PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines

TL;DR

PowerHammer demonstrates a novel method of exfiltrating data from air-gapped computers by modulating power line fluctuations, achieving covert communication at significant bit rates through electrical outlets and panels.

Contribution

This paper introduces PowerHammer, a new malware technique that exploits power line emissions to covertly transmit data from air-gapped systems, including detailed attack models and countermeasures.

Findings

Data exfiltration at 1000 bits/sec via line level attack

Data exfiltration at 10 bits/sec via phase level attack

Effective countermeasures reduce covert channel effectiveness

Abstract

In this paper we provide an implementation, evaluation, and analysis of PowerHammer, a malware (bridgeware [1]) that uses power lines to exfiltrate data from air-gapped computers. In this case, a malicious code running on a compromised computer can control the power consumption of the system by intentionally regulating the CPU utilization. Data is modulated, encoded, and transmitted on top of the current flow fluctuations, and then it is conducted and propagated through the power lines. This phenomena is known as a 'conducted emission'. We present two versions of the attack. Line level powerhammering: In this attack, the attacker taps the in-home power lines1 that are directly attached to the electrical outlet. Phase level power-hammering: In this attack, the attacker taps the power lines at the phase level, in the main electrical service panel. In both versions of the attack, the attacker measures the emission conducted and then decodes the exfiltrated data. We describe the adversarial attack model and present modulations and encoding schemes along with a transmission protocol. We evaluate the covert channel in different scenarios and discuss signal-to-noise (SNR), signal processing, and forms of interference. We also present a set of defensive countermeasures. Our results show that binary data can be covertly exfiltrated from air-gapped computers through the power lines at bit rates of 1000 bit/sec for the line level power-hammering attack and 10 bit/sec for the phase level power-hammering attack.