Researchers Turn Power Supplies into Speakers, Leaking Data from Air-Gapped and Audio-Gapped Systems

Mordechai Guri, a cybersecurity researcher from Ben Gurion University in Israel, has acquainted the world to a new way for bad actors to steal sensitive data acoustically, from air-gapped and audio-gapped systems.

While breaching and leaking data from air-gapped or audio-gapped systems is a complex task that usually requires the assistance of malicious insiders, various incidents have been reported in previous years. For example, the 2019 attack on the Kudankulam Nuclear Power Plant, where a malware-infected personal computer was connected to the plant’s administrative network .

Researchers introduced a piece of malware that “can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities.”

POWER-SUPPLaY was able to exfiltrate sensitive data from air-gapped and audio-gapped systems from a distance of 5 meters at a rate of 50 bit per second, without requiring hardware access or any other special privileges.

The mind-bending discovery also shows that binary data such as files and encryption keys can be “modulated over the acoustic signals and sent to a nearby receiver” such as a smartphone. Using POWER-SUPPLaY, data exfiltration was possible on PC workstations, servers, embedded systems and IoT devices with no audio hardware.

In one attack scenario listed in the research paper, an attacker wishing to steal sensitive information from a PC (equipped with an internal power supply) must compromise the system along with the victim’s smartphone. After gathering required data from the targeted system, POWER-SUPPLaY modulates and transmits the information “using the acoustic sound waves emitted from the computer’s power supply” while the “infected mobile phone detects the transmission, demodulates and decodes the data, and transfers it to the attacker via the Internet using mobile data or Wi-Fi.”

Since the code makes use of basic CPU operations without showing malicious behavior, POWER-SUPPLaY was not detected by security solutions, making it a dangerous tool for cybercriminals.

The research paper offers four countermeasures that can be used to protect systems such as zoning or restricting the use of electronic devices or smartphones near sensitive computers, signal detection, signal jamming and signal blocking.