PowerHammer lets hackers steal data from air-gapped computers through power lines

Researchers exfiltrated data at 1000 bits per second by listening in on the electrical connection of a computer.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • PowerHammer has two variants, one that targets power lines inside the target building, and one that targets the outside electrical service panel.
  • Mitigations are possible using EMI filters, though such filters are typically designed for higher frequencies than are used in the attack.

Researchers at the Ben-Gurion University of the Negev (BGU) have identified a method to exfiltrate data from computers using a combination of malware and a hardware implant to monitor the signal being transmitted through the power lines. The method--which the authors dubbed PowerHammer in a report--is yet another attack against so-called air-gapped computers, which are physically and logically isolated from unsecured networks.

The PowerHammer method has two variants, the report said. The "line-level" variant is the faster of the two, and is possible to exploit if attackers can compromise the power lines inside the target building. The "phase-level" variant is substantially slower, though can be exploited from the outside electrical service panel. Both variants require a given device to be compromised by malware in order to encode the data into a format that the line-level or phase-level implant can record and decode.

Notably, PowerHammer is not itself a security exploit, in the sense that it requires a computer to already be compromised in order to work. For comparison, the practice of Van Eck phreaking also relies on intercepting electromagnetic emissions, but that method only reads what the system happens to be emitting during normal operation. Van Eck phreaking does not require a malware implant, and is therefore necessarily limited to intercepting the RF signal given off by CRT or LCD monitors.


For the line-level variant, the researchers were able to exfiltrate data from a computer running an Intel Haswell-era quad-core processor at 1000 bits per second, with a zero percent error rate. Other tests were not nearly as successful, which underlines the limitations of the PowerHammer attacks, the report said.

A test of an Intel Xeon E5-2620-powered server could achieve rates of 100 bits per second with a zero percent error rate, though transmitting at 500 bits per second resulted in a 26% error rate. According to the researchers, the number of cores used to transmit data influences the power usage of the computer, and therefore the speed at which data can be transferred. Because of this, using all of the available cores would strain the system resources in a way that could make the attack evident to the operator of the computer.

Further, the efficacy of the attack decreases sharply with lower-power systems. A test of the Raspberry Pi 3B allowed the researchers to exfiltrate data at a speed of 5 bits per second with a 1.9% error rate. Attempting to transmit at 20 bits per second generated an error rate of 18.2%.

The phase-level variant attack suffers similar performance degradation. The researchers note that background noise at the phase level is substantially higher, as the power line is shared with everything else connected to it, such as appliances and lights. The researchers could achieve speeds up to 3 bits per second at a zero percent error rate, though the error rate rose to 4.2% at 10 bits per second.

Additionally, the way virtual machines are scheduled hampers this attack. While the researchers observed frequencies between 0 and 24 kHz on CPUs without virtualization, virtual machines operated only between 0 and 7 kHz. According to the report, the virtual machine manager "initiates a periodical context switch which suspends the transmitting process (and its threads), in order to transfer the control to the host machine," which limits the operating frequency to 7 kHz.

The researchers outline a variety of mitigations in the report, including the use of EMI filters installed either in the power outlets or in the power supply itself, though they caution that EMI filters are typically designed to filter higher frequencies than those used in the attack.
