Hacking Power Supplies Allows Data To Be Lifted From Air-gapped Systems – Expert Reaction

Following reports from The Daily Swig, it was found that a security researcher has developed an leftfield technique for extracting data from air-gapped systems that relies on hacking power supplies. The Mission Impossible-style approach, dubbed ‘POWER-SUPPLaY’, relies on creating an acoustic covert channel by turning a PC’s power supplies into speakers. The technique, developed by Israeli security researcher Dr Mordechai Guri, is capable of working on secure air-gapped PCs, even in cases where the owners have taken the extra precaution of disabling audio hardware and forbidding the use of loudspeakers. Providing attackers can first get the POWER-SUPPLaY malware onto the hardware then servers, PCs and IoT devices might still leak data – even if cases where they are both air-gapped and audio-gapped, as Dr Guri explains in a paper. “Our developed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities,” the researcher explains. “The malicious code manipulates the internal ‘switching frequency’ of the power supply and hence controls the sound waveforms generated from its capacitors and transformers.”

Experts Comments

May 08, 2020
Martin Jartelius
CSO
Outpost24
This is again very niche, and an impractical, hack. There is no using of this as a means of bidirectional communication, and someone would still need to place other units, devices or infections into the area which would read the results, listen on the audio and so on. It carries a novelty value. The practical value is still, for pretty much every organisation in the world, less serious than the risks imparted by users reading email. It does not take away in anyway the novelty value of the.....Read More
This is again very niche, and an impractical, hack. There is no using of this as a means of bidirectional communication, and someone would still need to place other units, devices or infections into the area which would read the results, listen on the audio and so on. It carries a novelty value. The practical value is still, for pretty much every organisation in the world, less serious than the risks imparted by users reading email. It does not take away in anyway the novelty value of the research, but it is for almost every application a novelty.  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Share on facebook
Share on twitter
Share on linkedin

Recent Posts

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts