A researcher at Israel’s Ben-Gurion University of the Negev recently demonstrated a new type of malware capable of covertly exfiltrating highly sensitive data from air-gapped and audio-gapped systems, using a novel acoustic technique that turns the power supply of modern computer equipment into a transmitter.
The latest research, dubbed POWER-SUPPLaY, builds on a series of methods that use covert electromagnetic, acoustic, thermal, optical and even power-line channels to exfiltrate data from computers that are not connected to any network.
The malware we have developed can use the computer’s power supply to play sounds and use it as an out-of-band secondary loudspeaker with limited capabilities, as Dr. Mordechai Guri wrote in a paper published today and shared with The Hacker News.
The malicious code manipulates the internal switching frequency of the power supply and thereby controls the sound waveforms generated by its capacitors and transformers.
We show that our technique works with different types of systems: PC workstations and servers, as well as embedded systems and IoT devices that have no audio hardware. Binary data can be modulated and transmitted by acoustic signals.
Using the power supply as an out-of-band speaker
Air-gapped systems are considered a necessity in environments where sensitive data is handled, in order to reduce the risk of data leakage. Their audio hardware is usually disabled as well, to prevent adversaries from using the built-in speakers and microphones to steal information via sonic and ultrasonic waves.
Such an attack also requires that the transmitting and receiving devices be physically close to each other and that both are infected with the appropriate malware to set up the communication channel, for example through social-engineering campaigns that exploit weaknesses in the target device.
POWER-SUPPLaY works along the same lines: malware running on a PC can take advantage of its power supply unit and use it as an out-of-band speaker, eliminating the need for dedicated audio hardware.
According to the researcher, this technique makes it possible to play audio streams from the computer even when its audio hardware is disabled and no speakers are present. Binary data can be modulated and transmitted over acoustic signals. The acoustic signals can then be picked up by a nearby receiver (e.g. a smartphone), which demodulates and decodes the data and forwards it to the attacker over the Internet.
In other words, the air-gap malware regulates the workload of modern CPUs to control their power consumption and, with it, the switching frequency of the power supply, so that it emits an acoustic signal in the 0 to 24 kHz range and modulates binary data on top of it.
Air-gap bypass and cross-device tracking
The malware on the compromised computer not only collects sensitive data (files, URLs, keystrokes, encryption keys, etc.), but also transmits it in WAV format using acoustic sound waves emitted by the computer’s power supply, which are decoded by the receiver – in this case an app running on an Android smartphone.
According to the researcher, an attacker can exfiltrate data from audio-gapped systems to a nearby phone at a distance of 2.5 metres at a maximum rate of 50 bit/s.
One consequence of this attack, beyond the breach of confidentiality, is cross-device tracking: the technique allows the malware to capture the browsing history on the compromised system and send that information to the receiver.
As countermeasures, the researcher proposes zoning: keeping sensitive systems in restricted areas where mobile phones and other electronic devices are prohibited. An intrusion detection system that monitors for suspicious CPU behavior, together with hardware-based signal detectors and jammers, can also help protect against the proposed covert channel.
While air-gapped networks at nuclear facilities in Iran and India have been exposed to security breaches, the new study is another reminder that complex supply-chain attacks can also target isolated systems.
The POWER-SUPPLaY code can run in normal user mode and does not require any hardware access or root privileges, the researcher concluded. The proposed method does not require special system calls or access to hardware resources and is therefore highly evasive.
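The CPU-monitoring countermeasure can be sketched in code. The detector below is an added example, not code from the paper or from The Hacker News: it takes a trace of CPU-utilisation samples and flags one whose load oscillation is concentrated at a single frequency, the signature of a workload regulated to drive the PSU as an acoustic carrier rather than of ordinary bursty computation. The two traces, the sampling rate and the spectral-concentration threshold are all assumptions constructed for the example.

```python
import cmath
import math
import random

# Constructed CPU-utilisation traces (percent), one sample per tick.
# Assumption: the monitor samples CPU load fast enough to resolve the
# regulated workload; the sampling rate is not taken from the paper.

def constructed_normal_trace(n=256, seed=1):
    """Ordinary load: background jitter plus a few irregular bursts."""
    rng = random.Random(seed)
    trace = [rng.uniform(10, 40) for _ in range(n)]
    for start, length in ((30, 5), (100, 9), (190, 14)):
        for t in range(start, start + length):
            trace[t] += 50
    return trace

def constructed_modulated_trace(n=256, period=8, seed=2):
    """Regulated load: strict on/off toggling at a fixed period."""
    rng = random.Random(seed)
    return [(95 if (t % period) < period // 2 else 5) + rng.uniform(-3, 3)
            for t in range(n)]

def spectral_peak_ratio(samples):
    """Return (k, share): the strongest non-DC DFT bin k and the share of
    the non-DC spectral power it holds. A 50%-duty square-wave load puts
    over 80% of its power into its fundamental bin."""
    n = len(samples)
    mean = sum(samples) / n
    centred = [s - mean for s in samples]
    powers = []
    for k in range(1, n // 2):
        acc = sum(centred[t] * cmath.exp(-2j * math.pi * k * t / n)
                  for t in range(n))
        powers.append(abs(acc) ** 2)
    total = sum(powers)
    if total == 0:
        return 0, 0.0
    i = max(range(len(powers)), key=powers.__getitem__)
    return i + 1, powers[i] / total

def looks_modulated(samples, threshold=0.5):
    """Flag a trace whose load oscillation sits at one frequency (assumed
    threshold: half of the non-DC power in a single bin)."""
    _, share = spectral_peak_ratio(samples)
    return share >= threshold

if __name__ == "__main__":
    for name, trace in (("normal", constructed_normal_trace()),
                        ("modulated", constructed_modulated_trace())):
        k, share = spectral_peak_ratio(trace)
        print(f"{name}: peak bin {k}, share {share:.2f}, "
              f"flagged={looks_modulated(trace)}")
```

A real monitor would feed this with samples from performance counters and also compare the CPU-load spectrum against the PSU's expected switching behaviour; the pure-Python DFT here is only to keep the example dependency-free.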