COVID-bit: New attack can steal data from airgapped PCs

Attackers can listen through walls

The new attack uses EM radiation to steal data

Researchers have developed a new data exfiltration method that could be used to steal information from secure air-gapped systems using electromagnetic waves.

Air-gapped systems are often found in high-risk environments like satellite and military networks and critical infrastructure. Due to the nature of the information these systems handle, they are cut off from the internet.

The idea is that any information stored and processed inside them stays safe from unauthorised access by outsiders, since they are totally removed from both the public-facing internet and the rest of the network.

However, a novel attack method [pdf] known as the COVID-bit attack, developed by Israeli researcher Mordechai Guri at Ben-Gurion University in Beersheba, demonstrates that air-gapped systems can be breached. The method takes advantage of low-frequency electromagnetic radiation produced by the targeted computer.

Guri has already devised different techniques to covertly extract sensitive data from air-gapped devices, including the 'SATAn' and 'ETHERLED' attacks.

The COVID-bit technique relies on having physical access to the target system, to install custom malware on it.

This malware regulates CPU load and core frequency in a specific way, so as to cause an air-gapped computer's power supply to emit low-frequency (0-48 kHz) electromagnetic radiation.

This wave can carry raw data an attacker can capture from up to two metres away, using an antenna connected to a mobile device's 3.5mm audio jack. The attacker can then decode the raw data using software on the receiving device and applying a noise filter.

Guri tried his technique on desktops, a laptop and a Raspberry Pi 3. He found that laptops were the hardest to hack since they didn't produce a powerful enough EM signal, due to their energy-saving features. In addition, receiver distances for effective data transfer were limited on the Raspberry Pi due to the device's weak power supply. However, the vast majority of air-gapped systems run on - at least - a standard desktop PC, so neither of these is necessarily a significant drawback.

The desktops were able to send 500 bits per second (bps) with an error rate of between 0.01% and 0.8%, and 1,000 bps with an error rate of up to 1.78%.

To prevent such attacks, Guri recommends keeping an eye on CPU core usage and watching for unusual loading patterns that don't line up with the way the machine is supposed to behave. However, a main drawback of this countermeasure is that it introduces a data processing overhead that raises energy consumption, in addition to having a high number of false positives.
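One way to implement the load-pattern check described above, as an added example that is not from the article or from Guri's paper: it counts how often each core flips between idle and busy within a window and flags cores above a baseline. The thresholds, the 1 kHz sample rate, the function names and the sample data are assumptions constructed for illustration; where the utilisation samples come from is left to the monitoring agent in use.

```python
# Added example: flag cores whose load flips between idle and busy unusually often.
# Thresholds and sample data are constructed assumptions, not values from the paper.
from typing import Dict, List

LOW, HIGH = 30.0, 70.0      # hysteresis band (percent utilisation), assumed
MAX_TOGGLES_PER_SEC = 20.0  # assumed baseline ceiling for this machine's workload


def toggle_rate(samples: List[float], sample_hz: float) -> float:
    """Return idle<->busy transitions per second, using hysteresis."""
    if len(samples) < 2 or sample_hz <= 0:
        return 0.0
    state = None            # unknown until a sample leaves the band
    toggles = 0
    for value in samples:
        if value >= HIGH:
            new_state = "busy"
        elif value <= LOW:
            new_state = "idle"
        else:
            continue        # inside the band: keep the previous state
        if state is not None and new_state != state:
            toggles += 1
        state = new_state
    duration = len(samples) / sample_hz
    return toggles / duration


def suspicious_cores(per_core: Dict[int, List[float]],
                     sample_hz: float) -> Dict[int, float]:
    """Map core id -> toggle rate for cores above the assumed ceiling."""
    rates = {core: toggle_rate(s, sample_hz) for core, s in per_core.items()}
    return {core: r for core, r in rates.items() if r > MAX_TOGGLES_PER_SEC}


# Constructed one-second windows sampled at 1 kHz (not real measurements).
CONSTRUCTED = {
    0: [5.0] * 400 + [95.0] * 300 + [10.0] * 300,   # one long batch job
    1: [50.0 + (i % 7) for i in range(1000)],       # steady mid load, in band
    2: ([98.0] * 2 + [3.0] * 2) * 250,              # rapid regular on/off
}

if __name__ == "__main__":
    for core, rate in suspicious_cores(CONSTRUCTED, 1000.0).items():
        print(f"core {core}: {rate:.0f} load toggles/s exceeds baseline")
```

The ceiling has to be set from each machine's own normal workload; a value that is too low produces the false positives the article mentions.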

Another defence would be to fix the CPU core frequency at a certain value, which would make the production of the data-carrying signal more difficult. This approach also has a problem - either low CPU performance or excessive energy consumption, depending on the lock frequency used.