Topic: Rubbish Claim - Data leak through power line by throttling CPU cores.

Offline Vendicar Decarian (Topic starter)

  • Newbie
  • Posts: 5
  • Country: ca
PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines

Mordechai Guri, Boris Zadov, Dima Bykhovsky, Yuval Elovici

10 Apr 2018

In this paper we provide an implementation, evaluation, and analysis of PowerHammer, a malware (bridgeware [1]) that uses power lines to exfiltrate data from air-gapped computers. In this case, malicious code running on a compromised computer can control the power consumption of the system by intentionally regulating the CPU utilization. Data is modulated, encoded, and transmitted on top of the current flow fluctuations, and then it is conducted and propagated through the power lines. This phenomenon is known as a 'conducted emission'. We present two versions of the attack. Line level power-hammering: In this attack, the attacker taps the in-home power lines that are directly attached to the electrical outlet. Phase level power-hammering: In this attack, the attacker taps the power lines at the phase level, in the main electrical service panel. In both versions of the attack, the attacker measures the conducted emission and then decodes the exfiltrated data. We describe the adversarial attack model and present modulations and encoding schemes along with a transmission protocol. We evaluate the covert channel in different scenarios and discuss signal-to-noise ratio (SNR), signal processing, and forms of interference. We also present a set of defensive countermeasures. Our results show that binary data can be covertly exfiltrated from air-gapped computers through the power lines at bit rates of 1000 bit/sec for the line level power-hammering attack and 10 bit/sec for the phase level power-hammering attack.
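The abstract says the transmitter works by regulating CPU utilization, so a host that logs per-core utilization already has the footprint to look for: a trace pinned at the extremes whose dwell times are whole multiples of one symbol period. The checker below is an added example written for this thread, not code from the paper or its authors; the sampling rate, the thresholds and the three synthetic traces (an on-off-keyed load, an ordinary desktop load, and a long batch job) are assumptions made here.

```python
# Host-side heuristic for CPU-utilisation modulation. Added example; the
# sample rate, thresholds and synthetic traces are assumptions, not paper values.
import math
import random
from collections import Counter

SAMPLE_HZ = 100          # assumed utilisation sampling rate of the host monitor
SATURATION_MIN = 0.80    # share of samples pinned near 0% or 100%
QUANTISED_MIN = 0.90     # share of dwell times that fit one base period
MIN_TRANSITIONS = 10     # a batch job has one edge; a modulated load has many

def run_lengths(samples, threshold=0.5):
    """Binarise the trace and return the dwell time (in samples) of each run."""
    levels = [1 if s >= threshold else 0 for s in samples]
    runs, count = [], 1
    for prev, cur in zip(levels, levels[1:]):
        if cur == prev:
            count += 1
        else:
            runs.append(count)
            count = 1
    runs.append(count)
    return runs

def analyse(samples):
    """Three features of one utilisation trace plus a verdict."""
    saturated = sum(1 for s in samples if s <= 0.1 or s >= 0.9) / len(samples)
    runs = run_lengths(samples)
    # Candidate symbol period: the most common dwell time.  Under on-off
    # keying every dwell is an integer number of symbols (20% jitter allowed).
    base = Counter(runs).most_common(1)[0][0]
    quantised = sum(1 for r in runs
                    if abs(r - round(r / base) * base) <= 0.2 * base) / len(runs)
    transitions = len(runs) - 1
    return {"saturated": saturated, "quantised": quantised,
            "transitions": transitions,
            "covert_channel_suspected": (saturated >= SATURATION_MIN
                                         and quantised >= QUANTISED_MIN
                                         and transitions >= MIN_TRANSITIONS)}

def make_ook_trace(payload, baud, rng):
    """Constructed trace: load is high for 1 bits and low for 0 bits."""
    per_symbol = SAMPLE_HZ // baud
    bits = "10101010" + "".join(f"{b:08b}" for b in payload)  # preamble + data
    trace = []
    for bit in bits:
        level = 0.95 if bit == "1" else 0.05
        trace.extend(level + rng.uniform(-0.03, 0.03) for _ in range(per_symbol))
    return trace

def make_benign_trace(n, rng):
    """Constructed desktop load: slow drift plus jitter, never saturated."""
    return [0.3 + 0.12 * math.sin(2 * math.pi * i / (7 * SAMPLE_HZ))
            + rng.uniform(-0.05, 0.05) for i in range(n)]

def make_batch_trace(n, rng):
    """Constructed batch job: pinned near 100% for 90% of the window, then idle."""
    busy = int(n * 0.9)
    return ([0.98 + rng.uniform(-0.02, 0.0) for _ in range(busy)]
            + [0.3 + rng.uniform(-0.05, 0.05) for _ in range(n - busy)])
```

The batch job saturates the CPU just as hard as the modulated load but produces a single edge, which is why the verdict requires all three features rather than saturation alone.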
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6202
  • Country: de
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #1 on: April 14, 2018, 01:36:13 pm »
Why do you think this is "rubbish"?
Have you read the full paper? It seems viable to me. https://arxiv.org/pdf/1804.04014.pdf

Please elaborate on why you think this won't work.
« Last Edit: April 14, 2018, 03:56:57 pm by ebastler »
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 6692
  • Country: nl
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #2 on: April 14, 2018, 01:46:07 pm »
It's not rubbish, but it's also not terribly significant.

An air gap crossing side channel which can run on two rooted but otherwise unmodified computers can be useful, something which requires you to put a current monitor somewhere in the building and even then only manages 1 bit/s ... less so.
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6202
  • Country: de
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #3 on: April 14, 2018, 02:07:20 pm »
It's not rubbish, but it's also not terribly significant.

An air gap crossing side channel which can run on two rooted but otherwise unmodified computers can be useful, something which requires you to put a current monitor somewhere in the building and even then only manages 1 bit/s ... less so.

I think this could very well be used in practice. Not if physical access to the whole target building is controlled, of course; but if you want to tap into a flat or an office floor, and have access e.g. to the electricity meters in the basement?

And somewhat more than 1 bit/s seems feasible -- 10 bit/s minus some margin for error-correcting checksums, to deal with the 4% bit error rate. Certainly enough for a keylogger, for example, or for slowly trickling out some file contents.
 

Offline ogden

  • Super Contributor
  • ***
  • Posts: 3731
  • Country: lv
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #4 on: April 14, 2018, 04:04:19 pm »
And somewhat more than 1 bit/s seems feasible -- 10 bit/s minus some margin for error-correcting checksums, to deal with the 4% bit error rate. Certainly enough for a keylogger, for example, or for slowly trickling out some file contents.

Conclusion chapter: The results show that data can be exfiltrated from air-gapped computers through the power lines at bit rates of 1000 bit/sec for line level power-hammering, and 10 bit/sec for phase level power-hammering.

This particular approach is good when the use of faster transmitters that require close proximity, such as AirHopper, is not possible.
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6202
  • Country: de
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #5 on: April 14, 2018, 04:17:59 pm »
Conclusion chapter: The results show that data can be exfiltrated from air-gapped computers through the power lines at bit rates of 1000 bit/sec for line level power-hammering, and 10 bit/sec for phase level power-hammering.

Yes, I've read the paper. I think the "line level" attack is not too relevant in practice, since you need to place your current sensor physically quite close to the computer. The "phase level" detection can be done from a more realistic distance.

In the conclusion, the authors neglect to mention the 4% bit error rate they showed earlier in the paper for phase sensing at 10 bit/s. Hence the usable data rate will be a bit lower.
 

Online Ian.M

  • Super Contributor
  • ***
  • Posts: 12805
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #6 on: April 14, 2018, 05:18:35 pm »
However, if you can supply machines with compromised power supplies (to get at the load current of the supply to the motherboard's Vcore regulator) and a preinstalled rootkit, you are in like Flynn, and can exfiltrate the data at a reasonable baud rate on command using powerline networking techniques. That's certainly of interest to three letter agencies.

The gold standard for an airgapped machine will henceforth include a full teardown of the PSU, + an always on battery backup system or a rotary converter with a *LARGE* flywheel to lower the possible bit rate to millibaud levels.

Another possible attack would be thermal signalling - I doubt the possible bit rate would be higher than 1 bit per hour,  but that would be good enough to exfiltrate a 256 bit AES key in under two weeks with robust error correction.

 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23017
  • Country: gb
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #7 on: April 14, 2018, 07:37:09 pm »
This has been known about for years in certain sectors. There were massive banks of “power filters” in a facility I was in once which were supposedly to stop information leaking. They were also worried about CRT emissions at the time so CRTs were only allowed in rooms with no windows and shielded lined walls. 
 

Online BrianHG

  • Super Contributor
  • ***
  • Posts: 7660
  • Country: ca
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #8 on: April 14, 2018, 07:45:20 pm »
What about the kid who pointed a telescope at a keyboard's 'Num Lock' LED and, with a photodiode measuring the minute ripple in current generated in the frequency band of the keyboard bit rate, decoded the keystrokes perfectly?

There must be 100s of ways to extract information from a remote PC.
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6202
  • Country: de
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #9 on: April 14, 2018, 08:01:07 pm »
What about the kid who pointed a telescope at a keyboard's 'Num Lock' LED and, with a photodiode measuring the minute ripple in current generated in the frequency band of the keyboard bit rate, decoded the keystrokes perfectly?

If I have a telescope pointed at the keyboard, I can think of a more direct way of monitoring the keystrokes.  ;)
 
The following users thanked this post: Circlotron

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6146
  • Country: ro
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #10 on: April 14, 2018, 08:19:39 pm »
I don't think it's rubbish. Another known attack by CPU throttling (combined with other side-channel attacks) was breaking the anonymity of the Tor network.

The idea was to throttle the CPU (of a victim PC) in order to create temperature variations inside the victim's PC. Temperature variations inside the victim PC will lead to very small frequency variations of any clock inside that PC. Statistics of the clock skew were collected from the anonymized data packets travelling inside the Tor network, thus identifying the victim's data packets inside Tor. It's not instant, but fast enough and reliable enough to do it in an automated way.

Note that a victim's PC can be throttled without breaking into the victim's PC, e.g. by making the victim stay on a web page or a website that throttles the PC in a known way.

Online BrianHG

  • Super Contributor
  • ***
  • Posts: 7660
  • Country: ca
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #11 on: April 14, 2018, 08:30:24 pm »
What about the kid who pointed a telescope at a keyboard's 'Num Lock' LED and, with a photodiode measuring the minute ripple in current generated in the frequency band of the keyboard bit rate, decoded the keystrokes perfectly?

If I have a telescope pointed at the keyboard, I can think of a more direct way of monitoring the keystrokes.  ;)
Not in the dark...
Or at an off angle... Like pointing the telescope from an apartment across the street into an office building's window. You might get one hand's keystrokes if you are visually fast enough. The LED thing can just record all ASCII text throughout the day, free of visual decoding. The LED doesn't even need to be centered or focused in the middle for it to work.

« Last Edit: April 14, 2018, 08:33:10 pm by BrianHG »
 

Offline ogden

  • Super Contributor
  • ***
  • Posts: 3731
  • Country: lv
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #12 on: April 14, 2018, 08:43:52 pm »
What about the kid who pointed a telescope at a keyboard's 'Num Lock' LED and, with a photodiode measuring the minute ripple in current generated in the frequency band of the keyboard bit rate, decoded the keystrokes perfectly?

What about the URL to the original source you forgot to provide?

Another known attack by CPU throttling (combined with other side-channel attacks) was breaking the anonymity of the Tor network.

Again - no URL.
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6146
  • Country: ro
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #13 on: April 14, 2018, 09:12:54 pm »
Another known attack by CPU throttling (combined with other side-channel attacks) was breaking the anonymity of the Tor network.

Again - no URL.

http://lmgtfy.com/?q=Tor+clock+skew+attack

This paper (and its references) is a good starting point for further research on throttling-based attacks:
http://sec.cs.ucl.ac.uk/users/smurdoch/papers/ccs06hotornot.pdf

Online BrianHG

  • Super Contributor
  • ***
  • Posts: 7660
  • Country: ca
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #14 on: April 14, 2018, 11:47:44 pm »
What about the kid who pointed a telescope at a keyboard's 'Num Lock' LED and, with a photodiode measuring the minute ripple in current generated in the frequency band of the keyboard bit rate, decoded the keystrokes perfectly?

What about the URL to the original source you forgot to provide?

This was from the DOS era, early to mid 90s, when the keyboard processor took enough current to send serial data, at a slow rate, on an old PS1 large DIN connector that the LED had measurable ripple current noise in its light source. I cannot find any modern equivalent on Google. At the time, it was reported on a tech news TV show.
« Last Edit: April 14, 2018, 11:49:31 pm by BrianHG »
 
The following users thanked this post: ogden

Offline ogden

  • Super Contributor
  • ***
  • Posts: 3731
  • Country: lv
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #15 on: April 14, 2018, 11:47:53 pm »
Another known attack by CPU throttling (combined with other side-channel attacks) was breaking the anonymity of the Tor network.

Again - no URL.

http://lmgtfy.com/?q=Tor+clock+skew+attack

This paper (and its references) is a good starting point for further research on throttling-based attacks:
http://sec.cs.ucl.ac.uk/users/smurdoch/papers/ccs06hotornot.pdf

Initially you said "CPU throttling", now it's "clock skew attack", which actually works by "inducing (traffic) load on node". And you lmgtfy me. Come on.
 

Online dmills

  • Super Contributor
  • ***
  • Posts: 2093
  • Country: gb
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #16 on: April 15, 2018, 04:21:24 pm »
The power side channel is OLD news; we did it to the Soviet embassy crypto suite back in the teleprinter days (according to Peter Wright, in his (awful) book "Spycatcher"). I see no reason to disbelieve him.

Regards, Dan.
 

Online mikerj

  • Super Contributor
  • ***
  • Posts: 3233
  • Country: gb
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #17 on: April 16, 2018, 02:58:46 pm »
Another known attack by CPU throttling (combined with other side-channel attacks) was breaking the anonymity of the Tor network.

Again - no URL.

http://lmgtfy.com/?q=Tor+clock+skew+attack

This paper (and its references) is a good starting point for further research on throttling-based attacks:
http://sec.cs.ucl.ac.uk/users/smurdoch/papers/ccs06hotornot.pdf

Initially you said "CPU throttling", now it's "clock skew attack", which actually works by "inducing (traffic) load on node". And you lmgtfy me. Come on.

The VERY FIRST result on Google links to a paper that describes the attack in detail, maybe try reading it?

 

Offline ogden

  • Super Contributor
  • ***
  • Posts: 3731
  • Country: lv
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #18 on: April 16, 2018, 04:22:22 pm »
Another known attack by CPU throttling (combined with other side-channel attacks) was breaking the anonymity of the Tor network.

Again - no URL.

http://lmgtfy.com/?q=Tor+clock+skew+attack

This paper (and its references) is a good starting point for further research on throttling-based attacks:
http://sec.cs.ucl.ac.uk/users/smurdoch/papers/ccs06hotornot.pdf

Initially you said "CPU throttling", now it's "clock skew attack", which actually works by "inducing (traffic) load on node". And you lmgtfy me. Come on.

The VERY FIRST result on Google links to a paper that describes the attack in detail, maybe try reading it?

Yes, I did read it - AFTER you provided the correct keywords, in an insulting way. Using the information and keywords "cpu throttling tor anonymity" from your original post did not give any meaningful results.
 

Offline Vendicar Decarian (Topic starter)

  • Newbie
  • Posts: 5
  • Country: ca
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #19 on: April 18, 2018, 06:51:51 am »
Why do you think this is "rubbish"?

Because to be true it would require that the filtering capacitors in the power supply and motherboard are not capable of providing sufficient smoothing to prevent a 1/1000th to 1/10th of a second power increase of at best 20 watts.

The input stage capacitors provide enough current to average the current delivery during every half wave at either 50 or 60 Hz.

For the claim is that these capacitors are not sufficient to provide smoothing over a 25% increase in power consumption over a period of 1/1000th to 1/10th of a second.

A similar argument must be made for the energy storage capacity of the primary transformer, which holds just as much energy.

ATX power supplies are, according to spec, required to continue to provide their maximum output current for 17ms with a complete loss of power. This alone limits the available baud rate to 60 bps with 500 Watt throttling on a 500 Watt power supply. Core throttling is going to produce a 20 watt change on a 500 watt power supply, which the power supply's internal energy will be able to easily provide.

1000 bps... absolute Rubbish. 10 bps... Rubbish. 1 bps... maybe. 1 bps in a typical environment... Rubbish.

Looking at it another way, a baud rate of 1/1000th of a second would mean that the power supply would not be capable of providing any output if the input power was interrupted for as little as several thousandths of a second, when in fact this happens 50 to 60 times a second.

The claim seems like absolute Bullshit to me. Let's see some measurements.

« Last Edit: April 18, 2018, 07:33:25 am by Vendicar Decarian »
 

Offline Vendicar Decarian (Topic starter)

  • Newbie
  • Posts: 5
  • Country: ca
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #20 on: April 18, 2018, 06:53:48 am »
The claim is 10 to 1000 bps, not 1 bps or longer.

I fully admit that data transmission at exceptionally low baud rates is possible; 10 to 1000 bps is a bogus claim.
 

Offline Vendicar Decarian (Topic starter)

  • Newbie
  • Posts: 5
  • Country: ca
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #21 on: April 18, 2018, 06:57:17 am »
"access to meters in the basement"

That is even more pointless, as there are undoubtedly multiple CPUs running in the building, each switching their power consumption more or less at random. Due to like in the building wiring is going to cause signal noise due to variances in current flow closer to the source of the power.

 

Offline Vendicar Decarian (Topic starter)

  • Newbie
  • Posts: 5
  • Country: ca
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #22 on: April 18, 2018, 06:58:47 am »
"However if you can supply machines with compromised power supplies"

And if your mother had wheels......
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23017
  • Country: gb
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #23 on: April 18, 2018, 07:18:03 am »
I take it people realise those little powerline Ethernet things will quite happily pair a few doors up the street. Power lines are a big vector.
 

Offline ogden

  • Super Contributor
  • ***
  • Posts: 3731
  • Country: lv
Re: Rubbish Claim - Data leak through power line by throttling CPU cores.
« Reply #24 on: April 18, 2018, 09:08:38 am »
The claim seems like absolute Bullshit to me. Let's see some measurements.

Everything is in the paper. Seems you did not even read it.

Unless you prove that their scientific research & paper is fake, your "seems like absolute Bullshit to me" is just uneducated & emotional, or, using your words, bullshit.
 