research-article
Open Access

Your Noise, My Signal: Exploiting Switching Noise for Stealthy Data Exfiltration from Desktop Computers

Published: 27 May 2020

Abstract

Attacks based on power analysis have long existed and been studied, with some recent works focusing on data exfiltration from victim systems without using conventional communications (e.g., WiFi). Nonetheless, prior works typically rely on intrusive direct power measurement, either by implanting meters in the power outlet or by tapping into the power cable, thus jeopardizing the stealthiness of the attacks. In this paper, we propose NoDE (Noise for Data Exfiltration), a new system for stealthy data exfiltration from enterprise desktop computers. Specifically, NoDE achieves data exfiltration over a building's power network by exploiting high-frequency voltage ripples (i.e., switching noises) generated by power factor correction circuits built into today's computers. Located at a distance and even in a different room, the receiver can non-intrusively measure the voltage of a power outlet to capture the high-frequency switching noises for online information decoding without supervised training/learning. To evaluate NoDE, we run experiments on seven different computers from top vendors, using top-brand power supply units. Our results show that for a single transmitter, NoDE achieves a rate of up to 28.48 bits/second at a distance of 90 feet (27.4 meters) without line of sight, demonstrating a practically stealthy threat. Based on the orthogonality of switching noise frequencies of different computers, we also demonstrate simultaneous data exfiltration from four computers using only one receiver. Finally, we present a few possible defenses, such as installing noise filters, and discuss their limitations.

