POWER-SUPPLaY Attack Exfiltrates Data by Turning a PC Power Supply Into a Functional Speaker

Security researcher Dr. Mordechai Guri is back with another data exfiltration technique for supposedly air-gapped computers — this time by turning the power supply into a speaker.

High-security computer systems are frequently "air-gapped" — used with no connection to an external network of any kind, and in the most extreme examples even using local battery or generator power to avoid wiring into a power grid. Last month, researchers showcased two techniques for using a computer's fans or its graphics card to broadcast information for exfiltration. Now, there's yet another technique: Using the power supply as a speaker.

Dr. Mordechai Guri, who unveiled the Air-ViBeR attack to turn fans into seismic data broadcasters last month, has published a new paper detailing POWER-SUPPLaY: "A technique that enable attackers leak data acoustically from air-gapped and audio-gapped systems."

"Our developed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities," Guri explains. "The malicious code manipulates the internal switching frequency of the power supply and hence controls the sound waveforms generated from its capacitors and transformers. Our technique enables producing audio tones in a frequency band of 0-24 kHz and playing audio streams (e.g. WAV) from a computer power supply without the need for audio hardware or speakers

"Binary data (files, keylogging, encryption keys, etc.) can be modulated over the acoustic signals and sent to a nearby receiver (e.g. smartphone). We show that our technique works with various types of systems: PC workstations and servers, as well as embedded systems and IoT devices that have no audio hardware at all."

While the process is effective, it's relatively slow and limited to attackers within hearing range: In testing, Guri and colleagues found they could transmit data at a rate of 50 bits per second with successful reception up to two and a half metres (around eight feet) away.

Guri's paper suggests four categories of countermeasure against the attack: Zoning, in which devices capable of receiving the audio signal are banned from areas containing airgapped systems; signal detection, either a host-based intrusion detection system monitors for processes regulating the switching frequency in an abnormal manner or a hardware device which can listen out for unexpected audio signals; jamming by broadcasting a rival audio signal; and signal limiting and blocking using a soundproof enclosure or chassis.

Guri's paper has been published on arXiv.org under open-access terms.