Power supply radiation can make air-gapped computers vulnerable to data theft

COVID-bit, a new attack technique, uses electromagnetic waves to transmit data from air-gapped systems, which are isolated from the internet, over a distance of between two and six meters, where it is captured by a receiver.

The information leaking from the isolated device can be picked up by a nearby laptop or smartphone, even when a wall separates the two.

Mordechai Guri, a Ben-Gurion University researcher, developed the COVID-bit attack. He has previously devised multiple ways to steal sensitive information from air-gapped networks stealthily. Previous work includes ” “, and ” ” attacks.

Initial compromise

Physically air-gapped systems are typically found in high-risk environments such as government and energy infrastructure. They are therefore isolated from public networks and the internet for security purposes.

A rogue or opportunistic intruder must first install custom-made malware on the targeted computers through physical access to the network or device.

Even though this may seem impractical or far-fetched, attacks like this have occurred. Examples include Stuxnet at Iran’s uranium enrichment facility at Natanz, Agent.BTZ, which infected an American military base, and Remsec, a modular backdoor that collected data from air-gapped government networks for more than five years.

To transmit data in the COVID-bit attack, the researchers created malware that regulates CPU load and core frequency so that the power supplies of air-gapped computers emit electromagnetic radiation in a low-frequency band (0 – 48 kHz).

Mordechai Guri explains that the primary source of electromagnetic radiation in SMPS (switch-mode power supplies) is their switching characteristics and internal design in the .

The researcher explains that the square waves are created by MOSFET switching elements turning on and off at certain frequencies in the AC-DC conversion.

The electromagnetic wave can carry a payload of raw data, following a leading sequence of 8 bits.

CPU frequency changes and payload spectrograms


The receiver can be a laptop or smartphone using a small loop antenna connected to the 3.5mm audio jack, which can easily be disguised as headphones or earphones.

The smartphone can record the transmission, apply noise reduction filters, demodulate the raw data, and finally decode the secret.

Attacker in a less secure area receiving secret data


The results

Guri tested three desktop PCs, one laptop, and a Raspberry Pi 3 at various bit rates. He maintained a zero bit error rate at up to 200 bps on the PCs and the Raspberry Pi 3, and at up to 100 bps on the laptop.

Devices used for testing COVID-bit


Laptops perform worse because their energy-saving profiles and more efficient CPU cores mean their PSUs don’t generate enough signal strength.

Desktop PCs can reach a 500 bps transmission rate with a bit error rate between 0.1% and 0.8%, and 1,000 bps with a still acceptable bit error rate of up to 1.788%.

Because of the Raspberry Pi’s weak power supply, the usable distance from the machine was very limited for the Raspberry Pi, while the signal-to-noise ratio for the laptop also got worse as the probes were moved farther away.

Measured signal-to-noise ratio


At the highest transmission speed (1,000 bps), a 10KB file could be transmitted in just 80 seconds. A 4096-bit RSA encryption key could be transmitted in as little as four seconds, or take more than ten minutes, depending on the bit rate. The raw data from one hour of keylogging would be sent to the receiver within 20 seconds.

Live keylogging would work in real time, even at transmission speeds as low as 5 bits per second.

Time (in seconds) needed for payload transmission


The researchers also experimented with virtual machines. They found that interruptions in VM-exit traps to the hypervisor handler cause a signal degradation of between 2 dB and 8 dB.

Protection against COVID-bit

The best defense against COVID-bit attacks would be to restrict access to air-gapped devices in order to prevent installation of the malware. However, this does not protect against insider threats.

For this attack, the researchers recommend monitoring CPU usage to detect suspicious loading patterns and other unusual behavior.

This countermeasure has the drawback of generating many false positives. It also adds an extra data processing overhead, which reduces performance and causes more energy use.
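One way to approach the CPU monitoring described above, as an added example that is not code from the researchers or the original article: it counts how often sampled core frequency flips between a low and a high state per window and flags windows that flip too often. The polling interval, thresholds and traces are constructed assumptions, and the bursty benign trace shows the false-positive drawback mentioned above.

```python
# Added example: flag windows of CPU core-frequency samples that flip between
# low and high states unusually often. All thresholds and traces below are
# constructed assumptions, not values from the COVID-bit research.

def count_flips(samples_mhz, low_mhz, high_mhz):
    """Count low<->high state changes, using a dead band to ignore jitter."""
    state, flips = None, 0
    for freq in samples_mhz:
        if freq >= high_mhz:
            new_state = "high"
        elif freq <= low_mhz:
            new_state = "low"
        else:
            continue  # inside the dead band: keep the previous state
        if state is not None and new_state != state:
            flips += 1
        state = new_state
    return flips

def suspicious_windows(samples_mhz, window, max_flips,
                       low_mhz=1200, high_mhz=3000):
    """Return start indexes of non-overlapping windows exceeding max_flips."""
    hits = []
    for start in range(0, len(samples_mhz) - window + 1, window):
        chunk = samples_mhz[start:start + window]
        if count_flips(chunk, low_mhz, high_mhz) > max_flips:
            hits.append(start)
    return hits

def classify(trace, window=16, max_flips=6):
    """Label a whole trace by whether any window was flagged."""
    return "suspicious" if suspicious_windows(trace, window, max_flips) else "normal"

# Constructed traces, one frequency sample (MHz) per polling interval.
IDLE = [800, 820, 810, 800, 790, 805, 800, 815] * 4   # idle desktop
BUILD = [800] * 6 + [3400] * 20 + [800] * 6           # one long compile burst
TOGGLING = [800, 3400] * 16                           # sustained rapid alternation
BURSTY = [800, 3400, 3400, 800] * 8                   # benign but bursty workload

if __name__ == "__main__":
    traces = [("idle", IDLE), ("build", BUILD),
              ("toggling", TOGGLING), ("bursty", BURSTY)]
    for name, trace in traces:
        print(f"{name:9s} {classify(trace)}")
```

The bursty trace is flagged even though it is benign, so in practice the flip threshold has to be tuned against a baseline of the machine's normal workload.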

Another countermeasure is to set a fixed frequency for the CPU core, making it harder to generate the data-carrying signal, even stopping it completely.

This technique has the disadvantage of reduced processor performance or high energy consumption, depending on the lock frequency.