Abstract
Attacks based on power analysis have long existed and been studied, with some recent work focusing on data exfiltration from victim systems without using conventional communications (e.g., WiFi). Nonetheless, prior works typically rely on intrusive direct power measurement, either by implanting meters in the power outlet or by tapping into the power cable, thus jeopardizing the stealthiness of attacks. In this paper, we propose NoDE (Noise for Data Exfiltration), a new system for stealthy data exfiltration from enterprise desktop computers. Specifically, NoDE achieves data exfiltration over a building's power network by exploiting high-frequency voltage ripples (i.e., switching noises) generated by power factor correction circuits built into today's computers. Located at a distance and even in a different room, the receiver can non-intrusively measure the voltage of a power outlet to capture the high-frequency switching noises for online information decoding without supervised training/learning. To evaluate NoDE, we run experiments on seven different computers from top vendors, using top-brand power supply units. Our results show that for a single transmitter, NoDE achieves a rate of up to 28.48 bits/second at a distance of 90 feet (27.4 meters) without line of sight, demonstrating a practically stealthy threat. Based on the orthogonality of switching noise frequencies of different computers, we also demonstrate simultaneous data exfiltration from four computers using only one receiver. Finally, we present a few possible defenses, such as installing noise filters, and discuss their limitations.
Your Noise, My Signal: Exploiting Switching Noise for Stealthy Data Exfiltration from Desktop Computers