Following reports from The Daily Swig, it was found that a security researcher has developed an leftfield technique for extracting data from air-gapped systems that relies on hacking power supplies. The Mission Impossible-style approach, dubbed ‘POWER-SUPPLaY’, relies on creating an acoustic covert channel by turning a PC’s power supplies into speakers. The technique, developed by Israeli security researcher Dr Mordechai Guri, is capable of working on secure air-gapped PCs, even in cases where the owners have taken the extra precaution of disabling audio hardware and forbidding the use of loudspeakers. Providing attackers can first get the POWER-SUPPLaY malware onto the hardware then servers, PCs and IoT devices might still leak data – even if cases where they are both air-gapped and audio-gapped, as Dr Guri explains in a paper. “Our developed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities,” the researcher explains. “The malicious code manipulates the internal ‘switching frequency’ of the power supply and hence controls the sound waveforms generated from its capacitors and transformers.”
This is again very niche, and an impractical, hack. There is no using of this as a means of bidirectional communication, and someone would still need to place other units, devices or infections into the area which would read the results, listen on the audio and so on. It carries a novelty value. The practical value is still, for pretty much every organisation in the world, less serious than the risks imparted by users reading email. It does not take away in anyway the novelty value of the research, but it is for almost every application a novelty.