News Cyberattack Steals PC Data Through Its Power Supply

[Admin]

A security researcher found a way to steal data from a PC through its power supply.

Cyberattack Steals PC Data Through Its Power Supply : Read more

 

[drtweak]

I remember reason something a while back about a major power cable manufacture that moved out of china, because all the OEM were pressuring it because malicious chips could be installed in the power cable. Wonder how true that is and wonder if it could pair with this. Its amazing the kinds of way people try to compromise systems.

 

[InvalidError]

Before you can send data over audio or visual air-gap side-channels, you also need access to the data on the system itself. All the side-channels in the world won't do you much good if you cannot beat access controls and encryption.

 

[bit_user]

However, this attack wouldn't be particularly effective in a real-life scenario. Although the success rate is high, the data rate of the attack is a measly 50 bits per second, or equivalent to about 22.5 kB per hour. That works out to about 10,000 words stored in plain text.

The author lacks imagination. This data rate is more than fast enough for nuclear launch codes, encryption keys, or certain other extremely high-value data.

Heck, the SARS-CoV-2 virus is only 30k base-pairs. If I'm not mistaken, that would take only 10 minutes to copy. And the key molecules in a vaccine could be much smaller, depending on the data format.

 

[bit_user]

Before you can send data over audio or visual air-gap side-channels, you also need access to the data on the system itself. All the side-channels in the world won't do you much good if you cannot beat access controls and encryption.

Yeah, we had this whole discussion in the comments of the previous article (steal data from a PC through fan vibrations ).

Basically, you need a vector to get malware into the target machine, such as an infected USB stick used by a witting or unwitting insider.

However, especially if the insider is unwitting, just because you can get malware onto the target doesn't mean you can get data off of it. That's where these sorts of exploits come into the picture.

And before someone brings this up (which I'm sure they will, anyhow): if you're not in possession of data that a government agency or extremely motivated non-state actors would want, the exploit should be of no concern to you.

 

[InvalidError]

Basically, you need a vector to get malware into the target machine, such as an infected USB stick used by a witting or unwitting insider.

In a proper air-gapped system, you shouldn't have access to USB ports without extra layers of verification and supervision. Whatever external data you want to bring in would likely get screened and transferred to a separately approved USB key to prevent hidden malware. Ideally, the whole system would also be locked away in a separate room from where people access the monitor, PS/2 keyboard and mouse.

 

[bit_user]

In a proper air-gapped system, you shouldn't have access to USB ports without extra layers of verification and supervision.

Yeah, of course. It was just a simple example that everyone can understand.

At some point in its life, even an air-gapped system must be installed. The malware could even have been incorporated into the installation image, or perhaps into some updates/drivers/etc. that get installed at some later point in the machine's life.

Ideally, the whole system would also be locked away in a separate room from where people access the monitor, PS/2 keyboard and mouse.

Oh, you're not being nearly paranoid enough. No, I submit that the machine and its windowless room should be in a two-layer Faraday cage, so it remains protected even while the operator is entering & exiting. The machine, itself should be locked in another cage, that prevents physical access.

...not to mention lasers - you gotta protect it with lasers! And thermal cameras, drones, and drones with thermal cameras. And maybe an access tunnel that you can only reach when the tide is out. Because it's guarded by sharks, of course. Sharks with lasers. And probably thermal imaging implants, as well.

And no Lady Gaga fans should be allowed near it. That should've been a red flag, right there!

 

[derekullo]

Solution 1
Create audio distortion on the 20khz - 20Mhz range.
Something is simple as a mechanism for blowing a dog whistle automatically
https://en.wikipedia.org/wiki/Dog_whistle
From the quick google research I've read most speakers tap out at 20khz.
I am unsure if speakers are capable of going above 100khz or even into the 1Mhz range, but if we are securing nuclear codes, let's assume we spent the money to develop some 20khz - 20Mhz 0hz - 20Mhz speakers.
If we are spending millions of dollars developing super speakers we might as well allow them to play Bohemian Rhapsody in all its glory.
Of course our white noise 20khz - 20Mhz would still be playing in the inaudible background during our music.

Solution 2
Place the computer in a vacuum.
You can't hear coil whine or screams in space.
Keeping components cool in a vacuum could be difficult but satellites appear to have no issue, even nuclear powered ones.
According to https://physics.stackexchange.com/questions/149832/cooling-a-satellite/149836
Applying a black coating and using an ammonia in a loop heat pipe should be sufficient.
Peltier cooling also comes to mind.

Solution 3
Mine bitcoin/altcoins to keep your power supply at a steady power state.
Not a maxed out power supply (that would be bad) but one that is incapable of being given any more work due to GPU and CPU being at 100%.
Something like a 500 watt load on a Corsair AX1600i, which also has the benefit of no fan noise/vibration when below 640 watts.
https://www.kitguru.net/wp-content/uploads/2018/01/L1003218.jpg
Bitcoin saves the world!!!

 

[bit_user]

Solution 1
Create audio distortion on the 20khz - 20Mhz range.
Something is simple as a mechanism for blowing a dog whistle automatically

Instead of making a high-pitched noise and hoping it drowns out the PSU, it'd be better to look at the spectral distribution of the PSU and target those specific bands via some combination of active and passive means.

Solution 2
Place the computer in a vacuum.
You can't hear coil whine or screams in space.

Now you're talkin'! And put a Xenomorph in there, to guard it, in case the intruder gets past the sharks.

Applying a black coating and using an ammonia in a loop heat pipe should be sufficient.
Peltier cooling also comes to mind.

But take care not to fry the guard-alien.

Solution 3
Mine bitcoin/altcoins to keep your power supply at a steady power state.
Not a maxed out power supply (that would be bad) but one that is incapable of being given any more work due to GPU and CPU being at 100%.

This is good, except requires network connectivity. However, plenty of workloads don't, such as computing digits of Pi.

Just keep the CPU continuously at max TDP by scheduling a low-priority task for each hyperthread. Then, buy a PSU with plenty of excess capacity.

https://www.kitguru.net/wp-content/uploads/2018/01/L1003218.jpg

Not working, for me.

 

[Magical.Enema]

About 2 months ago I needed to oil my fan on my PSU as it was barely, and I mean barely, turning. And it was just starting to let out the magic smoke! But anyhow, I took it all apart and a piece of a fan blade fell out. I cleaned it up, oiled it and put it back together. Only 2 nights in the last 2 months has the computer been shut off, it's been running continuously since the cleaning and oiling. The broken blade is still laying on my workbench down in the shop!
I would be willing to wager that if "they" were listening and recording my PSU vibes, I would be locked away for a very long time.


It's Magical!