Information is the most critical asset of modern organizations, and accordingly coveted by adversaries. When highly sensitive data is involved, an organization may resort to air-gap isolation, in which there is no networking connection between the inner network and the external world. While infiltrating an air-gapped network has been proven feasible in recent years (e.g., Stuxnet), data exfiltration from an air-gapped network is still considered to be one of the most challenging phases of an advanced cyberattack.In this paper we present "AirHopper", a bifurcated malware that bridges the air-gap between an isolated network and nearby infected mobile phones using FM signals. While it is known that software can intentionally create radio emissions from a video display unit, this is the first time that mobile phones are considered in an attack model as the intended receivers of maliciously crafted radio signals. We examine the attack model and its limitations, and discuss implementation considerations such as stealth and modulation methods. Finally, we evaluate AirHopper and demonstrate how textual and binary data can be exfiltrated from physically isolated computer to mobile phones at a distance of 1-7 meters, with effective bandwidth of 13-60 Bps (Bytes per second).
In this paper we provide an implementation, evaluation, and analysis of PowerHammer, a malware (bridgeware [1]) that uses power lines to exfiltrate data from air-gapped computers. In this case, a malicious code running on a compromised computer can control the power consumption of the system by intentionally regulating the CPU utilization. Data is modulated, encoded, and transmitted on top of the current flow fluctuations, and then it is conducted and propagated through the power lines. This phenomena is known as a 'conducted emission'. We present two versions of the attack. Line level powerhammering: In this attack, the attacker taps the in-home power lines 1 that are directly attached to the electrical outlet. Phase level power-hammering: In this attack, the attacker taps the power lines at the phase level, in the main electrical service panel. In both versions of the attack, the attacker measures the emission conducted and then decodes the exfiltrated data. We describe the adversarial attack model and present modulations and encoding schemes along with a transmission protocol. We evaluate the covert channel in different scenarios and discuss signal-to-noise (SNR), signal processing, and forms of interference. We also present a set of defensive countermeasures. Our results show that binary data can be covertly exfiltrated from air-gapped computers through the power lines at bit rates of 1000 bit/sec for the line level power-hammering attack and 10 bit/sec for the phase level power-hammering attack.
Power stationStep up transformerStep down transformerStep down transformer Residential building 22kV output 400 kV 132 kV 11 kV Fig. 1: A (simplified) schematic diagram of the electricity network
C. Exfiltration through Power LinesIn this paper, we present a new type of electric (current flow) covert channel. The method, dubbed PowerHammer, enables attackers to exfiltrate information from air-gapped networks through AC power lines. We show that a malware running on a computer can regulate the power consumption of the system by controlling the workload of the CPU. Binary data can be modulated on the changes of the current flow, propagated through the power lines, and intercepted by an attacker. We present two versions of the attack. In line level power-hammering the adversary taps the power cables feeding the transmitting computer. In phase level power-hammering the adversary taps the power lines at the phase level, in the main electrical service panel. Using a non-invasive tap, the attacker measures the emission conducted on the power cables. Based on the signal received, the transmitted data is demodulated and decoded back to a binary form.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.