Malicious code keeps evolving, as a team of researchers from Ben-Gurion University of the Negev in Israel has shown by creating and testing malware that can exfiltrate data from air-gapped machines through power lines. The newly invented malware has been dubbed PowerHammer.
What Is PowerHammer Malware?
Simply put, the malware infects air-gapped computers and seeks to alter CPU utilization levels. The infected machine then consumes more or less electrical power, meaning that the malicious code can control the power consumption of the system by intentionally regulating the CPU usage, the researchers explained in their paper “PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines”.
Data is modulated, encoded, and transmitted on top of the current flow fluctuations, and then it is conducted and propagated through the power lines. This phenomenon is known as a ‘conducted emission’.
The researchers demonstrated two versions of the PowerHammer attack. Version one is called line level power-hammering. In this case, the attacker would have to tap the in-home power lines directly attached to the electrical outlet. The other version of the attack is phase level power-hammering, where the attacker taps the power lines at the phase level in the main electrical service panel.
On top of that, the tapping device can also send the recorded data to a nearby computer over WiFi. This makes data collection more efficient even from a distance, as the attacker doesn’t need to physically connect to the tapping device.
In both versions of the attack, the attacker measures the conducted emission and then decodes the exfiltrated data, the researchers said. Their paper also describes the adversarial attack model and presents modulation and encoding schemes, as well as a transmission protocol. The work also covers various attack scenarios and reviews signal-to-noise ratio, signal processing, and the forms of interference. Defensive countermeasures are presented as well.
“Our results show that binary data can be covertly exfiltrated from air-gapped computers through the power lines at bit rates of 1000 bit/sec for the line level power-hammering attack and 10 bit/sec for the phase level power-hammering attack”, the team concluded.