May 6, 2020 | 11:00
Researchers have found a way for PC power supplies to be used to steal data in cyberattacks, and it's a fascinating concept.
Fortunately, the odds of it ever happening to anyone are very slim and the kind of thing you'd see in a blockbuster movie, but it's an intriguing concept. Discovered by the Cyber Security Research Center at Ben-Gurion University, Israel, the team led by Dr Mordechai Guri has been extensively working on how sound can be used to steal data.
Last month, they discovered what is now known as Air-ViBeR, a vulnerability that uses changes in your PC's fan vibrations to retrieve data through a very elaborate process. Via a compromised PC, the fan-speeds are altered with a compromised smartphone then able to convert the noises that different vibrations make into ones and zeroes to then transmit to the web. Obviously, there are some key limitations here. Notably, the compromised smartphone needs to be within listening distance of the PC's fans, and attackers will have to be incredibly selective about the data they steal, lest they want to wait a lifetime for the data to transmit.
POWER-SUPPLaY, as this new attack is known, is just as outlandish yet somehow possible. This one silently transmits data from the ultrasound frequencies put out by a PC power supply. It involves using a piece of malware to alter the system load by changing the CPU workload thereby leading to the power supply changing its ultrasonic frequencies. Again, it requires a smartphone to be within 5m of the target to analyse the results.
Also, the security team has found that the transmission rate of the attack is only 50 bits per second - the equivalent of about 22.5kB per hour - so the only feasible data that could be transmitted is plain text. Even then, we're talking about 10,000 words an hour.
So, it's never going to happen. Probably. But it is a fascinating idea. The thinking is that it could be used to steal data from totally air-gapped systems - those computers that offer no remote data connection or even speakers. Attackers would still need to be in close proximity though and odds are that if they're that close, they're far easier ways to steal data.
Still, it's nice to know that Bond films et al aren't that outlandish sometimes, surely? More details are available from the official paper.
February 19 2021 | 17:15