A new method has been developed to steal data from offline machines, using the electromagnetic waves given off by their power supplies.
So-called “air-gapped” PCs – PCs isolated from the public internet – could have their data stolen at distances of more than six feet, and even through walls, by someone with a smartphone or laptop equipped with a special receiver, experts have warned.
The method was developed by Mordechai Guri, a researcher at Ben-Gurion University in Beersheba, Israel, who called it COVID-bit, perhaps referring to general social distancing rules that prevent people from being close together.
Bridging the (air) gap
Air-gapped systems are typically deployed in settings handling highly sensitive data and tasks, such as those related to energy, government and military weapons, making this new method a worrying prospect.
First, the targeted system must already have specific malware installed, which requires physical access to the machine. This malware controls the CPU load and the frequency of the cores so that the power supply produces electromagnetic emissions between 0 and 48 kHz.
Guri explained that the switching components in these systems create a square wave of electromagnetic radiation at specific frequencies as they switch on and off during AC/DC conversion.
This wave can carry raw data, which can be decoded at a distance with an antenna that simply plugs into a mobile device’s 3.5 mm audio jack. A program on the device then recovers the data by applying a noise filter.
Guri tested his method on desktops, a laptop, and a Raspberry Pi 3, and found that laptops were the most difficult to attack because their power-saving features meant they did not give off a strong enough electromagnetic signal.
The desktops, on the other hand, could transmit 500 bits per second (bps) with an error rate between 0.01% and 0.8%, and 1,000 bps with an error rate of up to 1.78%, which is still accurate enough for effective data collection.
At this speed, a 10 KB file can be sent in less than 90 seconds, and the raw keystroke log from an hour of activity on the target machine can be sent in just 20 seconds. Keylogging can also be transmitted live, in real time.
When it came to the Pi 3, the weak power supply meant that receiver distances were limited for successful data transfers.
Guri recommends keeping air-gapped systems safe by monitoring CPU load and frequencies for suspicious or unusual activity. However, this can lead to many false positives as such parameters can vary greatly during normal usage scenarios.
In addition, such monitoring increases processing costs, which means that performance may decrease and energy consumption increases.
An alternative solution is to lock the CPU to fixed core frequencies, so that the associated electromagnetic emissions cannot be modulated to carry data. However, the downside here is that, as mentioned earlier, natural fluctuations of core frequencies are to be expected, so locking them will result in reduced performance at certain times and overuse at others.
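As an added illustration of the CPU-monitoring defence described above (this is not code from Guri’s research or from the article), the following detector flags a per-core utilisation trace in which the load swings hard at one dominant frequency, the signature of load being toggled to modulate the power supply. The traces are constructed, and the 100 Hz sampling rate and the thresholds are assumptions.

```python
import math
import random

# Constructed sample traces: per-core utilisation in percent, sampled at a
# fixed interval (assumed 100 Hz). Synthetic values, not real measurements.
_rng = random.Random(7)
NORMAL = [_rng.uniform(20, 80) for _ in range(512)]          # bursty but aperiodic
STEADY = [_rng.uniform(45, 55) for _ in range(512)]          # busy, small jitter only
MODULATED = [(100.0 if (t // 8) % 2 == 0 else 0.0) + _rng.uniform(-5, 5)
             for t in range(512)]                            # square wave, period 16

def spectral_peak(samples):
    """Return (peak_bin, ratio): the strongest DFT bin of the mean-removed
    trace and the share of total AC power it holds. A plain O(n^2) DFT is
    used so the block needs no third-party packages."""
    n = len(samples)
    mean = sum(samples) / n
    ac = [s - mean for s in samples]
    powers = []
    for k in range(1, n // 2):
        re = sum(ac[t] * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = sum(ac[t] * math.sin(2 * math.pi * k * t / n) for t in range(n))
        powers.append(re * re + im * im)
    total = sum(powers)
    if total == 0.0:
        return 0, 0.0
    idx = max(range(len(powers)), key=powers.__getitem__)
    return idx + 1, powers[idx] / total

def looks_modulated(samples, min_swing=50.0, min_ratio=0.3):
    """Flag a trace only when utilisation swings hard AND one frequency
    dominates. Both checks are needed: a periodic housekeeping task has a
    spectral peak but a small swing, while a random burst of work has a big
    swing but a flat spectrum. A legitimate job that hammers a core on a
    strict timer still trips this, which is the false-positive cost the
    article describes."""
    swing = max(samples) - min(samples)
    if swing < min_swing:
        return False
    _, ratio = spectral_peak(samples)
    return ratio >= min_ratio

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("steady", STEADY),
                        ("modulated", MODULATED)):
        print(name, spectral_peak(trace), looks_modulated(trace))
```

OS-level sampling is far slower than the 0 to 48 kHz emissions the article describes, so a detector like this only sees the coarse on/off load pattern, not the switching frequency itself.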