EEVblog Electronics Community Forum

Products => Dodgy Technology => Topic started by: Vendicar Decarian on April 14, 2018, 10:05:38 am

Title: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: Vendicar Decarian on April 14, 2018, 10:05:38 am
PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines

Mordechai Guri, Boris Zadov, Dima Bykhovsky, Yuval Elovici

10 Apr 2018

In this paper we provide an implementation, evaluation, and analysis of PowerHammer, a malware (bridgeware [1]) that uses power lines to exfiltrate data from air-gapped computers. In this case, malicious code running on a compromised computer can control the power consumption of the system by intentionally regulating the CPU utilization. Data is modulated, encoded, and transmitted on top of the current flow fluctuations, and then it is conducted and propagated through the power lines. This phenomenon is known as a 'conducted emission'. We present two versions of the attack. Line level power-hammering: In this attack, the attacker taps the in-home power lines that are directly attached to the electrical outlet. Phase level power-hammering: In this attack, the attacker taps the power lines at the phase level, in the main electrical service panel. In both versions of the attack, the attacker measures the conducted emission and then decodes the exfiltrated data. We describe the adversarial attack model and present modulations and encoding schemes along with a transmission protocol. We evaluate the covert channel in different scenarios and discuss signal-to-noise ratio (SNR), signal processing, and forms of interference. We also present a set of defensive countermeasures. Our results show that binary data can be covertly exfiltrated from air-gapped computers through the power lines at bit rates of 1000 bit/sec for the line level power-hammering attack and 10 bit/sec for the phase level power-hammering attack.
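The abstract says the transmitter is nothing more than a process keying CPU utilization up and down at a fixed symbol rate. That is also the property a defender can look for on the host itself. The following is an added example written for this thread, not code from the PowerHammer paper or from any poster: it runs over constructed per-core utilization telemetry and flags a trace whose state changes all fall on one regular symbol clock, which ordinary bursty load does not do. The sample rate, thresholds, bit pattern and both test traces are assumptions constructed here.

```python
import random

SAMPLE_HZ = 1000  # assumed telemetry rate: per-core utilisation samples per second

# Constructed bit pattern, repeated to fill the trace (not taken from the paper).
PATTERN = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0]


def constructed_ook_trace(bits, bit_rate, seconds, seed=1):
    """Constructed telemetry: utilisation sits high during '1' bits and low
    during '0' bits (on-off keying), with a little measurement jitter."""
    rng = random.Random(seed)
    samples_per_bit = SAMPLE_HZ // bit_rate
    trace = []
    for i in range(int(seconds * SAMPLE_HZ)):
        level = 0.95 if bits[(i // samples_per_bit) % len(bits)] else 0.05
        trace.append(min(1.0, max(0.0, level + rng.gauss(0.0, 0.02))))
    return trace


def constructed_background_trace(seconds, seed=2):
    """Constructed telemetry: bursty but unkeyed load, alternating high and low
    segments whose lengths are random and tied to no symbol clock."""
    rng = random.Random(seed)
    n = int(seconds * SAMPLE_HZ)
    trace, high = [], False
    while len(trace) < n:
        run = rng.randint(7, 90)
        level = rng.uniform(0.65, 0.95) if high else rng.uniform(0.05, 0.35)
        trace.extend(min(1.0, max(0.0, level + rng.gauss(0.0, 0.02))) for _ in range(run))
        high = not high
    return trace[:n]


def transitions(trace, threshold=0.5):
    """Sample indices at which the thresholded utilisation changes state."""
    state = [v >= threshold for v in trace]
    return [i for i in range(1, len(state)) if state[i] != state[i - 1]]


def detect_keyed_load(trace, min_period=4, max_period=200,
                      min_transitions=8, min_aligned=0.8):
    """Return None, or a dict describing the detected symbol clock.

    For every candidate symbol period T (in samples), find the largest fraction
    of state changes that share one phase modulo T.  A keyed load changes state
    only on boundaries of its bit period, so the true T aligns all transitions;
    unkeyed bursty load spreads them over every phase.  min_period = 4 assumes
    the telemetry samples at least 4x faster than the fastest rate of interest.
    """
    edges = transitions(trace)
    if len(edges) < min_transitions:
        return None
    best_score, best_period = 0.0, None
    for period in range(min_period, max_period + 1):
        counts = [0] * period
        for e in edges:
            counts[e % period] += 1
        score = max(counts) / len(edges)
        # Divisors of the true period score just as well; keep the largest so the
        # reported period is the bit slot itself rather than a sub-multiple.
        if score >= best_score:
            best_score, best_period = score, period
    if best_score < min_aligned:
        return None
    return {"period_samples": best_period,
            "bit_rate_hz": SAMPLE_HZ / best_period,
            "aligned_fraction": best_score}


if __name__ == "__main__":
    print(detect_keyed_load(constructed_ook_trace(PATTERN, 10, 4.0)))   # 10 bit/s keyed
    print(detect_keyed_load(constructed_ook_trace(PATTERN, 100, 4.0)))  # 100 bit/s keyed
    print(detect_keyed_load(constructed_background_trace(4.0)))         # None
```

Real telemetry jitters, so a production version would count a transition as aligned within a sample or two of the slot boundary and raise min_period accordingly to keep the false-positive rate down.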
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: ebastler on April 14, 2018, 01:36:13 pm
Why do you think this is "rubbish"?
Have you read the full paper? It seems viable to me. https://arxiv.org/pdf/1804.04014.pdf

Please elaborate on why you think this won't work.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: Marco on April 14, 2018, 01:46:07 pm
It's not rubbish, but it's also not terribly significant.

An air gap crossing side channel which can run on two rooted but otherwise unmodified computers can be useful, something which requires you to put a current monitor somewhere in the building and even then only manages 1 bit/s ... less so.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: ebastler on April 14, 2018, 02:07:20 pm
It's not rubbish, but it's also not terribly significant.

An air gap crossing side channel which can run on two rooted but otherwise unmodified computers can be useful, something which requires you to put a current monitor somewhere in the building and even then only manages 1 bit/s ... less so.

I think this could very well be used in practice. Not if physical access to the whole target building is controlled, of course; but if you want to tap into a flat or an office floor, and have access e.g. to the electricity meters in the basement?

And somewhat more than 1 bit/s seems feasible -- 10 bit/s minus some margin for error-correcting checksums, to deal with the 4% bit error rate. Certainly enough for a keylogger, for example, or for slowly trickling out some file contents.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: ogden on April 14, 2018, 04:04:19 pm
And somewhat more than 1 bit/s seems feasible -- 10 bit/s minus some margin for error-correcting checksums, to deal with the 4% bit error rate. Certainly enough for a keylogger, for example, or for slowly trickling out some file contents.

Conclusion chapter: The results show that data can be exfiltrated from air-gapped computers through the power lines at bit rates of 1000 bit/sec for line level powerhammering, and 10 bit/sec for phase level power-hammering.

This particular approach is good when the use of faster transmitters that require close proximity, such as AirHopper, is not possible.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: ebastler on April 14, 2018, 04:17:59 pm
Conclusion chapter: The results show that data can be exfiltrated from air-gapped computers through the power lines at bit rates of 1000 bit/sec for line level powerhammering, and 10 bit/sec for phase level power-hammering.

Yes, I've read the paper. I think the "line level" attack is not too relevant in practice, since you need to place your current sensor physically quite close to the computer. The "phase level" detection can be done from a more realistic distance.

In the conclusion, the authors neglect to mention the 4% bit error rate they showed earlier in the paper for phase sensing at 10 bit/s. Hence the usable data rate will be a bit lower.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: Ian.M on April 14, 2018, 05:18:35 pm
However, if you can supply machines with compromised power supplies (to get at the load current of the supply to the motherboard's Vcore regulator) and a preinstalled rootkit, you are in like Flynn, and can exfiltrate the data at a reasonable baud rate on command using powerline networking techniques. That's certainly of interest to three letter agencies.

The gold standard for an airgapped machine will henceforth include a full teardown of the PSU, plus an always-on battery backup system or a rotary converter with a *LARGE* flywheel to lower the possible bit rate to millibaud levels.

Another possible attack would be thermal signalling - I doubt the possible bit rate would be higher than 1 bit per hour, but that would be good enough to exfiltrate a 256 bit AES key in under two weeks with robust error correction.

Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: bd139 on April 14, 2018, 07:37:09 pm
This has been known about for years in certain sectors. There were massive banks of “power filters” in a facility I was in once which were supposedly to stop information leaking. They were also worried about CRT emissions at the time so CRTs were only allowed in rooms with no windows and shielded lined walls. 
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: BrianHG on April 14, 2018, 07:45:20 pm
What about the kid who pointed a telescope at a keyboard's 'Num Lock' LED and, with a photodiode, measuring the minute ripple in current generated in the frequency band of the keyboard bitrate, decoded the keystrokes perfectly?

There must be 100s of ways to extract information from a remote PC.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: ebastler on April 14, 2018, 08:01:07 pm
What about the kid who pointed a telescope at a keyboard's 'Num Lock' LED and, with a photodiode, measuring the minute ripple in current generated in the frequency band of the keyboard bitrate, decoded the keystrokes perfectly?

If I have a telescope pointed at the keyboard, I can think of a more direct way of monitoring the keystrokes.  ;)
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: RoGeorge on April 14, 2018, 08:19:39 pm
I don't think it's rubbish. Another known attack by CPU throttling (combined with other side-channel attacks) was breaking the anonymity of the Tor network.

The idea was to throttle the CPU (of a victim PC) in order to create temperature variations inside the victim's PC. Temperature variations inside the victim PC will lead to very small frequency variations of any clock inside that PC. Statistics of the clock skew were collected from the anonymized data packets traveling inside the Tor network, thus identifying the victim's data packets inside Tor. It's not instant, but fast enough and reliable enough to do it in an automated way.

Note that a victim's PC can be throttled without breaking into the victim's PC, e.g. by making the victim stay on a web page or a website that throttles the PC in a known way.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: BrianHG on April 14, 2018, 08:30:24 pm
What about the kid who pointed a telescope at a keyboard's 'Num Lock' LED and, with a photodiode, measuring the minute ripple in current generated in the frequency band of the keyboard bitrate, decoded the keystrokes perfectly?

If I have a telescope pointed at the keyboard, I can think of a more direct way of monitoring the keystrokes.  ;)
Not in the dark...
Or at an off angle... Like pointing the telescope from an apartment across the street into an office building's window. You might get one hand's keystrokes if you are visually fast enough. The LED thing can just record all ASCII text throughout the day free of visual decoding. The LED doesn't even need to be centered or focused in the middle for it to work.

Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: ogden on April 14, 2018, 08:43:52 pm
What about the kid who pointed a telescope at a keyboard's 'Num Lock' LED and, with a photodiode, measuring the minute ripple in current generated in the frequency band of the keyboard bitrate, decoded the keystrokes perfectly?

What about the URL to the original source you forgot to provide?

Another known attack by CPU throttling (combined with other side channels attacks) was breaking the anonymity on Tor network.

Again - no URL.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: RoGeorge on April 14, 2018, 09:12:54 pm
Another known attack by CPU throttling (combined with other side channels attacks) was breaking the anonymity on Tor network.

Again - no URL.

http://lmgtfy.com/?q=Tor+clock+skew+attack

This paper (and its references) is a good starting point for further research on throttling-based attacks:
http://sec.cs.ucl.ac.uk/users/smurdoch/papers/ccs06hotornot.pdf
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: BrianHG on April 14, 2018, 11:47:44 pm
What about the kid who pointed a telescope at a keyboard's 'Num Lock' LED and, with a photodiode, measuring the minute ripple in current generated in the frequency band of the keyboard bitrate, decoded the keystrokes perfectly?

What about the URL to the original source you forgot to provide?
This was from the DOS era, early-mid 90s, when the keyboard processor took enough current to send serial data, at a slow rate, on an old PS1 large DIN connector that the LED had measurable ripple current noise in its light source. I cannot find any modern Google equivalent. At the time, it was reported on a tech news TV show.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: ogden on April 14, 2018, 11:47:53 pm
Another known attack by CPU throttling (combined with other side channels attacks) was breaking the anonymity on Tor network.

Again - no URL.

http://lmgtfy.com/?q=Tor+clock+skew+attack

This paper (and its references) is a good starting point for further research on throttling-based attacks:
http://sec.cs.ucl.ac.uk/users/smurdoch/papers/ccs06hotornot.pdf

Initially you said "CPU throttling", now it's "clock skew attack", which actually works by "inducing (traffic) load on node". And you lmgtfy me. Come on.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: dmills on April 15, 2018, 04:21:24 pm
The power side channel is OLD news; we did it to the Soviet embassy crypto suite back in the teleprinter days (according to Peter Wright, in his (awful) book "Spycatcher"), and I see no reason to disbelieve him.

Regards, Dan.

Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: mikerj on April 16, 2018, 02:58:46 pm
Another known attack by CPU throttling (combined with other side channels attacks) was breaking the anonymity on Tor network.

Again - no URL.

http://lmgtfy.com/?q=Tor+clock+skew+attack

This paper (and its references) is a good starting point for further research on throttling-based attacks:
http://sec.cs.ucl.ac.uk/users/smurdoch/papers/ccs06hotornot.pdf

Initially you said "CPU throttling", now it's "clock skew attack", which actually works by "inducing (traffic) load on node". And you lmgtfy me. Come on.

The VERY FIRST result (http://sec.cs.ucl.ac.uk/users/smurdoch/papers/ccs06hotornot.pdf) on Google links to a paper that describes the attack in detail, maybe try reading it?

Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: ogden on April 16, 2018, 04:22:22 pm
Another known attack by CPU throttling (combined with other side channels attacks) was breaking the anonymity on Tor network.

Again - no URL.

http://lmgtfy.com/?q=Tor+clock+skew+attack

This paper (and its references) is a good starting point for further research on throttling-based attacks:
http://sec.cs.ucl.ac.uk/users/smurdoch/papers/ccs06hotornot.pdf

Initially you said "CPU throttling", now it's "clock skew attack", which actually works by "inducing (traffic) load on node". And you lmgtfy me. Come on.

The VERY FIRST result (http://sec.cs.ucl.ac.uk/users/smurdoch/papers/ccs06hotornot.pdf) on Google links to a paper that describes the attack in detail, maybe try reading it?

Yes, I did read it - AFTER you provided the correct keywords, in an insulting way. Using the information and keywords "cpu throttling tor anonymity" from your original post did not give any meaningful results.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: Vendicar Decarian on April 18, 2018, 06:51:51 am
Why do you think this is "rubbish"?

Because to be true it would require that the filtering capacitors in the power supply and motherboard are not capable of providing sufficient smoothing to prevent a 1/1000th to 1/10th of a second power increase of at best 20 watts.

The input stage capacitors provide enough current to average the current delivery during every half wave at either 50 or 60 Hz.

For the claim is that these capacitors are not sufficient to provide smoothing over a 25% increase in power consumption over a period of 1/1000th to 1/10th of a second.

A similar argument must be made for the energy storage capacity of the primary transformer, which holds just as much energy.

ATX power supplies are, according to spec, required to continue to provide their maximum output current for 17ms with a complete loss of power. This alone limits the available baud rate to 60 bps with 500 Watt throttling on a 500 Watt power supply. Core throttling is going to produce a 20 watt change on a 500 watt power supply, which the power supply's internal energy will be able to easily provide.

1000 bps... absolute Rubbish. 10 bps... Rubbish. 1 bps... maybe. 1 bps in a typical environment... Rubbish.

Looking at it another way, a baud rate of 1/1000th of a second would mean that the power supply would not be capable of providing any output if the input power was interrupted for as little as several thousandths of a second, when in fact this happens 50 to 60 times a second.

The claim seems like absolute Bullshit to me. Let's see some measurements.

Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: Vendicar Decarian on April 18, 2018, 06:53:48 am
The claim is 10 to 1000 bps, not 1 bps or longer.

I fully admit that data transmission at exceptionally low baud rates is possible, but 10 to 1000 bps is a bogus claim.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: Vendicar Decarian on April 18, 2018, 06:57:17 am
"access to meters in the basement"

That is even more pointless, as there are undoubtedly multiple CPUs running in the building, each switching their power consumption more or less at random. Due to like in the building wiring is going to cause signal noise due to variances in current flow closer to the source of the power.

Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: Vendicar Decarian on April 18, 2018, 06:58:47 am
"However if you can supply machines with compromised power supplies"

And if your mother had wheels......
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: bd139 on April 18, 2018, 07:18:03 am
I take it people realise those little power line Ethernet things will quite happily pair a few doors up the street. Power lines are a big vector.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: ogden on April 18, 2018, 09:08:38 am
The claim seems like absolute Bullshit to me.  Lets see some measurements.

Everything is in the paper. Seems you did not even read it.

Unless you prove that their scientific research & paper is fake, your "seems like absolute Bullshit to me" is just uneducated & emotional, or, using your words, bullshit.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: Bassman59 on May 07, 2018, 04:35:01 am
This has been known about for years in certain sectors. There were massive banks of “power filters” in a facility I was in once which were supposedly to stop information leaking. They were also worried about CRT emissions at the time so CRTs were only allowed in rooms with no windows and shielded lined walls.

At my first job after college, for some reason my group bought a TEMPEST-compliant PC (with associated keyboard and display). It was an absurdly expensive 80286 machine.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: bugi on May 26, 2018, 06:44:19 pm
@Vendicar Decarian

I'm no expert, but judging from your comment, you might know even less, so just some points out of my memory, about PC PSUs (and a bit of motherboard). My apologies if I'm just stating what you already know.

* The motherboard caps, inductors and related circuits are designed to keep the voltages for the CPU well regulated; they are not designed to hide load (current) change from the PSU. The caps' task is to keep the voltage steady, and have pretty much no say about the current. The inductors' typical job is to just filter the high frequency switching currents (typically at least 60kHz, but I think I've seen 1MHz+). The circuitry does not do much about hiding the <1kHz changes; it only needs to hold things steady long enough that the PSU has time to react. Anything longer is wasted money (and PCB area).

* The PSU main "filter"/smoothing caps, their task is to keep the rest of the circuitry happy enough that the PC keeps running. Their task is not to filter out noise (or data signals). Thus, they are optimized for doing that voltage leveling/energy storage task "good enough" at the cheapest price, and filtering noise is just a side-effect. They do not keep the voltage 100% constant, not even close. Any load change applied to them will change the dV/dt, which in turn is seen as input voltage/current/power change after PFC has had its work done (as it tries to keep both the main cap voltage and line loading in check). Which change in turn can be seen at varying level past the EMI filters.

* The EMI filters would attenuate noise/data. But not at low frequencies; their main interest is to attenuate (note, not 100% removal) the typically >60kHz switching noise, and to let the 50-60Hz AC get through. Again, attenuation is done "just enough" to satisfy both the regulators and company profits (i.e. barely within requirements). How the attenuation varies in the 3-4 decades of frequencies in between can affect how much bandwidth would be available for noise/data.

* The main transformer does not need to hold as much energy as the main filter cap(s), due to >1000x higher frequency on the transformer.

* The secondary side capacitors are designed to smooth out all types of changes in voltage or load, but within their limits. Especially, lower frequency load changes will slip right through them. They are typically designed to smooth things out just long enough that the PWM controller and other circuitry has time to catch up, which typically doesn't take that many switching cycles. The control loop will transfer those slower changes to primary side, too.

* Various noises (or data in this case) through the PSU can happen in different ways at different frequencies (bit rates). Low enough can be seen as slow change in load current, medium frequencies might come through as voltage and/or current noise (EMI filters not being very good at lower frequencies, noises/data perhaps coupling in various ways all the way from the secondary side).

There are of course lots of smaller effects and details (attenuations, different means for noise/data to move through the circuits), but I won't even try to get into those. And there are of course PSUs and motherboards that are better at filtering and/or keeping voltages steadier than a "typical" version.

I didn't read that paper. I've read many similar papers before, using even more exotic methods, and can also draw info from other contexts, so I've come to understand that if there is a parameter that is not fully isolated, and that parameter can be affected, it can be used to transmit data. Only the maximum rate and how far the data can be transmitted varies.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: Mr. Scram on May 26, 2018, 10:15:02 pm
Yes, I've read the paper. I think the "line level" attack is not too relevant in practice, since you need to place your current sensor physically quite close to the computer. The "phase level" detection can be done from a more realistic distance.

In the conclusion, the authors neglect to mention the 4% bit error rate they showed earlier in the paper for phase sensing at 10 bit/s. Hence the usable data rate will be a bit lower.
So you don't consider it a rubbish claim, just of limited application in the real world.
Title: Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
Post by: ebastler on May 27, 2018, 11:14:13 am
Yes, I've read the paper. I think the "line level" attack is not too relevant in practice, since you need to place your current sensor physically quite close to the computer. The "phase level" detection can be done from a more realistic distance.

In the conclusion, the authors neglect to mention the 4% bit error rate they showed earlier in the paper for phase sensing at 10 bit/s. Hence the usable data rate will be a bit lower.
So you don't consider it a rubbish claim, just of limited application in the real world.

Right. I think that the claims in the publication are plausible (and they are supported by measurements), so they are certainly not "rubbish claims". There are constraints which limit the use in the real world -- most notably the attacker needing access to the power line not too far from the attacked computers, and the limited data rate even under favorable conditions. But those constraints are correctly described in the paper.