The investigator has shown that by misusing the power supply, attackers can transmit data from the device through the acoustic channel with an air trap, even if the device they are targeting has no speakers.
In some isolated systems, audio devices can be turned off to prevent subtle data leaks. However, researcher Mordechai Guri from the Cybersecurity Research Center at Ben Gurion University in the Israeli Negev showed that a malicious program could cause the device to generate power to generate sounds that could be picked up by a nearby receiver.
A malicious program that does not require special authorization can modulate the transmitter’s information with audio signals and send it to the listening smartphone. This method can be used to filter passwords, encryption keys and files from PCs, servers and even IoT devices that do not have audio hardware.
Tests conducted by Guri have shown that the attack method they call POWER-SUPPLaY can be used to steal data from an air suspension system at a distance of up to 5 metres (16 feet) with a maximum transfer rate of 50 bps – the transfer rate decreases as the distance increases.
The attack consists of starting and stopping the CPU, which affects the switching frequency of the power supply, which in turn affects the transformers and capacitors of the power supply. These transformers and capacitors generate acoustic signals (i.e. noise).
Guri has shown that a malicious program capable of controlling the load on the CPU of the device can cause both audible and inaudible noise in the power supply. The researcher showed that with this method the power supply can play a Happy Birthday song.
Of course, a malicious program that tacitly filters data will not produce any attention-grabbing sounds. Instead, it emits audible or inaudible sounds at two or more different frequencies, each frequency representing 0 bit, 1 bit or a sequence of bits (e.g. 00, 01, 10, 11) detected by the receiver.
The receiving smartphone may belong to an attacker, or it may be a compromised device belonging to someone working for the target organization.
It is not the first time that a researcher from Ben-Gurion University has demonstrated the method of filtering data obtained from airborne devices in the Negev. In recent years, they have demonstrated methods of silent data theft using fan vibration, heat radiation, hard drive LEDs, infrared cameras, magnetic fields, power cables, router LEDs, scanners, screen brightness, USB devices and sound from hard drives and fans.
That’s what it looks like: Hackers can use the brightness of the screen to steal data from computers connected to the open air.
That’s what it looks like: Chinese shredders are equipped with pneumatic systems: Report to .
That’s what it looks like: Hackers can steal coded money from wallets with air instruments: Researchers
@EduardKovacs – Publisher of the Safety Week. He worked for two years as a high school computer science teacher before starting a career in journalism as a security reporter for Softpedia. Edouard has a bachelor’s degree in industrial computer sciences and a master’s degree in computer engineering for electrical engineering.
Previous chronicles of Eduard Kovacs :