Powerhammering: Can a power cable be used in air-gapped attacks?

Researchers from Israel's Ben-Gurion University of the Negev showed how a power cable could enable hackers to steal data from air-gapped computers. What is this vulnerability, and how can it be exploited?

PowerHammer is a proof-of-concept malware program the researchers created to take advantage of a vulnerability in power lines that enables attackers to exfiltrate data from air-gapped computers. When the PowerHammer proof of concept is implanted on an air-gapped computer, it monitors and measures the fluctuations in the current flow being transmitted through the power lines.

The researchers showed that the malware can transmit data by regulating the system's power consumption by controlling the workload of the CPU; an attacker would be able to receive the exfiltrated data by monitoring changes in the current flow along the power line. Binary data is modulated, encoded and transmitted through the power lines in the form of current flow fluctuations.

The researchers demonstrated data exfiltration from a PC powered by an Intel Haswell-era quad-core processor, achieving a transfer rate of 1,000 bits per second (bps). When targeting a server running an Intel Xeon E5-2620 processor, the researchers were able to exfiltrate data at 100 bps.

Depending on where powerhammering attacks against air-gapped computers occur, the speed at which attackers can exfiltrate data ranges from 10 to 1,000 bps. Higher exfiltration speeds are possible when using power lines attached to electrical outlets inside the target building. This type of attack is known as line-level powerhammering.

Power lines that are outside the building are attached to a main electrical service panel that divides electrical power into subsidiary phases. In these cases, the attack offers much lower throughput.

The researchers showed that the powerhammering attack is still possible if the power line is tapped at the phase level, but exfiltration would occur at up to 10 bps. The slower speed is due to background noise on the exterior cables caused by the sharing of the power supply with appliances, lights and any other electrical devices connected to the power supply. This type of attack is known as phase-level powerhammering.

In both cases, attackers measure emissions on power lines to exfiltrate data.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)