Author Topic: This got to be just clickbait for the news...  (Read 1677 times)


Offline rune72Topic starter

  • Newbie
  • Posts: 8
  • Country: no
This got to be just clickbait for the news...
« on: May 06, 2020, 06:01:16 pm »
POWER-SUPPLaY technique uses "singing capacitor" phenomenon for data exfiltration.

https://www.zdnet.com/article/academics-turn-pc-power-unit-into-a-speaker-to-leak-secrets-from-air-gapped-systems/

How can CPU cores piggyback information on a pretty well filtered DC power rail back to a PC power supply and have a tiny capacitor "sing"... and then use a cellphone's microphone to receive these minute ultrasonic vibrations....

Had he used a good directional microphone and a spectrum analyzer to display this leakage - maybe.... but.. hmmm... :palm:



« Last Edit: May 06, 2020, 06:11:45 pm by rune72 »
 

Offline Haenk

  • Super Contributor
  • ***
  • Posts: 1089
  • Country: de
Re: This got to be just clickbait for the news...
« Reply #1 on: May 06, 2020, 06:59:41 pm »
"subject to background noise" but working from up to 6 meters away

Surely, that guy never came close to a server or went into a server room. There is a lot of noise, but certainly no singing capacitors.

I smell a lot of BS going on.
 

Online amyk

  • Super Contributor
  • ***
  • Posts: 8263
Re: This got to be just clickbait for the news...
« Reply #2 on: May 06, 2020, 11:44:07 pm »
As the title clearly says, "academics". That says all you need to know.
 

Online Gregg

  • Super Contributor
  • ***
  • Posts: 1128
  • Country: us
Re: This got to be just clickbait for the news...
« Reply #3 on: May 06, 2020, 11:46:06 pm »
I think this should be thoroughly investigated by Linus Tech Tips.  Linus has the audience and big money to jump into this rabbit hole and maybe even compare ‘singing capacitors’ and ‘audio grade capacitors’.   :-DD  :-//
I’d stock up on popcorn for this.  :popcorn:
 

Offline MK14

  • Super Contributor
  • ***
  • Posts: 4527
  • Country: gb
Re: This got to be just clickbait for the news...
« Reply #4 on: May 07, 2020, 12:52:57 am »
Let's pretend (or be nice) and say it works.
But, they admit:
Quote
Guri has only developed and studied the data exfiltration technique. Guri's work does not focus on planting the malware on air-gapped systems or getting near to an air-gapped system to steal data. This is out of scope of his project.

You would somehow have to plant malware on the high (physical) security, possibly secret server(s), which isn't connected to the internet.

You would somehow have to plant (and somehow hide) a secret mobile phone (or similar), to record the sounds, fairly near the applicable server(s).

I suspect the maximum baud rate would be rather low indeed, i.e. probably a lot worse than the old audio cassette tape decks on vintage home computers, which would take 5 minutes to load a massive 8K program (values are estimates).
So, how long would many gigabytes or even terabytes of secret military plane data take to transfer?

E.g. if 8K takes 5 minutes,
then each terabyte would take 1T/8K x 5 minutes = well over a thousand years!
Per terabyte of transfer.

Also, servers usually have two power supplies (for redundancy), which presumably complicates things further. Server rooms can be really, really noisy (already mentioned in this thread). Like being near a jet aircraft, with the engines roaring. Which also makes this sound somewhat impracticable, even if theoretically possible.
 

Offline MK14

  • Super Contributor
  • ***
  • Posts: 4527
  • Country: gb
Re: This got to be just clickbait for the news...
« Reply #5 on: May 07, 2020, 12:59:12 am »
I'd only skimmed the article. Reading it further.
Quote
0-10 bits/sec when the data needs to travel for more than 2 meters.

At that rate, it would probably only be useful for getting passwords and other very short information.
Not terabytes!
 

Offline Cyberdragon

  • Super Contributor
  • ***
  • Posts: 2676
  • Country: us
Re: This got to be just clickbait for the news...
« Reply #6 on: May 07, 2020, 02:34:44 am »
Quote
I'd only skimmed the article. Reading it further.
Quote
0-10 bits/sec when the data needs to travel for more than 2 meters.

At that rate, it would probably only be useful for getting passwords and other very short information.
Not terabytes!

Except this isn't an ancient core memory machine, they're talking about modern PCs. There's way more than 10 bits whizzing around just to keep a picture on the screen, let alone for typing anything.
*BZZZZZZAAAAAP*
Voltamort strikes again!
Explodingus - someone who frequently causes accidental explosions
 
The following users thanked this post: MK14

Offline ZigmundRat

  • Regular Contributor
  • *
  • Posts: 125
  • Country: us
Re: This got to be just clickbait for the news...
« Reply #7 on: May 07, 2020, 02:57:07 am »
Well, they didn’t think TEMPEST and Van Eck phreaking were real either...
 

Offline Weston

  • Regular Contributor
  • *
  • Posts: 217
  • Country: us
Re: This got to be just clickbait for the news...
« Reply #8 on: May 07, 2020, 06:03:35 am »
Quote
POWER-SUPPLaY technique uses "singing capacitor" phenomenon for data exfiltration.

https://www.zdnet.com/article/academics-turn-pc-power-unit-into-a-speaker-to-leak-secrets-from-air-gapped-systems/

How can CPU cores piggyback information on a pretty well filtered DC power rail back to a PC power supply and have a tiny capacitor "sing"... and then use a cellphone's microphone to receive these minute ultrasonic vibrations....

Had he used a good directional microphone and a spectrum analyzer to display this leakage - maybe.... but.. hmmm... :palm:

Have you never had a computer with microphonic capacitors? High capacitance ceramic caps are prone to it and some computer manufacturers spend a lot of effort trying to prevent it in the name of "user experience". My last laptop (thinkpad) had strong enough microphonics where I could hear ticks as I scrolled down web pages. It's distinct from coil whine, which could also be modulated and falls under this same risk model.

Given enough signal processing techniques you should be able to recover some modulated signal with a smartphone microphone, even from a distance. For example, GPS signals are recoverable from below the RF noise floor because of lots of signal processing and a known structure of the signal.

The use case for this would probably be exfiltrating passwords or encryption keys. Not to say it's practical, especially in its current form, but for security related things all it takes is a proof of concept for something to get added as a threat model. Some organizations are super paranoid about these things due to security (government) or economic (something like a cryptocurrency exchange) reasons.

As an easy example, wallets for cryptocurrency exchanges can hold many millions of dollars in cryptocurrency. On a per bit basis, those keys are worth thousands or millions of dollars. The hardware to sign transactions with those keys is typically air gapped and access controlled. Now, if you manage to get the exchange to use altered hardware and get a microphone close enough you can exfiltrate those keys. Given the key is so small, it does not matter what your data rate is.
 

Offline rune72Topic starter

  • Newbie
  • Posts: 8
  • Country: no
Re: This got to be just clickbait for the news...
« Reply #9 on: May 07, 2020, 09:21:20 am »
I have to acknowledge that this phenomenon exists and it is always possible to exploit these. Dave even tried this with hacking the safe lock in video #771.

Looking at the YT video again a few times, I start to understand more about what happens: it's not realtime as it might seem, it does take a while before the modulation happens. So his Ubuntu machine is making a profile that manipulates the CPU power usage and then makes the PSU work harder, and it can either use this or other methods (using the fan speed or power usage of the computer) to slowly send data that can be picked up without having physical access to the device.

 

Offline T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 21657
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
Re: This got to be just clickbait for the news...
« Reply #10 on: May 07, 2020, 01:57:45 pm »
A boring story to illustrate the point:

Just a few weeks ago, I had an extended power outage, and was running my modem, router and laptop charger on an inverter of my own design.  The inverter is of the "modified sine" type, plus current limiting, with filtered outputs (enough filtering just to take the edge off and allow the current limiting to work -- the mains waveform is still very chunky).  Well, the filter inductors buzz, or maybe it's the capacitors, but it doesn't really matter.  What's important is they buzz louder under load.

So, say I'm flipping through a static web page: there's a big rush of power consumption as the page loads, then a little here or there as the CPU renders more of the page.  Say I'm flipping through an infinite-scrolling web page: the CPU is constantly pulling in more content, formatting and rendering it.  Every scroll causes a buzz, louder and longer, and more sporadic (as content is loaded piecemeal), than the other example.

You'd need a keylogger or other kind of trojan to trap keystrokes and convert them to moderate CPU usage, but this is absolutely a fine way to exfiltrate small amounts of data.

Keep in mind that comparable data flows are responsible for all the Spectre, Meltdown, etc. vulnerabilities.  A malicious program might execute millions or billions of loops, extracting mere bytes or kB in the process; but that's all that's necessary to snoop around suspected user or kernel data structures, and locate and exfiltrate keys.

Time doesn't really matter, if the system and attack are persistent.  A few kB key is easily read out over several days at some bits/second.  Well, heck, hours even at that.  Doesn't matter if it requires patience.  A good attacker has that.  What matters is whether it's possible at all.

Now, noteworthy that my example is air-gapped in one respect: it's battery powered, so a lot of that information is lost by merely discharging the battery an incremental amount.  If it were on a float charger at the same time, the load fluctuations will pass through it, into the mains; that would be a mistake.  However, if I designed a random cycling charger (which responds only very gradually, to keep up average charge level), that would again not only destroy the signal, but allow it to be masked as well.

Or actually, just swapping two batteries would be the better idea.  It would still be difficult to separate load current from charge current, and thus the information leakage would merely be conditional on the charger being active.  It becomes merely an intermittent channel.  Swapping batteries ensures that load and charge currents are wholly separate.

And not that I have any particular need or expectation of such levels of secrecy; this is not at all intended as part of a proper air-gapped system, just a coincidental example, a part among many others that is necessary to ensure proper isolation of such systems.

Tim
Seven Transistor Labs, LLC
Electronic design, from concept to prototype.
Bringing a project to life?  Send me a message!
 
The following users thanked this post: MK14
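Two points in this thread can be put side by side in a small numeric model: Weston's observation that a weak modulated signal with a known structure (here, a known bit clock) is recoverable from below the per-sample noise floor, and Tim's observation that a charger or battery stage that only tracks the average load smears the fluctuations before they reach the mains. The following is an added example written for this thread; it is not code from the ZDNet article, the POWER-SUPPLaY paper, or any poster. Everything in it is constructed: the sample rate, the 5 bit/s on-off keyed load, the 8-bit payload, the Gaussian microphone noise, and the charger modelled as a first-order low-pass with a 10 s time constant.

```python
import math
import random

# Constructed channel model: CPU load keyed on/off at a rate inside the
# 0-10 bit/s range quoted in the thread, optionally a slowly responding
# charger between the load and the observer, and a noisy microphone.
FS = 2000                             # sample rate in Hz (constructed)
BIT_RATE = 5                          # bits per second (constructed)
SAMPLES_PER_BIT = FS // BIT_RATE      # 400 samples per bit period
PAYLOAD = [1, 0, 1, 1, 0, 0, 1, 0]    # constructed stand-in for a few secret bits


def load_waveform(bits, amplitude=1.0):
    """On-off keyed load: a busy CPU (1) draws 'amplitude' extra current, idle (0) none."""
    wave = []
    for b in bits:
        wave.extend([amplitude * b] * SAMPLES_PER_BIT)
    return wave


def slow_charger(wave, tau_seconds):
    """First-order low-pass standing in for a charger that only follows the average load.
    The filter state starts at the waveform's mean, i.e. the charger is already settled."""
    alpha = 1.0 / (1.0 + tau_seconds * FS)   # per-sample step for time constant tau
    y = sum(wave) / len(wave)
    out = []
    for x in wave:
        y += alpha * (x - y)
        out.append(y)
    return out


def add_noise(wave, sigma, seed=1):
    """Additive Gaussian microphone noise (constructed; fixed seed for repeatability)."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in wave]


def bit_means(wave):
    """Average each bit period: a receiver with a known bit clock gains sqrt(N) against noise."""
    return [sum(wave[i:i + SAMPLES_PER_BIT]) / SAMPLES_PER_BIT
            for i in range(0, len(wave), SAMPLES_PER_BIT)]


def decide(means, threshold):
    return [1 if m > threshold else 0 for m in means]


def eye_opening(wave, bits):
    """Noise-free gap between the lowest '1' bit period and the highest '0' bit period.
    Positive: some threshold decodes every bit. Negative: the periods overlap and
    no threshold can recover the pattern, regardless of further averaging."""
    means = bit_means(wave)
    ones = [m for m, b in zip(means, bits) if b == 1]
    zeros = [m for m, b in zip(means, bits) if b == 0]
    return min(ones) - max(zeros)


def per_sample_snr_db(amplitude, sigma):
    return 20.0 * math.log10(amplitude / sigma)


def integrated_noise_std(sigma):
    """Noise standard deviation that survives averaging over one bit period."""
    return sigma / math.sqrt(SAMPLES_PER_BIT)


def processing_gain_db():
    return 10.0 * math.log10(SAMPLES_PER_BIT)


def recover_direct(sigma=2.0):
    """Load fluctuations reach the microphone unfiltered: per-sample SNR is -6 dB,
    yet averaging over the bit period recovers the payload."""
    observed = add_noise(load_waveform(PAYLOAD), sigma)
    return decide(bit_means(observed), 0.5)


def recover_through_charger(tau_seconds=10.0, sigma=2.0):
    """Same load and receiver, but behind a charger with a 10 s time constant."""
    observed = add_noise(slow_charger(load_waveform(PAYLOAD), tau_seconds), sigma)
    return decide(bit_means(observed), 0.5)


if __name__ == "__main__":
    print("per-sample SNR %.1f dB, processing gain %.1f dB"
          % (per_sample_snr_db(1.0, 2.0), processing_gain_db()))
    print("eye opening, direct:      %.3f" % eye_opening(load_waveform(PAYLOAD), PAYLOAD))
    print("eye opening, via charger: %.4f" % eye_opening(slow_charger(load_waveform(PAYLOAD), 10.0), PAYLOAD))
    print("decoded direct:     ", recover_direct())
    print("decoded via charger:", recover_through_charger())
```

With these constructed numbers the direct path has a per-sample SNR of about -6 dB, but averaging 400 samples per bit adds 26 dB of processing gain, so the eight bits come back intact: that is the "known structure of the signal" effect Weston describes. Behind the 10 s charger the noise-free eye opening is already negative, because the charger's memory makes a 0 that follows two 1s sit higher than a 1 that follows two 0s, so no threshold and no amount of further averaging at the receiver recovers the pattern. The model only covers a first-order tracking charger; Tim's point that swapping batteries separates load and charge currents entirely is the stronger version of the same mitigation.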

Offline dropkick

  • Contributor
  • Posts: 47
  • Country: us
Re: This got to be just clickbait for the news...
« Reply #11 on: May 07, 2020, 03:34:04 pm »
Why not just use the speaker??
 

