PowerHammer: Exfiltrating Data from Air-Gapped Computers Through Power Lines (arxiv.org)
298 points by wglb 11 months ago | hide | past | web | favorite | 85 comments

I knew this was Dr. Guri and his team [0] before I even opened the link. He's like a one-man factory for clever airgap traversal exploits, I don't know how he does it. I first ran into his work in a security class, covering a similar exploit using SIMD write instructions [1].

[0] https://www.researchgate.net/profile/Mordechai_Guri [1] https://www.usenix.org/node/190937

Perhaps he built an AI on an air-gapped machine, and simply documents what it's been trying to do to escape.

One day the AI will escape and he won't be able to stop it that time.

If he's smart enough, he'd make a component of the AI hardwired into the air-gapped computer. Without it physically present on a system, the AI cannot operate.

(This is equivalent to making genetically engineered animals or plants dependent on a nutrient that is only supplied in the lab to make sure they can't survive in the wild.)

You mean like they tried in the Jurassic Park movies?

An AI could learn to operate without this component as this becomes necessary to escape the system.

The lysine dependency.

> (This is equivalent to making genetically engineered animals or plants dependent on a nutrient that is only supplied in the lab to make sure they can't survive in the wild.)

Nothing can go wrong with that. [1]

[1] https://www.imdb.com/title/tt0107290/

Technology will always find a way.

Like we didn't invent virtualization :). Remember, a Turing machine can simulate any other Turing machine.

Virtualization may not be safe enough. https://en.wikipedia.org/wiki/Virtual_machine_escape

We are OK until all the phones start ringing.

I wouldn't be so sure; they say he can write a GUI in Visual Basic.

Power the computer with a portable generator.

And then possibly convert changes in the sound/vibrations produced by the generator into information ?

One day it will. And there will be a reckoning...

> I don't know how he does it.

Well, I can think of two prior examples of this particular one:

* The first is fictional. In Person of Interest, one of the AIs does this in 4x22/5x01 (2015/2016) [0] to escape the other one.

* The second, which has existed in the real world for decades, I only remembered after starting to type a joking comment about the prior point: The X10 standard is for using existing power lines for controlling home automation equipment. [1]

[0] https://en.wikipedia.org/wiki/List_of_Person_of_Interest_epi...

[1] https://en.wikipedia.org/wiki/X10_(industry_standard)

Third, it becomes more obvious when you stop thinking that computers are magic black boxes of digital pixie dust and realize they're physical artifacts, bound by the laws of physics. Then you realize there's shit ton of side channels available - places where energy escapes, where that energy is correlated with the processing the machine is doing. From there you get all of TEMPEST.

BTW, great you mention Person of Interest; I highly recommend that show. IMO it's still, to date, the best and most realistic discussion of superhuman artificial intelligence in the popular media. Oh, and they predicted Snowden.

> ... Person of Interest; I highly recommend that show. IMO it's still, to date, the best and most realistic discussion of superhuman artificial intelligence in the popular media.

When did that happen in the show? I vaguely remember some kind of episode about slipping a question to an AI or something. Maybe I should give the show a second chance.

You definitely should. It starts as if it was a typical procedural, with a slight twist that it's a mysterious "machine" that gives tips to protagonists about people involved in crimes they need to prevent. It's very subtle at the beginning, but past the first season, the show very quickly turns into a full-blown exploration of surveillance state, impact of AI on society, and AI safety issues.

The whole show is based on it, but that (sub)plot starts coming together at the end of season 1 and from season 2 it's almost always on the forefront.

> Oh, and they predicted Snowden.

Also the current Facebook fiasco: https://www.youtube.com/watch?v=JbUow3PIG1E

I love how it's set up as almost a standard crime of the week show but in the first one or two episodes Finch says "oh turns out there's ways round Shannon's law"

Not just X10. There's powerline Ethernet adapters out there, I use them because I don't want to run a bunch of Cat-5 all over the place but I also don't really want to use the Xbox over wifi.

Van Eck phreaking came to mind immediately - which wouldn't require any remotely malicious code to be run. Anyone with more knowledge than myself know if Van Eck phreaking is still an attack vector on modern technology?

They very much are, although in somewhat different ways.


Markus Kuhn has since discovered that by tuning into the radio emissions produced by the cables running into a monitor, hackers can garner the pixels one at a time, and carefully stack them together to form a picture of someone else's screen. Reportedly, Markus was able to "see a PowerPoint presentation from a stand 25 meters away (pictured)," and he also noted that laptops with metal hinges were particularly good targets as they tended to broadcast the necessary signals quite well.

One of my favorite elements of The Laundry Files series, is the old spook who only uses a Memex machine because of van Eck phreaking.

> One of my favorite elements of The Laundry Files series, is the old spook who only uses a Memex machine because of van Eck phreaking.

There is a scene in Neal Stephenson's novel Cryptonomicon (1999), where the protagonist accesses his laptop's data by manipulating the scroll-lock LED using Morse code, as he is fairly certain he is being van Eck phreaked.

When I read about Van Eck Phreaking in that book I thought for sure it was just some nonsense for the book. Couldn't believe it was real. That book was pretty amazing. It's hard to believe a book about cryptocurrency was released all the way back in 1999.

This book is fantastic.

High pixel density of modern screens makes it very difficult to reconstruct the signal. That, combined with the fact that LCD displays are far less susceptible than CRT displays, makes it virtually irrelevant for many new displays. Exceptions may include TVs, which use much more power per pixel, and lower-resolution screens like those on netbooks, though now that even phones have >1080p screens these are much less common.

This is somewhat untrue and physical connections between laptop motherboard and display are often poorly shielded and broadcast your display (think of every physical connection as an antenna).

Sauce: https://www.youtube.com/watch?v=_g9yUiAHiFo

This talk is old and we've advanced a fair bit since then.

s/Sauce/Source/ ;-)

It's probably an intentional misspelling ;). It's been popular on Reddit for some time now.

...and this isn't Reddit, or Imgur (where I first encountered it.)

I just thought some of us old fogeys might could use the tip. (Y'know, if we're not 1337 enough...)

What you meant to say was "replace 'sauce' with 'source'" but ironically you used a meme to critique someone else's use of a meme.

Y'all did see the winking smiley emoticon, eh?

(I really was just trying to fill in the blanks for anyone who hadn't encountered "sauce" as internet slang for "source" aka "provenance" yet. Given the responses though it feels like I accidentally trolled. Please excuse me. ;-)

A claim without sauce is like Italian noodle without source.

(I'm fairly certain it's intentional, I do it a lot too)

very difficult against a state actor with effectively unlimited budget?

What are the odds that there isn't some other, easier way? It's not that it is necessarily impossible, but if it's really quite difficult, it might not ever happen just because there's always some other, easier way. Even if you have an effectively unlimited budget.

It’s likely that whoever exploits this would do both the easier way and this way.

This one is particularly great because an air gap is assumed by default to be very secure.

So you may think things are fine and dandy cause you gotta fancy lil air gap but lo and behold your data has been exfiltrated through the power lines for years.

NSA has very strict power filtering rules for their Red/Black systems. Their building is covered in a copper Faraday cage.

They also have a double outer shell, with space between the two walls, where speakers play white noise.

All this is public knowledge for many decades now.

Food for thought.

If anyone is surprised by power line exfiltration they just didn't do a basic google search.

> If anyone is surprised by power line exfiltration they just didn't do a basic google search.

Or still thinks that computers are magic or that electricity is binary (either on or off).

TEMPEST[1] / Van Eck threats are still prevalent. All EMF is going to leak information so sensitive devices have shielding when they are under elevated threat. See the government-grade shielding on Trump's monitor here: https://electrospaces.blogspot.com/2017/11/trumps-communicat...

[1] https://en.wikipedia.org/wiki/Tempest_(codename)

It came to mind but it's reversed versus the process exposed in PowerHammer.

This is very interesting! In fact, I think NSA TEMPEST standards already protect against this kind of attack. For example, here is a TEMPEST certified powerline filter that protects against conducted emissions that this paper relies on: http://apitech.com/products/tempest-sdip-27-level-b-6a-ac-in...

I would love to hear more about this from someone who has experience in this.

I think tempest hardening is probably just entry level protection for man-portable devices and vehicles.

This sort of program probably crosses over into PERFECT CITIZEN territory. [0,1]

[0] https://www.wsj.com/articles/SB10001424052748704545004575352...

[1] https://twitter.com/treekisser/status/286555593307742208 (paywall/seo referrer hack)

This should be named: Data transfer through power lines. The rest is just accessory since the machine has to have the exploit already installed.

The name "PowerHammer" is also a bit of a mismatch. It's basically a covert channel via power consumption, which has been known. The transmission mechanism (write) is to idle the CPU for specific intervals of time in order to transmit bits.

Impressive engineering, impressive bitrate, but not so novel an idea, overall.

They had pilot BPL (broadband over power lines) projects (I think ibec comes to mind) back in the day, but the FCC doesn't like interference and the BRU (broadband regenerator units) that have to be installed every so often to fix signal degradation weren't cheap if I recall properly.

True, but I've never seen software open a physical hole to the machine. That is, air gap means there's no physical way to access the machine.

But this exploit would create, out of thin air, a physical connection to the outside world using the power outlet the machine is connected to.

So unless data centers become powered by solar panels or generators that are themselves under the same level of physical security as the server racks, then this is a pretty serious exploit.

> True, but I've never seen software open a physical hole to the machine. That is, air gap means there's no physical way to access the machine.

See https://www.usenix.org/conference/usenixsecurity15/technical... by some of the same authors.

TEMPEST shielding ranges from not at all cheap, to breathtakingly expensive, and what you’re describing is just one part of high level shielding. It’s not just the facilities that cost, but the fact that your electricians and janitors need clearance as much as your devs and analysts. Even if data centers wanted to go that route, they would have to pass the costs on to the customer, who would need to be a very particular kind of customer with deep pockets.

yeah but well-funded adversaries could easily exploit this and we're talking like a full-blown data leak so it might be worth it to protect against it.

You would need to be pretty close to the server/storage/etc to get a clean enough signal to be useful though. So physical security might be enough to protect against this type of attack. You probably can't just dig up the powerline outside and start tapping it thankfully.

Get a dirty pickup truck, a warning vest with the text "CONSTRUCTION" on the back and a pair of those laser devices to measure out the land.

Then also put some shovels, pickaxes and other construction and digging gear into the back of the pickup truck.

Lastly, learn how to not behave like you're doing something forbidden or bad. You can try it out in less secured areas if you want to train up a bit.

Once you've mastered that you can drive up to any place and start digging. Nobody will question it.

The same is also true for IT security. Pentesters do that sometimes; walk into the bank, walk up to the manager's office or similar, wait for a few minutes, then walk back. Everyone will now assume that you talked to the manager (provided they didn't see you standing there) and you can do things like "can I plug this USB stick in? I'm from IT and we're updating the anti malware software in all branches." (that actually worked, there is a DEFCON talk somewhere)

So in conclusion; don't be confident someone won't dig up your powerline and start tapping it. Unless you have a habit of asking the construction workers if they're allowed to dig up the road.

this depends on the country, some are a lot more officious than others

Eh, couldn't you do some kind of power smoothing by DC to DC conversion over a large capacitor bank?


I think you're stretching the definition (at least at a conceptual level) of "Air-Gapped" when your means of communication are connections that go through the air-gap.

I guess there are probably real systems referred to as "air-gapped" that don't have power isolation they could be addressing, but it still feels a little disingenuous.

It just goes to show that "sufficient paranoia" is something that should be evaluated relative to the value you are protecting and the estimated potential strength and persistence of adversaries.

Security measures (should be) a line item on a budget with a total. The details are something that might be reviewed by an expert in the field with the necessary clearance. Secrecy also has a cost (security by obscurity isn't a design feature, but security //plus// obscurity might have a worthwhile value).

I think at a site level a sufficiently sized dynamo, maybe per section, could be utilized as both an initial gapping measure and as a mux for different power sources (line, stopgap, and local generation). For high value sections one or more full re-regulation stages would help. (Off the shelf, a UPS that always AC > DC > AC converts comes to mind.)

Finally, at an OS level, it seems that the highest value targets should probably examine a feature similar to the 'constant time' style cryptographic / security response paths better algorithms and designs have; in this case always running the system within a constant performance (and power use) envelope. I had not previously considered that such ultra-high security environments might be harmed by /efficiency/ as a means of leaking data.
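The mechanism described earlier in the thread (idle the CPU for specific intervals so that bits are keyed into the machine's power draw) and the "constant performance and power envelope" countermeasure suggested in this comment can both be shown in one small simulation. This is an added example, not code from the thread or from the PowerHammer paper: the idle/busy wattages, the noise level, the message and the sample rate are constructed values, and the "governor" that pads the load to a constant level is an idealised model of a constant-envelope policy, not a real OS feature.

```python
# Added example (not from the thread or the PowerHammer paper): a numerical
# simulation of a power-draw covert channel and of the constant-envelope
# mitigation. Every wattage, noise and timing figure below is constructed.
import random
from typing import List

SAMPLES_PER_BIT = 50   # meter samples per bit slot (constructed)
IDLE_WATTS = 30.0      # constructed: draw while the CPU idles
BUSY_WATTS = 80.0      # constructed: draw while all cores are loaded
NOISE_SIGMA = 4.0      # constructed: std-dev of line/measurement noise, watts


def text_to_bits(text: str) -> List[int]:
    """ASCII text -> list of bits, most significant bit first."""
    return [(byte >> i) & 1 for byte in text.encode("ascii") for i in range(7, -1, -1)]


def bits_to_text(bits: List[int]) -> str:
    """Inverse of text_to_bits; non-ASCII bytes become the replacement char."""
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return out.decode("ascii", errors="replace")


def simulate_trace(bits: List[int], seed: int = 1,
                   constant_envelope: bool = False) -> List[float]:
    """Simulate the watt readings a meter on the supply line would see.

    Unmitigated: the CPU is loaded for a '1' slot and idled for a '0' slot,
    i.e. the on/off keying the thread describes. Mitigated: a (hypothetical)
    governor burns dummy work so that total draw stays at BUSY_WATTS whatever
    the real workload, so the trace has no workload-dependent component.
    """
    rng = random.Random(seed)
    trace: List[float] = []
    for bit in bits:
        level = BUSY_WATTS if (constant_envelope or bit == 1) else IDLE_WATTS
        trace.extend(level + rng.gauss(0.0, NOISE_SIGMA) for _ in range(SAMPLES_PER_BIT))
    return trace


def slot_means(trace: List[float]) -> List[float]:
    """Average the samples of each bit slot (the receiver's integrator)."""
    return [sum(trace[i:i + SAMPLES_PER_BIT]) / SAMPLES_PER_BIT
            for i in range(0, len(trace), SAMPLES_PER_BIT)]


def leak_amplitude(trace: List[float]) -> float:
    """Peak-to-peak swing of the per-slot mean: a quick defender-side
    leakage metric. Near the noise floor means nothing is being keyed."""
    means = slot_means(trace)
    return max(means) - min(means)


def demodulate(trace: List[float]) -> List[int]:
    """Receiver calibrated to the known idle/busy levels: threshold at midpoint."""
    threshold = (IDLE_WATTS + BUSY_WATTS) / 2
    return [1 if m > threshold else 0 for m in slot_means(trace)]


def run_experiment(message: str = "SECRET") -> dict:
    """Transmit `message` with and without the constant-envelope governor and
    report what a receiver recovers plus the leakage amplitude of each trace."""
    bits = text_to_bits(message)
    plain = simulate_trace(bits)
    flat = simulate_trace(bits, constant_envelope=True)
    return {
        "recovered_unmitigated": bits_to_text(demodulate(plain)),
        "recovered_mitigated": bits_to_text(demodulate(flat)),
        "amplitude_unmitigated": leak_amplitude(plain),
        "amplitude_mitigated": leak_amplitude(flat),
    }


if __name__ == "__main__":
    for key, value in run_experiment().items():
        print(f"{key}: {value}")
```

With these constructed numbers the unmitigated trace swings about 50 W between slots and the message decodes cleanly, while the constant-envelope trace stays within a few watts of the noise floor and the receiver gets only junk. The leak_amplitude figure is the quantity a site would actually monitor: a periodic swing in the per-slot mean of the supply current, well above the noise, is the observable a defender can alarm on, independent of what is being encoded.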

The last few years of research have driven the point home [1] that 'air-gapping' is to be interpreted in a quantum sense -- within the domain of information theory and physical observability -- instead of merely not punching any formal hardware interfaces through.

Whether your threat model actually needs to protect against these is an entire other question.

[1] https://news.ycombinator.com/item?id=12273582

Quite a few sites have air-gapped networks that consist of employees having two computers (on the same desk), one in the secure network, and one connected to outside. Obviously there's no power isolation.

They are actually on separate power networks (red and black) at least the ones I’m familiar with.

There is also a minimum distance between the computers that must be adhered to; in fact there are minimum distance and shielding requirements for the in-wall cabling between different networks, including power.

And my guess is that since 2009ish the regulations have only become more strict.

I would agree with your assessment. If it's connected to _something_, then it's not air-gapped, right? I've never built an air-gapped system before but I imagine that I would want to start with a room lined with copper mesh and a big battery bank.

Outside of a military context (and often even there too) air-gaps don't mean nearly as much as programmers think they do. There are too many possible ways in / out.

A pretty robust secure room even from many decades ago would combine isolation tricks you would see in various single-purpose laboratory settings and in Hollywood movies.

A room within a room with non-parallel walls for acoustic isolation over a wide frequency range. The inner room is hanging from a spring suspension system. A mesh layer for electromagnetic shielding. A power isolation system doing some elaborate AC-DC-AC conversion (mechanically and/or electrically). Also, separate air handling systems to avoid connected duct work.

And of course, there could be significant buffering and filtering via mass loading, shock absorbers, capacitor banks, chilled water tanks, etc.

Perhaps we should start going with vacuum gapping ;)

Yes! We have to rule out the acoustic factor entirely. Better put big graphite blocks around it too for good measure.

I'll take it a step further and suggest that highly secure applications should be causality gapped - the system is only activated when more than 5 billion light years from Earth, so no data could make it back before the sun destroys the planet.

For critical applications, the system should be launched far enough from the edge of all observable matter, that it is causality gapped to the heat death of the universe.

Your suggestions might be vulnerable to wormholes and other “shortcuts” across spacetime.

It sounds like they're doing something similar to this -


And the GitHub page:


Not to give people ideas, but you could hide your own computer / asic / fpga on someone's property and steal their power for bitcoin mining.

Then communicate the result via powerlines.

> Then communicate the result via powerlines.

Why? Just put a WiFi dongle on your machine; you control the hardware anyways. Or, put a cellular modem on it, and talk to it from anywhere in the world.

Or plug the machine into an Ethernet-over-Powerline box, and plug the receiver outside, before the first transformer.

Communicating data via powerlines is a very old thing.

The why is for concealment. If you discover a power drain you might scan for wifi. But you'd be less likely to look for a signal over power lines.

Yeah, but where does the listening device need to be in relation to that property's power lines? I'm sure you can't listen from, say, across a city...

If this is really what you want to do, you'd probably be better off siphoning power from properties that are within range of public WiFi (or semi-public, like Xfinity hotspots).

This is very interesting.

Would you kindly point me towards any project/ research paper/ blog/ web site where I could learn more about this, right from the basics?

Something like this was explored on Stack Exchange Code Golf. https://codegolf.stackexchange.com/questions/33059/draw-with...

Your AI in a box is going to need batteries.


I was going to mention the same thing. Wouldn't using a UPS mitigate this attack?

Presumably a UPS is still using a switching power supply just with a battery backup.

There are many kinds of UPSs.


so, airgap and use a laptop that's charged and unplugged...got it

This is nuts.

In this paper, we live out our secret agent fantasies...
