Data exfiltrators send info over PCs' power supply cables

If you want your computer to be really secure, disconnect its power cable. So says Mordechai Guri and his team of side-channel sleuths at the Ben-Gurion University of the Negev. The crew have penned a paper titled PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines that explains how attackers could …


  1. handleoclast Silver badge

    Give everybody a laptop

    The batteries ought to even out the current draw sufficiently.

    Maybe. :)

  2. DavidI

    Not a new attack

    Contrary to what the authors conclude in their article, this attack is not new. A year ago it was already documented in the following blog post:

  3. Anonymous Coward


    ..500+ PCs (plus 1000 monitors) connected to a ****ing huge site UPS.

    How the hell do you find the traffic in that haystack?

    Last time I looked, most companies do not have a one-PC-per-external-feed setup.

    Heck, even in a house it's going to be shared with washing machines, microwaves, tumble driers and all other sorts of noisy junk.

  4. EveryTime Silver badge

    Ah, another theoretical but completely improbable attack.

    It sounds reasonable, if you don't actually understand how things work.

    1000 bits per second? By modulating the power draw of a switch-mode power supply? Not a chance.

    Perhaps if you got to design the power supply specifically to transfer the information, had a dedicated transmitter load instead of a computer, and had a noise-free power source you could get some information out. But far, far less than they suggest.

    With a regular power supply, no way. With a normal OS, no way. With regular power line phase noise, no way. With any but the most contrived lab conditions, you get nothing at all.

    Remember, you get no power line phase information. That limits you to 25/30 baud. You expected to modulate the current draw faster than that? On an AC supply, with current nulls? Oh, you were going to use a sophisticated redundant encoding scheme that avoids those. And somehow that modulation gets past the stability control of multiple layers of switching power supplies, which includes noise spreading, power factor correction and common mode filters and uncounted sources of non-linear behavior.

    Assuming that you could transmit any data at all, the OS isn't going to be your friend. It's going to screw you over on scheduling. Your magical too-sophisticated-for-mortals modulation scheme is going to fall apart in the face of timing variations.

    And remember this is a unidirectional channel. You can't tell what the receiver is hearing. You can't adjust your modulation, bit rate, phase, or anything. You can't adjust your redundancy. You can't know to retransmit. That screws over every single one of your worse-than-marginal communication layers.

    On to the physical matters. The receiver wouldn't just clamp around the power cord. It would need to clamp around a single conductor. Which means slicing open the cord, plugging the computer into your receiver, or getting into the electrical box. Not something that would be done unobserved. Yes, you may be able to sense current variations by distorting the power cord and sensing the near field, at the loss of another 10 dB in noise performance. (Hey, Shannon, how much does that cost me?)

  5. PNGuinn
    Black Helicopters

    Let's look at this slightly differently....

    Lots of interesting comments here. I can see that in *some* circumstances it might be possible to access the supply to a single or small number of computer supply feeds via an unsecured supply cable. Not necessarily the switchboard. Cable ducting above ceiling / below floor anyone?

    But let's think around this one for a bit. Assume that you've done some research on your target, you know the topography. In other words, you've likely got someone on the inside. The place has considered security, and they've got all sorts of protections in place, and they think they're secure.

    By definition, that probably means they are not. You've independently "audited" their "security". Something like this might just work. The real problem here, it seems to me, is getting the data OUT into the real world unnoticed. Ok, if your tap is in a relatively unsecured area, that might be easy.

    What you really need to know is what they are currently protecting themselves against, design your tap around it, and either, depending on the amount of data you want, and when the data are available, pull your agent out and tap or tap and then get your agent to remove the tap. Then pull the agent or not as desired. Or live dangerously and leave the tap for later.

    Thought. Have they got power line networking anywhere? Ah, WiFi - must have. Because. Or some such good reason. Or "intelligent" controls ... ah, green .... Would the systems in place notice a little more naughty RF on the power lines? How easy would it be to add something into a PSU case, or on to a mobo, or into the birdsnest behind the epoxied USB ports on the front panel ... in a computer, possibly before delivery or at repair?

    Remember, the biggest security risk is human, and it doesn't need to be situated locally between keyboard and chair.

  6. DeBeep

    fuck, this will never stop...

    back to the forest.....

  7. Anonymous Coward


    Sounds like they will need to rewrite the TEMPEST guidelines to add "Backup battery system"

  8. GIRZiM Bronze badge


    It's just easier to say "This a government spot inspection. I've come about your GDPR. I'm going to plug this device into your server and see how easy it is to extract data from it. Then I shall report back to my department and you'll receive notification of any fines and/or necessary action within twenty-eight working days," flash your gym membership card at them and get down to business, no?

    1. Anonymous Coward

      Re: Surely

      Nah, all you need to do is pitch up at a branch office with a PC under your arm, say "I'm from IT" and, as you say, flash your gym membership card.

      Then connect the PC to the network under a desk somewhere and leave.

      Social engineering red-teaming 101. Succeeds a depressingly large amount of the time.

      1. GIRZiM Bronze badge

        Re: Surely

        > Succeeds a depressingly large amount of the time.

        It does, doesn't it?

  9. jelabarre59 Silver badge

    Frame power ports

    As I remember, there are server racks with remotely-controllable power control units. Years back when working on IBM pSeries systems, the power distribution for the rack actually contained an embedded Linux system, accessible through the rack's own ethernet hub. So there would be remote access to the power system. Of course, then you'd have to know how to program a PPC CPU, and who knows that anymore?

  10. Sandtitz Silver badge

    it's possible

    Considering that (at least) HPE ProLiants have optional PLC-enabled power supplies which provide identification including IP address and host name, they could be hacked to deliver more than just that, since the article assumes that the exfiltration would require a compromised host anyway.

    1. Dawgboy

      Re: it's possible

      Seen this on a Dell M1000 chassis a couple years ago. Hacked the PLC for 2 blades.

  11. Anonymous Coward

    Is this why my Dell laptop complains...

    If I don't use the "official" Dell power adapter?

    1. Anonymous Coward

      Re: Is this why my Dell laptop complains...

      Yes, this is the (shuffle paper) "TEMPEST mitigation secure power system installation standard, aka TEMPSIS". It's done on purpose so that the delicate circuitry isn't contaminated with out-of-specification DC waves that might affect safety, as there is a theoretical risk of low power causing the charging circuits to become unstable. Actually had a near miss here with a similar situation, on a "universal" screw terminal used with a too-small 12V adaptor, and the battery got hot and bulged up like a faulty LiPo cell.

      There's actually a special 3 pin chip and that centre pin is used primarily for this purpose.

  12. Dawgboy

    Ethernet over power is old tech

    I was using Ethernet over power across the 220VAC slip rings at the Palomar Mountain Observatory back in 2009 for all the dome-mounted data acquisition and weather systems, as well as an all-sky camera and UV laser systems. Frankly, I am surprised it took this long for an outgrowth of that old "Homepower" tech to be used in this way. Even back then I was able to get a very solid 700 KBPS in both directions...

    1. TrumpSlurp the Troll Silver badge

      Re: Ethernet over power is old tech

      My first take was that the whole scheme would be much more difficult if there was a "Homeplug" Ethernet running random data between two points on the local power wiring.

      I assume that this low bandwidth connection similar in speed to the old dial up modems would rely on a relatively stable supply (as in relatively noise free phone line) and would have similar problems to trying to use the same phone line for two simultaneous competing modem connections. I do remember that you can share a line between multiple modems if they are aware of this and cooperate.

      Are they selling random mains noise generators by any chance?

      Or special oxygen-free mains cables which only allow pulses to propagate in one direction towards the PSU?

  13. John Doe 6

    A Solid State PSU (a big iron-core transformer with large capacitors, min. 10000 µF) or a good UPS would fix that.
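An added simulation, not code from the PowerHammer paper or from any commenter above, to put numbers on two threads of this discussion: EveryTime's point that the channel is one-way with no feedback (so the sender can only add redundancy blindly, and noise from other loads eats into it), and John Doe 6's point that bulk capacitance in a linear PSU or UPS smooths the current draw. The model assumes a sender that toggles the CPU busy/idle at one of two rates per bit (binary FSK on the power draw), a receiver that runs a Goertzel tone detector on a current trace, a 3x repetition code as the forward redundancy, additive Gaussian noise standing in for other loads, and a first-order RC low-pass standing in for the capacitor. Every rate, frequency and time constant below is an arbitrary simulation parameter, not a figure from the paper.

```python
import math
import random

# Assumed simulation parameters (not values from the PowerHammer paper).
SAMPLE_RATE = 2000        # current-draw samples per second at the receiver
BIT_RATE = 20             # bits per second on the wire
SAMPLES_PER_BIT = SAMPLE_RATE // BIT_RATE
F_ZERO, F_ONE = 100, 200  # Hz: CPU busy/idle toggle rate encoding a 0 or a 1
REPEAT = 3                # repetition code: the only "redundancy" a blind sender can add


def bytes_to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        v = 0
        for bit in bits[i:i + 8]:
            v = (v << 1) | bit
        out.append(v)
    return bytes(out)


def encode_repetition(bits):
    return [b for b in bits for _ in range(REPEAT)]


def decode_repetition(bits):
    # Majority vote over each group of REPEAT received bits.
    return [1 if sum(bits[i:i + REPEAT]) * 2 > REPEAT else 0
            for i in range(0, len(bits) - len(bits) % REPEAT, REPEAT)]


def transmit(bits):
    """Sender model: for each bit, drive the CPU busy (1.0) / idle (0.0) as a
    square wave at F_ONE or F_ZERO Hz for one bit period."""
    trace = []
    for bit in bits:
        f = F_ONE if bit else F_ZERO
        for n in range(SAMPLES_PER_BIT):
            half_periods = (n * 2 * f) // SAMPLE_RATE
            trace.append(1.0 if half_periods % 2 == 0 else 0.0)
    return trace


def channel(trace, noise_std=0.0, rc_tau=0.0, rng=None):
    """Power-line model: a first-order RC low-pass with time constant rc_tau
    seconds (bulk capacitance in the PSU/UPS) plus Gaussian noise from
    other loads sharing the feed. rc_tau=0 passes the draw through unchanged."""
    rng = rng or random.Random(0)
    dt = 1.0 / SAMPLE_RATE
    alpha = 1.0 if rc_tau == 0 else dt / (rc_tau + dt)
    out, y = [], 0.0
    for x in trace:
        y += alpha * (x - y)
        out.append(y + rng.gauss(0.0, noise_std))
    return out


def goertzel(block, f):
    """Power of the tone at f Hz in block (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * f / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def receive(trace):
    """Receiver model: per bit period, strip the average draw and compare the
    energy at the two tones. No feedback path exists to ask for a resend."""
    bits = []
    for i in range(0, len(trace) - len(trace) % SAMPLES_PER_BIT, SAMPLES_PER_BIT):
        block = trace[i:i + SAMPLES_PER_BIT]
        mean = sum(block) / len(block)
        block = [x - mean for x in block]
        bits.append(1 if goertzel(block, F_ONE) > goertzel(block, F_ZERO) else 0)
    return bits


def exfiltrate(data, noise_std=0.0, rc_tau=0.0, seed=0):
    """End to end: bytes -> repetition code -> power draw -> line -> bytes."""
    sent = encode_repetition(bytes_to_bits(data))
    trace = channel(transmit(sent), noise_std, rc_tau, random.Random(seed))
    return bits_to_bytes(decode_repetition(receive(trace)))


def bit_errors(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    secret = b"key=1"  # constructed sample payload
    for label, kw in [("clean", {}),
                      ("noisy feed", {"noise_std": 0.3}),
                      ("noisy feed + 50 ms RC smoothing", {"noise_std": 0.3, "rc_tau": 0.05})]:
        got = exfiltrate(secret, **kw)
        print(f"{label:35s} errors={bit_errors(secret, got)}/{8 * len(secret)}")
```

With the clean line the five bytes arrive intact; with noise of 0.3 (relative to the full busy/idle swing) the 100-sample Goertzel bins still separate the tones comfortably and the repetition code is not even needed; add a 50 ms time constant (roughly 3 Hz cutoff) and the tones are attenuated by a factor of tens before the same noise is added, so the blind majority vote starts returning garbage. Raising the bit rate shortens each detection window and costs SNR the same way, which is the trade-off behind EveryTime's skepticism about the headline rate.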

  14. Anonymous Coward

    Verran AC Datalink

    Who remembers them?

    Was anything patented?

    Does an opportunity for intellectual property rights solicitors exist here?



Biting the hand that feeds IT © 1998–2019