Researchers have demonstrated a way to exfiltrate data from air-gapped computers: malware that controls the system's power consumption.
“The method, dubbed PowerHammer, enables attackers to exfiltrate information from air-gapped networks through AC power lines,” said researchers from the Ben-Gurion University of the Negev in Israel. “We show that a malware running on a computer can regulate the power consumption of the system by controlling the workload of the CPU. Binary data can be modulated on the changes of the current flow, propagated through the power lines, and intercepted by an attacker.”
They devised two versions of the attack: line-level power-hammering, in which the attacker taps the in-building power lines directly attached to the electrical outlet, and phase-level power-hammering, in which the attacker taps the power lines in the main electrical service panel.
“The receiver is a non-invasive probe connected to a small computer (for the signal processing). The probe is attached to the power line feeding the computer or the main electric panel. It measures the current in the power line, processes the modulated signals, decodes the data and sends it to the attacker (e.g., with a Wi-Fi transceiver),” said researchers Mordechai Guri, Boris Zadov, Dima Bykhovsky, and Yuval Elovici in a paper.
Malware planted on the target computer harvests data (e.g., passwords, encryption keys), encodes it, and transmits it as signals injected into the power lines, where the probe picks them up.
The signals are generated by varying the workload on CPU cores not in use by running processes, so the computer does not slow down or show any outward sign of the exfiltration.
In their tests, binary data could be extracted over the power lines at 1000 bits per second for the line-level attack and 10 bits per second for the phase-level attack.
Defenders have several options for spotting or blocking these attacks: monitoring the current flow on the power lines, installing power-line filters, jamming the signal, and running host-based intrusion detection and prevention systems that continuously trace the activities of running processes.
Each of these approaches has weaknesses, among them unreliable results, the possibility that additional malware thwarts the protection, too many false alarms, and coverage of one type of attack but not the other.
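As an added illustration (not code from the paper or from this article), the following Python model walks through both the channel described above and the current-monitoring defence: bits become a CPU-load schedule for a spare core, the schedule becomes a noisy current trace of the kind a probe on the mains lead would record, the trace is sliced back into bits, and a simple monitor compares a trace against a known-quiet baseline. The current levels, noise figure, bit period and preamble are assumptions chosen for the simulation; nothing here loads a real CPU or touches hardware.

```python
"""Toy model of a PowerHammer-style channel: bits -> CPU-load schedule -> noisy
current trace -> recovered bits, plus the current monitor a defender might run.
Pure simulation: no core is actually busy-looped and no probe is involved."""
import random
import statistics

SAMPLES_PER_BIT = 20           # probe samples per transmitted bit (assumed value)
PREAMBLE = [1, 0] * 4          # alternating bits that calibrate the receiver (assumed)


def bytes_to_bits(data: bytes) -> list:
    """MSB-first bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def load_schedule(payload: bytes) -> list:
    """Per-sample plan for the spare core: 1 = busy-loop, 0 = idle, each held one bit period."""
    frame = PREAMBLE + bytes_to_bits(payload)
    return [bit for bit in frame for _ in range(SAMPLES_PER_BIT)]


def power_line(schedule, idle_a=0.50, busy_a=0.65, noise_sd=0.03, seed=7):
    """Crude channel model: a busy core draws more current; Gaussian probe noise is added.
    The current levels (amperes) and noise figure are made up for the simulation."""
    rng = random.Random(seed)
    return [(busy_a if busy else idle_a) + rng.gauss(0.0, noise_sd) for busy in schedule]


def window_means(trace) -> list:
    """Average the trace over each bit period (integrate-and-dump)."""
    n = len(trace) // SAMPLES_PER_BIT
    return [statistics.fmean(trace[i * SAMPLES_PER_BIT:(i + 1) * SAMPLES_PER_BIT])
            for i in range(n)]


def demodulate(trace) -> list:
    """Slice each window mean at the midpoint between the preamble's high and low levels."""
    means = window_means(trace)
    pre = means[:len(PREAMBLE)]
    high = statistics.fmean([m for m, b in zip(pre, PREAMBLE) if b])
    low = statistics.fmean([m for m, b in zip(pre, PREAMBLE) if not b])
    threshold = (high + low) / 2
    return [1 if m > threshold else 0 for m in means[len(PREAMBLE):]]


def exfiltrate(payload: bytes, **channel) -> bytes:
    """End-to-end round trip: payload -> load schedule -> simulated current -> bytes."""
    return bits_to_bytes(demodulate(power_line(load_schedule(payload), **channel)))


def looks_modulated(trace, quiet_trace, factor=4.0) -> bool:
    """Defender's current monitor: flag a trace whose per-window means spread far more
    widely than a known-quiet baseline.  'factor' sets the false-alarm / miss trade-off."""
    spread = statistics.pstdev(window_means(trace))
    baseline = statistics.pstdev(window_means(quiet_trace))
    return spread > factor * baseline


if __name__ == "__main__":
    secret = b"key"
    print("recovered:", exfiltrate(secret))
    quiet = power_line([0] * 400, seed=8)
    print("modulated trace flagged:", looks_modulated(power_line(load_schedule(secret)), quiet))
    print("quiet trace flagged:", looks_modulated(power_line([0] * 400), quiet))
```

The receiver learns its slicing threshold from the preamble rather than from a fixed current value, which is what lets the same decoder work on machines with different idle draw. The monitor, by contrast, only sees large, abrupt swings between two current levels; an attacker who modulates more gently, or a machine whose normal load already swings widely, pushes it toward the unreliable results and false alarms the article lists as weaknesses.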