Getting Data Out Of Air-Gapped Networks Through The Power Cable

If you are an organisation that is custodian of sensitive information or infrastructure, it would be foolhardy of you to place it directly on the public Internet. No matter how good your security might be, there is always the risk that a miscreant could circumvent it and perform all sorts of mischief. The solution employed therefore is to physically isolate such sensitive equipment from the rest of the world, creating an air gap. Nothing can come in and nothing can go out.

Well, that’s the theory, anyway. [Davidl] sends us some work that punches a hole in some air-gapped networks, allowing low-speed data to escape the air gap even if it doesn’t allow the reverse.

So how is this seemingly impossible task performed? The answer lies in the mains electrical infrastructure. If the air gap is bridged by a mains cable, the load on that cable can be modulated by altering the work undertaken by a computer connected to it: a process on the isolated machine spins the CPU up and down on a schedule, and the current drawn from the wall follows. That modulation can then be detected with a current transformer clamped around the cable, or even by compromising a UPS or electricity meter outside the air gap. The bandwidth is tiny, but a key or a password does not need much.
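To make the mechanism concrete, here is an added end-to-end simulation of that channel in Python. It is illustrative code written for this page, not [Davidl]’s own tooling, and every number in it is an assumption: a 50 Hz supply, a 2 kHz sample rate on the current transformer, 10 bit/s on-off keyed symbols, and idle/busy currents of 0.40 A and 0.95 A RMS. The “channel” is a constructed sine plus Gaussian noise standing in for the real cable.

```python
"""Simulation of the power-line covert channel: a process on the isolated host
toggles CPU load to modulate mains current (on-off keying) and a current
transformer outside the air gap recovers the bits from the RMS envelope.
Illustrative code; all constants are assumptions, not measurements."""
import math
import random

MAINS_HZ = 50.0
SAMPLE_HZ = 2000.0          # assumed ADC rate on the current transformer
BIT_SECONDS = 0.1           # assumed symbol period (exactly 5 mains cycles)
IDLE_AMPS = 0.40            # assumed RMS draw of an idle host
BUSY_AMPS = 0.95            # assumed RMS draw with all cores spinning
PREAMBLE = [1, 0, 1, 0, 1, 1, 0, 0]   # lets the receiver find frame start
SAMPLES_PER_BIT = int(SAMPLE_HZ * BIT_SECONDS)


def frame_bits(payload):
    """Transmitter: preamble followed by the payload, MSB first.
    1 = spin the CPU for one symbol period, 0 = sleep."""
    bits = list(PREAMBLE)
    for byte in payload:
        bits.extend((byte >> i) & 1 for i in range(7, -1, -1))
    return bits


def simulate_current(bits, noise_amps=0.05, seed=1):
    """Stand-in for the physical channel: the host's current is a 50 Hz sine
    whose amplitude follows the busy/idle schedule, plus Gaussian noise.
    Constructed data; a real CT would also see every other load on the run."""
    rng = random.Random(seed)
    samples = []
    for bit in bits:
        rms = BUSY_AMPS if bit else IDLE_AMPS
        for _ in range(SAMPLES_PER_BIT):
            t = len(samples) / SAMPLE_HZ
            samples.append(rms * math.sqrt(2) * math.sin(2 * math.pi * MAINS_HZ * t)
                           + rng.gauss(0.0, noise_amps))
    return samples


def rms_envelope(samples):
    """Receiver, step 1: RMS current over each symbol period.  Integrating
    over whole mains cycles removes the 50 Hz carrier and leaves the load
    envelope, which is what carries the data."""
    return [
        math.sqrt(sum(x * x for x in samples[i:i + SAMPLES_PER_BIT]) / SAMPLES_PER_BIT)
        for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT)
    ]


def decode(samples):
    """Receiver, step 2: slice the envelope at the midpoint between the two
    levels, locate the preamble, and repack the following bits into bytes.
    Symbol timing is assumed known here; a real receiver needs clock recovery."""
    env = rms_envelope(samples)
    threshold = (max(env) + min(env)) / 2.0
    bits = [1 if level > threshold else 0 for level in env]
    for start in range(len(bits) - len(PREAMBLE) + 1):
        if bits[start:start + len(PREAMBLE)] == PREAMBLE:
            data = bits[start + len(PREAMBLE):]
            out = bytearray()
            for i in range(0, len(data) - 7, 8):
                out.append(int("".join(str(b) for b in data[i:i + 8]), 2))
            return bytes(out)
    return None


if __name__ == "__main__":
    secret = b"KEY=0x1337"
    recovered = decode(simulate_current(frame_bits(secret)))
    print(recovered, "ok" if recovered == secret else "FAILED")
```

The receiver is nothing more than a per-symbol RMS meter and a threshold; that is the point of the technique, and also why a defender can run exactly the same envelope detector on the feed from a clamp meter to spot a host whose current draw is toggling in a suspiciously regular pattern.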

Of course, the Hackaday readership are all upstanding and law-abiding citizens of good standing, to whom such matters are of purely academic interest. Notwithstanding that, the article goes into the subject in great detail, and makes for a fascinating read.

We’ve touched on this subject before with techniques such as broadcast radio interference and the noise from a fan, as well as in an in-depth feature.

28 thoughts on “Getting Data Out Of Air-Gapped Networks Through The Power Cable”

        1. Some years ago we were doing research on industrial powerline modems. We had a test setup with a few computers connected to the line interface to test the PHY algorithms. By analyzing the interference profile (this is done to tune OFDM settings) we could easily figure out which appliances in our building were turned on. All that was needed was a quick calibration of the specific appliance. We were thinking if this had some commercial application, but didn’t really find something someone was interested in.

          1. That’s fascinating, I wonder if you could fingerprint individual appliances of the same brand and model type too. Like I said, reading about air gap penetration, sound recovery and toolsets such as the NSA Playset are all fascinating to me.

          2. It’s not well documented, however back in the 80s-90s there were general “state” provisions that were somewhat known in California that could be used, for example. One was the roar of halide/sodium ballasts that could be heard through a Walkman coming off the ground line while passing by a house. “Hmmm, wonder why a dark house had a roar coming from it…”

            TEMPEST for ELIZA is a very old trick for CRT monitors to transmit… MUSIC.

            On a personal level I had a VHF/UHF TV (Atari/NES) right next to my IBM XT clone or 286/386 (don’t remember), but I remember clearly I had the console off and saw the shadow or ghosts of directory listings of the real-time clock on my TV in Q-DOS (Midnight Commander deal) trying to punch through the static. You could argue, well, they were sharing the wall sockets. But I’d be lying if I said I didn’t hear the RTC/BIOS clock ticking through.

            To this day, if you are in remote parts of the world (where Clearchannel isn’t ACTIVELY broadcasting static), you can hear 18-wheeler engines idling while drivers sleep (the engine idle & alternator/spark) with an earbud antenna radio app on your cellphone (use TUNE not SCAN).

            However, if you REALLY want to get blown away, the Eastern Bloc communist parties would use water pipes to eavesdrop in order to find out democratic supporters/anti-regime/non-conformist types. Hence leaving the water running while talking was a popular thing during the old days.

      1. Well, it is a bit absurd. IIRC, they had to really crank the volume to get the back to vibrate enough to pick it up with the laser. Sure, the concept and tech are cool, but let’s not get too carried away in extending the principle.

      2. Typically dismissed by people that are extremely uneducated in physics and acoustics. Honestly anything that requires a basic science education today is dismissed by many people because general education in science subjects is at an all time low in the world.

    1. I love that story.
      And it’s true, I did it to my best friend’s wife and my wife. It was a blast. But I used the kitchen window.
      Like every other Friday they would come over and my wife would go over and help get things ready for supper.
      I had it all set up and we sat there having a ball and playing with their heads when they came back.
      It is so simple to set up and do. Most people could probably get it set up in an hour or two.
      Thanks for the memory

    1. Of course that assumes you can get ‘evil’ code running in the sim. I always wondered what useful information you could tempest-like down a power cable from a flight sim; perhaps simulated secret aircraft performance data?

  1. [David] has his odd and even harmonics mixed up.

    He says: “The 50 Hz power frequency is clearly visible. The odd harmonics of the 50 Hz power signal are only slightly visible, while the even harmonics are also very strong.”
    The image on his page just above that text shows just the opposite: strong odd harmonics (e.g. 150Hz, 250Hz) and weak even harmonics (e.g. 100Hz, 200Hz).

  2. BTW, strong odd and weak even harmonics would be expected if the load was non-linear, but symmetrical about 0.

    In the case of power supply inputs, the symmetry would come from having the load on the output side of a bridge rectifier.
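The odd/even-harmonic point made in the comment above is easy to check numerically. Below is an added example, written for this page and not taken from [Davidl]’s measurements, that runs a one-cycle DFT over three constructed load currents: a resistive load, a bridge-rectifier front end that conducts near both peaks (symmetric about zero), and a single-diode half-wave rectifier (asymmetric). The 0.7 conduction threshold is an assumed value chosen to give a plausible conduction angle, not a measured one.

```python
"""Harmonic content of constructed non-linear loads over one mains cycle.
A load that is symmetric about zero, i(t + T/2) = -i(t), has no even
harmonics; an asymmetric one does.  Illustrative code with assumed
parameters, not measured data."""
import cmath
import math

N = 400            # samples per mains cycle (unit-amplitude voltage)
HARMONICS = 6


def one_cycle(load):
    """Sample load(v) over one cycle of v = sin(theta)."""
    return [load(math.sin(2 * math.pi * n / N)) for n in range(N)]


def resistive(v):
    """Linear load: current proportional to voltage, fundamental only."""
    return v


def full_wave(v, vth=0.7):
    """Bridge rectifier + smoothing capacitor: conducts only when |v| exceeds
    the capacitor voltage vth, and the current sign follows the voltage, so
    the waveform is half-wave symmetric."""
    return math.copysign(max(0.0, abs(v) - vth), v)


def half_wave(v, vth=0.7):
    """Single diode: conducts on positive peaks only, no symmetry."""
    return max(0.0, v - vth)


def harmonic_magnitudes(samples, kmax=HARMONICS):
    """Magnitudes of harmonics 1..kmax, each relative to the fundamental,
    via a direct DFT at the integer-harmonic bins."""
    n = len(samples)
    mags = []
    for k in range(1, kmax + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(samples))
        mags.append(abs(acc) * 2.0 / n)
    return [m / mags[0] for m in mags]


def spectrum(load):
    """{harmonic number: relative magnitude} for a load function."""
    return {k + 1: round(m, 3) for k, m in enumerate(harmonic_magnitudes(one_cycle(load)))}


if __name__ == "__main__":
    for name, load in (("resistive", resistive), ("full-wave", full_wave), ("half-wave", half_wave)):
        print(f"{name:10s}", spectrum(load))
```

Running it prints a spectrum for each load: the resistive load has nothing above the fundamental, the full-wave rectifier shows a strong 3rd and 5th harmonic with the 2nd, 4th and 6th at numerical zero, and the half-wave rectifier puts substantial energy into the 2nd harmonic. That is exactly the pattern the comment predicts, and it is the one to expect from the switch-mode supplies on a typical computer, which is why the odd harmonics dominate in a spectrum of the mains current.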

  3. Several years ago, there was a newspaper article about the level of INsecurity surrounding computer use. When asked how to protect against being compromised when using a computer, the person being interviewed–a computer research scientist from a major engineering school–said something like, “…never, ever use ‘social media’…never, ever get on the internet…only use your computer in a locked concrete bunker with an armed sociopath standing guard outside; even then, understand that your work is NOT secure…”.

    1. Or own a Fortune 500 company; the building and underground parking are pretty much set up for whatever you like.

      Or one more step up the “Empty” commercial building in front of Freddie Mac.

  4. The one thing that is making it so much harder today is that there is so much more electronic interference in the load now, with so many things having electronics in them. It is really causing a lot of problems for us electricians. Breakers are popping for no reason when they are well below load. I told the contractor on one job that we had to call in someone to find what interference on the circuit was causing the problem. This was a 400 amp main breaker that had a lot of really low amperage stuff on it. And the price of a 400 amp breaker is not cheap. It turned out to be a small motor controller in this case. But other times I’ve had power supplies and electronic ballasts.
    Being a good electrician today is not easy. I am still going to school and learning. I’ve never stopped going to school in all of my 35 years. It seems like every year I’m taking a course. Right now I’m retaking motor controllers.

    1. It’s very hard to find good educators; an old vacuum cleaner could really mix up the signalling. Most proper education comes from Industrial Systems courses in post-secondary trade schools. And sadly none of that is covered in any school that offers direct Industrial “Architect” or Engineering degrees.

      Also let it be known Perry isn’t fuzzing standard Hackaday stuff. Most is probably in the Siemens/Fuji/SCADA systems that run ladder logic programming. (These are usually the 10x the price components for extreme temps on the dumbest tech and 3 phase or even 4 phase wiring systems.)

      Sorry Perry, was gonna post a silly infomercial tech clip…(R.I.P.) I tried looking for an old school commercial to post here on how you could “Add a phone jack to any room! for 19.95 + shipping and handling”, and KRON or 20/20 or someone did an investigative report with people calling the company and talking to the customer support AND turning on the hair dryer two rooms/two outlets over…

    2. This sounds like the exact thing Rod Elliott has been predicting for years. Most of his site is dedicated to audio projects, but he set aside an area for rants about the abysmal power factor of CFLs (often 0.5 or worse) and the impact of outlawing transformer wall warts in favour of SMPSs that are more efficient, but also cause problems for the power grid by only taking current at the peaks of the voltage wave.
      http://sound.whsites.net/lamps/index.html

  5. It used to be that only banks, casinos, and certain government infrastructure used intranets. Now a lot of places do it. All the existing attacks require temporary physical access due to RF pollution.

  6. A double-conversion pure-sine UPS used inline would go a long way to preventing this kind of attack. It is essentially like putting a massive cap on the line, which would distort the signal significantly.

  7. If you can get malicious code running on the airgapped system, security is broken anyways. Because if you can get malicious data IN, then you can transport the stolen secret information OUT, using the very same bridge you used to get the malicious data IN.

    Every method that requires a covert “transmitter” on the airgapped system is completely useless for an adversary. If an attack is to be useful, it must work WITHOUT any alterations at all on the airgapped system, OR the attack must work in both ways, e.g. manipulating the target system by, for example, varying the supply voltage so that malicious code is inserted in the airgapped system. (There’s no such attack today, it’s just an “imaginary” attack to understand what’s really required.)

    There are a few attacks that allow for this, for example some systems might leak frequency “noise” out the power line (not consumption, but rather HF noise) that can be tapped and analyzed for example encryption keys.
