, each physical core exposes two logical (virtual) cores to the operating system. The CPU shares the workload between the logical cores when possible for better utilization. In the experiments, we bound the transmitting threads to the system's logical cores rather than its physical cores, i.e., in a system with four physical cores and eight logical cores we can run up to eight concurrent transmitting threads.

E. Bit-Error-Rate (BER)

As discussed in Section V-B, the acoustic signal can be used for data transfer. We measured the bit error rate for PC-1, NUK, and IOT, at distances of 0-240cm for PC-1 and NUK and 0-100cm for the IOT device. For the tests, we used B-FSK modulation and the frequency band with the strongest signal for each PSU. We transmitted sequences of random bits, decoded them, and compared the results with the original data. The tests were repeated three times. The results for PC-1, NUK, and IOT are summarized in Tables IV, V, and VI, respectively, as described below.

1) PC-1: With bit rates of 1 bit/sec to 10 bit/sec we could maintain data transmission at distances of up to 240cm with a maximum BER of 5%. With a bit rate of 30 bit/sec we could maintain data transmission at distances of up to 100cm with a maximum BER of 10%. With a bit rate of 60 bit/sec we could maintain data transmission at distances of up to 60cm with a maximum BER of 0%.

2) NUK: With bit rates of 1 bit/sec to 20 bit/sec we could maintain data transmission at distances of up to 220cm with a maximum BER of 5%, and up to 240cm with a maximum BER of 8%. With a bit rate of 50 bit/sec we could maintain data transmission at distances of up to 100cm with a maximum BER of 10%. With a bit rate of 60 bit/sec we could maintain data transmission at short distances of up to 20cm with a maximum BER of 0%.

3) IOT: With bit rates of 1 bit/sec, 20 bit/sec, and 40 bit/sec, we could maintain data transmission at distances of up to 100cm with a maximum BER of 2-3%. With a bit rate of 80 bit/sec, we could maintain data transmission at distances of up to 20cm with a maximum BER of 10%.

F. Greater Distance

We found that some power supplies produce strong acoustic signals in certain frequency bands. We were able to receive acoustic signals up to six meters away from PC-4. However, the quality of the signal decreases significantly with distance. From 4m, 5m and 6m away we were able to receive the signals at maximal frequencies of 14kHz, 12kHz and 9kHz, respectively. Table VII shows the results for PC-4. With a bit rate of 5 bit/sec we could maintain data transmission at a distance of 6m with a maximum BER of 1.2%.

G. Threat Radius

The above results indicate that the covert channel can be used to transfer data with bit rates of up to 40 bit/sec at short distances of 0-100cm. Such bit rates could be used to transmit binary data, keystroke logs, text files, and so on. With slower bit rates of 1-10 bit/sec, the covert channel is effective at even greater distances (200-300cm with PC-1 and NUK, 200cm-600cm with PC-4). The slower bit rates could be used to transfer a small amount of data, such as short texts, encryption keys, passwords, and keystroke logs, as seen in Figure 21.

[Fig. 21: The distances and relevant data for exfiltration (1m: files, keylogging; 5m: passwords, encryption keys, pings)]

H. Stealth

The transmitting code shown above requires no elevated privileges and can be initiated from an ordinary user space process. The code consists of basic CPU operations such as busy loops, which do not expose malicious behavior, making it highly evasive and hard to detect with static and dynamic (runtime) malware detection solutions.

IX. COUNTERMEASURES

There are four main categories of countermeasures that can be used to defend against the proposed covert channel: zone separation, signal detection, signal jamming, and signal blocking.
TABLE IV: Bit error rates (BER) for PC-1, by bit rate (bps) and distance (cm)

bps    0    20   40   60   80   100  120  140  160  180  200  220  240
1      0%   0%   0%   0%   0%   0%   0%   0%   0%   0%   0%   0%   5%
10     0%   0%   0%   0%   0%   0%   0%   0%   0%   0%   0%   0%   5%
30     0%   0%   0%   0%   5%   10%  -    -    -    -    -    -    -
60     0%   0%   0%   0%   -    -    -    -    -    -    -    -    -

TABLE V: Bit error rates (BER) for NUK, by bit rate (bps) and distance (cm)

bps    0    20   40   60   80   100  120  140  160  180  200  220  240
1      0%   0%   0%   0%   0%   0%   0%   0%   0%   0%   0%   5%   8%
20     0%   0%   0%   0%   0%   0%   0%   0%   0%   0%   0%   5%   -
50     0%   0%   0%   0%   5%   10%  -    -    -    -    -    -    -
60     0%   0%   -    -    -    -    -    -    -    -    -    -    -

TABLE VI: Bit error rates (BER) for IOT, by bit rate (bps) and distance (cm)

bps    0    20   40   60   80   100
1      0%   0%   0%   0%   0%   2%
20     0%   0%   0%   0%   0%   3%
40     0%   0%   0%   0%   3%   3%
80     0%   10%  -    -    -    -

TABLE VII: Bit error rates (BER) for PC-4 at 5 bps, by distance

        1m   2m   3m    4m    5m    6m
PC-4    0%   0%   1.1%  1.2%  1.2%  1.2%

a) Zoning: In procedural countermeasures the 'zoning' approach may be used. In this approach sensitive computers are kept in restricted areas in which mobile phones, microphones, and electronic equipment are banned. The zoning approach (also referred to as 'red/black separation') is discussed in [55] as a means of handling various types of acoustic, electromagnetic, and optical threats. However, zoning is not always possible, due to practical limitations such as space and cost. In our case, recording devices such as mobile phones should be banned from the area of air-gapped systems or be kept at a certain distance from them.

b) Signal Detection: Host based intrusion detection systems (HIDS) may continuously trace the activities of running processes in order to detect suspicious behavior; in our case, a group of threads that abnormally regulates the switching frequency would be reported and inspected. Such a detection approach would likely suffer from false alarms, since many legitimate processes use CPU intensive calculations that affect the processor's workload [56]. Another problem with the runtime detection approach is that the signal generation algorithm (presented in Section V) involves only non-privileged CPU instructions (e.g., busy loops). Monitoring non-privileged CPU instructions at runtime necessitates that the monitored processes enter a step-by-step mode, which severely degrades performance [14]. Software based detection also suffers from an inherent weakness in that it can easily be bypassed by malware using evasion techniques [57]. In our case, the malware may inject the transmitting threads into a legitimate, trusted process to bypass the security mechanisms.

Hardware-based countermeasures may include noise detector devices which monitor the spectrum at a range of frequencies. Such products exist [58] but are prone to false alarms due to natural environmental noises [56]. Jamming the PSU signal by generating background noise at specific ranges [59] is also possible but not applicable in some environments, particularly in quiet settings. In our case, the frequency band is 0-24kHz, which includes the audible region.

c) Signal Jamming: Jamming the whole frequency band will generate a noticeable amount of environmental noise which may disturb users. Carrara [45] suggested monitoring the audio channel for abnormal energy peaks, in order to detect hidden transmissions in the area. In our case, the ultrasonic frequency range above 18kHz should be scanned (continuously) and analyzed. However, as noted in [45], if the monitoring device is far from the transmitter this approach may not be effective.

d) Signal Limiting/Blocking: Although there are quiet PSUs that limit the acoustic noise emitted from their internal components, this feature does not hermetically prevent the emission of noise [50]. Physical isolation in which the computer chassis is enclosed within a special noise blocking cover is also an option, but it is costly and impractical on a large scale.

X. CONCLUSION

In this paper, we show that malware running on a computer can use the power supply as an out-of-band speaker. Code executed in the system can intentionally regulate the internal switching frequency of the power supply, and hence control the waveform generated from its capacitors and transformers. This technique allows sonic and ultrasonic audio tones to be generated from various types of computers and devices even when audio hardware is blocked, disabled, or not present. We show that the POWER-SUPPLaY code can operate from an ordinary user-mode process and doesn't need hardware access or root privileges. The proposed method doesn't invoke special system calls or access hardware resources, and hence is highly evasive. We present the implementation details and evaluation, and provide the measurement results. By using POWER-SUPPLaY, we could acoustically exfiltrate data from audio-less systems to a nearby mobile phone at a distance of 2.5 meters with a maximal bit rate of 50 bit/sec.
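The signal-detection countermeasure of Section IX (c) suggests scanning the audio channel above 18kHz for abnormal energy peaks, as Carrara [45] proposed. Here is an added example of such a monitor; it is not from the paper, and the 512-sample window, the baseline learned from known-quiet windows, the 10 dB alarm margin and the three-window persistence rule (which is what keeps a single click or door slam, the false-alarm source mentioned above, from raising an alert) are all assumptions:

```python
"""Ultrasonic band monitor for the signal-detection countermeasure (Section IX).

Added example, not from the paper. Assumptions not given on the page:
512-sample windows at 44.1 kHz, a baseline from quiet windows, a 10 dB
margin, and K consecutive high windows before an alarm is raised.
"""
import math
import random

FS = 44100
WIN = 512
BAND = (18000.0, FS / 2.0)   # "above 18kHz", up to the Nyquist frequency
MARGIN_DB = 10.0
K_CONSECUTIVE = 3


def band_energy(frame, f_lo=BAND[0], f_hi=BAND[1], fs=FS):
    """Sum of |X_k|^2 over the DFT bins inside [f_lo, f_hi] (direct DFT; an FFT gives the same)."""
    n = len(frame)
    k_lo = math.ceil(n * f_lo / fs)
    k_hi = min(n // 2, math.floor(n * f_hi / fs))
    total = 0.0
    for k in range(k_lo, k_hi + 1):
        re = im = 0.0
        for i, x in enumerate(frame):
            ang = 2.0 * math.pi * k * i / n
            re += x * math.cos(ang)
            im -= x * math.sin(ang)
        total += re * re + im * im
    return total


def calibrate(quiet_windows, margin_db=MARGIN_DB):
    """Alarm threshold: mean band energy of known-quiet windows, raised by margin_db."""
    mean = sum(band_energy(w) for w in quiet_windows) / len(quiet_windows)
    return mean * 10.0 ** (margin_db / 10.0)


def monitor(windows, threshold, k=K_CONSECUTIVE):
    """Indices of windows at which the band has exceeded threshold for k windows in a row."""
    alarms, run = [], 0
    for i, w in enumerate(windows):
        run = run + 1 if band_energy(w) > threshold else 0
        if run >= k:
            alarms.append(i)
    return alarms


def pure_tone(hz, amp=0.5):
    """A single tone, one window long (used to check the band selection)."""
    return [amp * math.sin(2.0 * math.pi * hz * n / FS) for n in range(WIN)]


def make_window(rng, tone_amp=0.0, tone_hz=19000.0):
    """Constructed input: low-level room noise plus an optional tone inside the monitored band."""
    return [rng.uniform(-0.01, 0.01) + tone_amp * math.sin(2.0 * math.pi * tone_hz * n / FS)
            for n in range(WIN)]


def demo():
    """A one-window burst is ignored; a sustained 19 kHz tone raises alarms from its third window."""
    rng = random.Random(7)
    threshold = calibrate([make_window(rng) for _ in range(8)])
    stream = ([make_window(rng, 0.05)]                       # single high window (transient)
              + [make_window(rng) for _ in range(2)]
              + [make_window(rng, 0.05) for _ in range(6)]   # covert transmission
              + [make_window(rng)])
    return monitor(stream, threshold)


if __name__ == "__main__":
    print("alarm windows:", demo())
```

The persistence rule trades detection latency for fewer false alarms: with 512-sample windows, three consecutive windows are about 35 ms, far shorter than any symbol in the evaluation, so a real transmission is still caught at its first symbol. The caveat from [45] stands, though: the monitor only sees what its own microphone sees, so its placement relative to the protected machines decides whether a 20-30 dB signal at 20cm is still above the margin where the monitor is.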
REFERENCES

[1] "Classified United States website - Wikipedia," https://en.wikipedia.org/wiki/Classified_United_States_website, 2018 (accessed 12/03/2017).
[2] M. Guri, M. Monitz, and Y. Elovici, "Bridging the air gap between isolated networks and mobile phones in a practical cyber-attack," ACM Transactions on Intelligent Systems and Technology (TIST), vol. 8, no. 4, p. 50, 2017.
[3] E. Byres, "The air gap: SCADA's enduring security myth," Communications of the ACM, vol. 56, no. 8, pp. 29–31, 2013.
[4] R. Langner, "Stuxnet: Dissecting a cyberwarfare weapon," IEEE Security & Privacy, vol. 9, no. 3, pp. 49–51, 2011.
[5] R. Grant, "The cyber menace," Air Force Magazine, vol. 92, no. 3, 2009.
[6] K. ZAO, "Red October diplomatic cyber attacks investigation," 2018.
[7] "A Fanny equation: 'I am your father, Stuxnet' - Securelist," https://securelist.com/a-fanny-equation-i-am-your-father-stuxnet/68787/, 2018 (accessed 12/03/2017).
[8] "No big deal... Kremlin hackers 'jumped air-gapped networks' to pwn US power utilities - The Register," https://www.theregister.co.uk/2018/07/24/russia_us_energy_grid_hackers/ (accessed 02/12/2020).
[9] "An Indian nuclear power plant suffered a cyberattack. Here's what you need to know. - The Washington Post," https://www.washingtonpost.com/politics/2019/11/04/an-indian-nuclear-power-plant-suffered-cyberattack-heres-what-you-need-know/ (accessed 02/12/2020).
[10] M. Guri, G. Kedma, A. Kachlon, and Y. Elovici, "AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies," in Malicious and Unwanted Software: The Americas (MALWARE), 2014 9th International Conference on. IEEE, 2014, pp. 58–67.
[11] M. G. Kuhn and R. J. Anderson, "Soft tempest: Hidden data transmission using electromagnetic emanations," in Information Hiding, vol. 1525. Springer, 1998, pp. 124–142.
[12] M. G. Kuhn, "Compromising emanations: eavesdropping risks of computer displays," Ph.D. dissertation, University of Cambridge, 2002.
[13] M. Vuagnoux and S. Pasini, "Compromising electromagnetic emanations of wired and wireless keyboards," in USENIX Security Symposium, 2009, pp. 1–16.
[14] M. Guri, A. Kachlon, O. Hasson, G. Kedma, Y. Mirsky, and Y. Elovici, "GSMem: Data exfiltration from air-gapped computers over GSM frequencies," in USENIX Security Symposium, 2015, pp. 849–864.
[15] J. Loughry and D. A. Umphress, "Information leakage from optical emanations," ACM Transactions on Information and System Security (TISSEC), vol. 5, no. 3, pp. 262–289, 2002.
[16] M. Guri, B. Zadov, and Y. Elovici, LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED. Cham: Springer International Publishing, 2017, pp. 161–184.
[17] M. Guri, M. Monitz, Y. Mirski, and Y. Elovici, "BitWhisper: Covert signaling channel between air-gapped computers using thermal manipulations," in Computer Security Foundations Symposium (CSF), 2015 IEEE 28th. IEEE, 2015, pp. 276–289.
[18] M. Hanspach and M. Goetz, "On covert acoustical mesh networks in air," arXiv preprint arXiv:1406.1213, 2014.
[19] L. Deshotels, "Inaudible sound as a covert channel in mobile devices," in WOOT, 2014.
[20] A. Madhavapeddy, R. Sharp, D. Scott, and A. Tse, "Audio networking: the forgotten wireless technology," IEEE Pervasive Computing, vol. 4, no. 3, pp. 55–60, 2005.
[21] M. Guri, Y. Solewicz, and Y. Elovici, "MOSQUITO: Covert ultrasonic transmissions between two air-gapped computers using speaker-to-speaker communication," in 2018 IEEE Conference on Dependable and Secure Computing (DSC). IEEE, 2018, pp. 1–8.
[22] "Air gap computer network security - Notary Colorado Springs," http://abclegaldocs.com/blog-Colorado-Notary/air-gap-computer-network-security/, 2018 (accessed 06/14/2018).
[23] M. Guri and Y. Elovici, "Bridgeware: The air-gap malware," Commun. ACM, vol. 61, no. 4, pp. 74–82, Mar. 2018. [Online]. Available: http://doi.acm.org/10.1145/3177230
[24] "Mind the gap: Are air-gapped systems safe from breaches? - Symantec Connect Community," https://www.symantec.com/connect/blogs/mind-gap-are-air-gapped-systems-safe-breaches, 2018 (accessed 06/14/2018).
[25] "The Epic Turla (snake/Uroburos) attacks - virus definition - Kaspersky Lab," https://www.kaspersky.com/resource-center/threats/epic-turla-snake-malware-attacks, 2018 (accessed 12/03/2017).
[26] N. Provos, D. McNamee, P. Mavrommatis, K. Wang, N. Modadugu et al., "The ghost in the browser: Analysis of web-based malware," HotBots, vol. 7, pp. 4–4, 2007.
[27] M. Cova, C. Kruegel, and G. Vigna, "Detection and analysis of drive-by-download attacks and malicious JavaScript code," in Proceedings of the 19th International Conference on World Wide Web. ACM, 2010, pp. 281–290.
[28] A. K. Sood and R. J. Enbody, "Malvertising - exploiting web advertising," Computer Fraud & Security, vol. 2011, no. 4, pp. 11–16, 2011.
[29] T. R. Peltier, "Social engineering: Concepts and solutions," Information Systems Security, vol. 15, no. 5, pp. 13–21, 2006.
[30] C. Smutz and A. Stavrou, "Malicious PDF detection using metadata and structural features," in Proceedings of the 28th Annual Computer Security Applications Conference. ACM, 2012, pp. 239–248.
[31] A. Giani, V. H. Berk, and G. V. Cybenko, "Data exfiltration and covert channels," in Defense and Security Symposium. International Society for Optics and Photonics, 2006, pp. 620103–620103.
[32] S. J. Murdoch and S. Lewis, "Embedding covert channels into TCP/IP," in Information Hiding, vol. 3727. Springer, 2005, pp. 247–261.
[33] S. Zander, G. Armitage, and P. Branch, "A survey of covert channels and countermeasures in computer network protocols," IEEE Communications Surveys & Tutorials, vol. 9, no. 3, pp. 44–57, 2007.
[34] "Tempest for Eliza," http://www.erikyyy.de/tempest/, 2018 (accessed 12/03/2017).
[35] "funtenna - GitHub," https://github.com/funtenna, 2016 (accessed 14/06/2018).
[36] M. Guri, M. Monitz, and Y. Elovici, "USBee: Air-gap covert-channel via electromagnetic emission from USB," in Privacy, Security and Trust (PST), 2016 14th Annual Conference on. IEEE, 2016, pp. 264–268.
[37] M. Guri, B. Zadov, and Y. Elovici, "ODINI: Escaping sensitive data from Faraday-caged, air-gapped computers via magnetic fields," IEEE Transactions on Information Forensics and Security, vol. 15, pp. 1190–1203, 2019.
[38] M. Guri, A. Daidakulov, and Y. Elovici, "MAGNETO: Covert channel between air-gapped systems and nearby smartphones via CPU-generated magnetic fields," arXiv preprint arXiv:1802.02317, 2018.
[39] M. Guri, B. Zadov, D. Bykhovsky, and Y. Elovici, "PowerHammer: Exfiltrating data from air-gapped computers through power lines," IEEE Transactions on Information Forensics and Security, 2019.
[40] M. Guri, B. Zadov, D. Bykhovsky, and Y. Elovici, "CTRL-ALT-LED: Leaking data from air-gapped computers via keyboard LEDs," in 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC), vol. 1. IEEE, 2019, pp. 801–810.
[41] M. Guri, B. Zadov, A. Daidakulov, and Y. Elovici, "xLED: Covert data exfiltration from air-gapped networks via switch and router LEDs," in 2018 16th Annual Conference on Privacy, Security and Trust (PST). IEEE, 2018, pp. 1–12.
[42] M. Guri and D. Bykhovsky, "aIR-Jumper: Covert air-gap exfiltration/infiltration via security cameras & infrared (IR)," Computers & Security, vol. 82, pp. 15–29, 2019.
[43] M. Guri, O. Hasson, G. Kedma, and Y. Elovici, "An optical covert-channel to leak data through an air-gap," in Privacy, Security and Trust (PST), 2016 14th Annual Conference on. IEEE, 2016, pp. 642–649.
[44] M. Guri, "Optical air-gap exfiltration attack via invisible images," Journal of Information Security and Applications, vol. 46, pp. 222–230, 2019.
[45] B. Carrara and C. Adams, "On acoustic covert channels between air-gapped systems," in International Symposium on Foundations and Practice of Security. Springer, 2014, pp. 3–16.
[46] M. Guri, Y. Solewicz, and Y. Elovici, "Fansmitter: Acoustic data exfiltration from air-gapped computers via fans noise," Computers & Security, p. 101721, 2020.
[47] M. Guri, Y. Solewicz, A. Daidakulov, and Y. Elovici, "Acoustic data exfiltration from speakerless air-gapped computers via covert hard-drive noise (DiskFiltration)," in European Symposium on Research in Computer Security. Springer, 2017, pp. 98–115.
[48] M. Guri, "AiR-ViBeR: Exfiltrating data from air-gapped computers via covert surface vibrations," arXiv preprint arXiv:2004.06195, 2020.
[49] J. Dean, "Jumping the airgap," https://thoughtworksnc.com/2017/03/16/jumping-the-airgap/, Mar. 2017 (accessed 02/27/2018).
[50] K. H. Billings and T. Morey, Switchmode Power Supply Handbook. McGraw-Hill, 2011.
[51] J. von Kistowski, H. Block, J. Beckett, C. Spradling, K.-D. Lange, and S. Kounev, "Variations in CPU power consumption," in Proceedings of the 7th ACM/SPEC International Conference on Performance Engineering. ACM, 2016, pp. 147–158.
[52] "pthread_mutex_lock(3): lock/unlock mutex - Linux man page," https://linux.die.net/man/3/pthread_mutex_lock (accessed 12/03/2017).
[53] "Praat: doing phonetics by computer," http://www.fon.hum.uva.nl/praat/, 2018 (accessed 02/27/2018).
[54] D. Marr, F. Binns, D. Hill, G. Hinton, D. Koufaty et al., "Hyper-threading technology in the NetBurst microarchitecture," 14th Hot Chips, 2002.
[55] cryptome.org, "NSTISSAM TEMPEST/2-95," https://cryptome.org/tempest-2-95.htm, 2000 (accessed 02/27/2018).
[56] B. Carrara and C. Adams, "A survey and taxonomy aimed at the detection and measurement of covert channels," in Proceedings of the 4th ACM Workshop on Information Hiding and Multimedia Security. ACM, 2016, pp. 115–126.
[57] A. A. Cárdenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang, and S. Sastry, "Attacks against process control systems: risk assessment, detection, and response," in Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. ACM, 2011, pp. 355–366.
[58] "Products - Pulsar Instruments plc," https://pulsarinstruments.com/en/categories, 2018 (accessed 06/14/2018).
[59] "Audio jammer - counter surveillance systems," https://www.brickhousesecurity.com/counter-surveillance/audio-jammers/, 2018 (accessed 06/14/2018).
