The electromagnetic waves emitted by offline machines' power supplies are being used in a novel technique for stealing data from them.
Experts have cautioned that someone using a smartphone or laptop equipped with a particular receiver may steal data from so-called "air-gapped" PCs, those disconnected from the public internet, at distances of over six feet and even through walls.
The method was created by Mordechai Guri, a researcher at Ben-Gurion University in Beersheba, Israel. Guri gave it the name COVID-bit, possibly in reference to social distance norms that forbid people from being close to one another.
This new approach is concerning since air-gapped systems are typically used in organizations that handle highly sensitive data and tasks, such as those related to energy, government, and military weaponry.
First, specific malware must be pre-installed on the targeted system, which can only be done by physically accessing the machine. The CPU load and core frequencies are managed by this malware such that the power supply generates electromagnetic waves between 0 and 48 kHz.
According to Guri, during the AC/DC conversion, the switching components inside these systems produce a square wave of electromagnetic radiation at particular frequencies as they turn on and off.
The 3.5mm audio connector of a mobile device can be used to attach an antenna to this wave, which can transmit raw data that can be deciphered by someone far from the machine. The raw data can then be decoded using a noise filter by a program running on the device.
Guri tried his technique on desktops, a laptop, and a Raspberry Pi 3, and discovered that laptops were the hardest to break into since they didn't produce a powerful enough electromagnetic signal due to their energy-saving features.
The PCs, on the other hand, were able to send 500 bits per second (bps) with an error rate of between 0.01% and 0.8% and 1000 bps with an error rate of up to 1.78%, which is still accurate enough for efficient data harvesting.
A 10KB file could be sent in less than 90 seconds at this pace, and raw data for an hour's worth of activity on the target system might be sent in as little as 20 seconds. Such keylogging might also be broadcast in real time, live.
With the Pi 3, the receiver distances were constrained for successful data transfer due to the device's insufficient power supply.
Mitigation Tips
Guri suggests keeping an eye on CPU loads and frequencies for any suspicious or unusual activity to keep air-gapped computers secure. However, given that such values might vary greatly in typical usage settings, this may result in a lot of false positives.
Such monitoring also raises the cost of processing, raising the possibility of decreased performance and increased energy use.
To prevent data from being deciphered by the electromagnetic radiation associated with certain core frequencies, an alternative method is to lock the CPU to certain frequencies. The drawback with this approach is that, as previously noted, core frequency fluctuations are normal, therefore locking them will lead to poor performance at times and misuse at other times.