A new method of stealing data from offline machines has been developed utilizing the electromagnetic waves given off by their power supplies.
So-called “air-gapped” PCs – those isolated from the public internet – could have their data stolen at distances of over six feet, and even through walls, by someone with a smartphone or laptop equipped with a special receiver, experts have warned.
The method was developed by Mordechai Guri, a researcher at Ben-Gurion University in Beersheba, Israel, who called it COVID-bit, perhaps in reference to common social distancing rules preventing people from being in close proximity to one another.
Bridging the (air) gap
Air-gapped systems are most commonly deployed in institutions where highly sensitive data and tasks are handled, such as those related to energy, government and military weaponry, making this new method a worrying prospect.
Firstly, the targeted system must have certain malware pre-installed on it, which can only be done via physical access to the machine. This malware controls the CPU load and frequencies of its cores in order for the power supply to produce electromagnetic waves between 0-48kHz.
Guri explained that the switching components inside these systems create a square wave of electromagnetic radiation at specific frequencies, as they switch on and off during AC/DC conversion.
This wave can carry raw data, which can be decoded by those away from the machine with an antenna that can be easily connected to a mobile device’s 3.5mm audio jack. A program on the device can then decode the raw data by applying a noise filter.
Guri tested his method on desktops, a laptop and a Raspberry Pi 3, and found laptops were the trickiest to hack, since their energy saving credentials meant that they didn’t output a strong enough electromagnetic signal.
The desktops, on the other hand, could transmit 500 bits per second (bps) with an error rate between 0.01% and 0.8%, and 1000bps with an error rate of up to 1.78%, which is still accurate enough for effective data harvesting.
At this speed, a 10KB file could be transmitted in under 90 seconds, and raw data pertaining to an hour’s worth of activity on the target machine could be sent in just 20 seconds. Such keylogging could also be transmitted live in real time.
When it came to the Pi 3, its weak power supply meant that receiver distances were limited for successful data transmission.
Guri recommends that air-gapped systems stay safe by monitoring CPU loads and frequencies for any suspicious or unusual activity. However, this can lead to many false positives as such parameters can vary widely during normal usage scenarios.
In addition, such monitoring adds to the processing cost, meaning the potential for reduced performance and increased energy usage.
An alternative solution is to lock the CPU to certain core frequencies, to prevent data from being decoded by their associated electromagnetic radiation. The disadvantage here, though, is that, as aforementioned, natural fluctuations of core frequencies are to be expected, so locking them will result in reduced performance at certain times and overuse at others.