Bad News: Researchers Have Discovered Malware That Steals Data Via Power Lines


Power lines. Image credit: Pok Rie, CC0 Public Domain

Most computer users are familiar with malware that infiltrates their machines when they download something or use the Internet.

A machine infected with malware can then cause annoying popups and redirects or otherwise make applications like browsers behave strangely.

However, some malware does things that are much more severe than compromising browsing experiences. It can steal data and sometimes even grab bank account details. It’s getting more advanced, too.

Researchers from Israel’s Ben-Gurion University of the Negev, led by Mordechai Guri, built malware that uses a building’s power lines to carry data out of air-gapped computers.

Air-gapped computers are physically isolated from the Internet and from any external network, which is why organizations with higher-than-average security requirements use them to hold their most sensitive material.

Attacks that used infected flash drives have already shown that the isolation can be breached. This latest work suggests that even where no network exists, data can still get out, because every machine has a power cable.

How Does the Malware Work?

The research team named this kind of malware PowerHammer. The name fits: the malware controls the load on the computer’s CPU cores, and with it the amount of current the machine draws from the electrical network. Switching a busy loop on and off at a chosen rate turns the machine’s power draw into a signal that travels along its power cable.

The loop can be throttled so that ongoing user work is not noticeably slowed. The transmitting code also needs no administrator privileges and no special access to hardware; all it does is burn CPU time, which is not something a conventional malware scanner treats as suspicious on its own.

Two things have to happen. First, the air-gapped machine must already be infected by some other route, for example an infected flash drive, a compromised supply chain or an insider; PowerHammer is a way to get data out, not a way in. Second, the attacker needs a physical tap for the receiver: either on the power cable of the targeted machine (the line-level attack) or on the feed for a whole phase, which means reaching the electrical switchboard panel of the building (the phase-level attack).

The malware then reads the data it is after, such as passwords, files and credential tokens, and encodes it bit by bit into changes in the machine’s power consumption.

Normally a computer’s power draw varies with whatever it happens to be doing. PowerHammer imposes a deliberate pattern on those fluctuations, and the receiver attached to the line measures the current, picks the pattern out and decodes the bits. The receiver is a small device that can store what it decodes or relay it onward to the attacker, for example over Wi-Fi.

It’s worth noting the researchers report that the technique works on desktop computers and servers, and on IoT devices as well.

They also note that social engineering is a likely route for the initial infection, for instance by persuading someone to plug in a prepared flash drive. Organizations that take security seriously already have controls for ransomware and for employees divulging information that should stay private.

This research is a reminder that a single successful deception can open a channel those controls do not cover, and that social engineering remains the cheapest way for attackers to get the access they need.

The reality is that attackers don’t always behave as expected. For a long period, for example, Apple computers seemed almost immune to malware.

That was not because they were more secure. Macs were a much smaller market segment than Windows PCs, so attackers found it more lucrative to concentrate on the Windows operating system.

That has changed: attackers no longer consider Macs beneath their notice. One Mac malware family, FruitFly, may have been infecting machines for more than a decade before it was found.

A Hack Achieved With Basic Equipment

Perhaps the most alarming part of PowerHammer is how little equipment the receiving end needs: a split-core current transformer, the kind of clamp-on probe electricians use to measure current without cutting a wire, plus something to digitize and process its output. The malware on the target does the rest.

The probe clamps around the power cable (or around the phase feed at the panel) and responds to the magnetic field surrounding the conductor: the changing current in the line induces a proportional current in the probe’s winding, so the probe reads the machine’s current draw without any electrical contact.

The receiver digitizes that reading, filters it and looks for the tones the malware keys into the power draw, then decodes the bits. Tapping the power cable of the targeted machine itself allowed transmission at about 1,000 bits per second. The phase-level attack is far slower, around 10 bits per second, because the signal is measured only after every other load on that phase has been added in.
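The channel described above, a busy loop keyed on and off to shape the machine’s power draw and read back through a clamp probe, as an added simulation in Python. This is example code written for this article, not the Ben-Gurion team’s code: the sample rate, the two tones, the frame layout (preamble, length byte, payload, CRC-8), the current figures and the noise level are all assumptions, and the receiver is assumed to be bit-synchronised. The transmitter side produces the on/off pattern a real implementation would drive with CPU load; the receiver side does the tone detection a real probe’s software would have to perform.

```python
"""Simulation of a PowerHammer-style channel: data keyed into CPU load and read
back from the current a clamp probe sees on the power cable. Added example, not
the Ben-Gurion team's code; rates, tones, frame layout and currents are assumed."""
import math
import random

SAMPLE_RATE = 4000                          # probe samples per second (assumed)
BIT_RATE = 10                               # bits per second, phase-level class of speed
SAMPLES_PER_BIT = SAMPLE_RATE // BIT_RATE   # 400: whole cycles of both tones
F0, F1 = 80, 160                            # B-FSK tones (Hz), off 50/60 Hz mains harmonics
IDLE_CURRENT, LOAD_CURRENT, NOISE_SIGMA = 0.50, 0.25, 0.10   # amperes (assumed)
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]

def crc8(data: bytes) -> int:
    """CRC-8 (poly 0x07, init 0) used as the frame check."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def bits_of(data: bytes) -> list:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def bytes_of(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def build_frame(payload: bytes) -> list:
    """Preamble, one-byte length, payload, CRC-8: the bits the busy loop keys."""
    assert len(payload) < 256
    return (PREAMBLE + bits_of(bytes([len(payload)])) + bits_of(payload)
            + bits_of(bytes([crc8(payload)])))

def modulate(frame_bits: list) -> list:
    """Transmitter: switch a CPU busy loop on/off at F0 for a 0 bit, F1 for a 1 bit.
    Returns one 'loop running' flag per probe sample (integer phase keeps it exact)."""
    load, n = [], 0
    for bit in frame_bits:
        f = F1 if bit else F0
        for _ in range(SAMPLES_PER_BIT):
            load.append(1 if (f * n) % SAMPLE_RATE < SAMPLE_RATE // 2 else 0)
            n += 1
    return load

def simulate_probe(load: list, seed: int = 1) -> list:
    """What a current transformer on the cable reads: idle draw, the loop's
    extra draw and measurement noise (constructed, seeded)."""
    rng = random.Random(seed)
    return [IDLE_CURRENT + LOAD_CURRENT * on + rng.gauss(0.0, NOISE_SIGMA) for on in load]

def goertzel_power(samples: list, freq: float) -> float:
    """Energy of `samples` at `freq` (single-bin DFT)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def demodulate(current: list) -> list:
    """Receiver: per bit period, pick the tone with more energy. Assumes bit
    synchronisation; a real receiver would lock onto the preamble."""
    bits = []
    for i in range(0, len(current) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        window = current[i:i + SAMPLES_PER_BIT]
        mean = sum(window) / len(window)
        centred = [x - mean for x in window]
        bits.append(1 if goertzel_power(centred, F1) > goertzel_power(centred, F0) else 0)
    return bits

def parse_frame(bits: list):
    """Locate the preamble and return the payload if its CRC checks out."""
    for start in range(0, len(bits) - 15):
        if bits[start:start + 8] != PREAMBLE:
            continue
        length = bytes_of(bits[start + 8:start + 16])[0]
        body = bits[start + 16:start + 16 + 8 * length + 8]
        if len(body) < 8 * length + 8:
            continue
        payload = bytes_of(body[:8 * length])
        if bytes_of(body[8 * length:])[0] == crc8(payload):
            return payload
    return None

def channel_seconds(payload: bytes) -> float:
    """Air time of one frame: the price of a 10 bit/s channel."""
    return len(build_frame(payload)) / BIT_RATE

def end_to_end(payload: bytes, seed: int = 1):
    """Key `payload` into simulated power draw, then recover it from the probe."""
    return parse_frame(demodulate(simulate_probe(modulate(build_frame(payload)), seed)))

if __name__ == "__main__":
    secret = b"token=hunter2"
    print(end_to_end(secret), f"after {channel_seconds(secret)} s on the wire")
```

The two tones are chosen so that each is a whole number of cycles per bit, which makes the Goertzel bins exact, and so that neither sits on a 50 or 60 Hz mains harmonic. Even at the generous assumptions here, a 13-byte token takes 12.8 seconds of air time at 10 bits per second, which is why the phase-level attack is only practical for small secrets.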

The Researchers’ Recommendations for PowerHammer Prevention

On a positive note, at least this malware came about in a controlled environment overseen by researchers and wasn’t discovered after it had already affected some victims. The team behind the PowerHammer malware devoted a section of the associated research paper to preventive measures.

They suggest continuously monitoring the current on the power lines and investigating deviations from the normal pattern, a practical option for businesses.

They also raise signal jamming, either hardware that injects noise onto the line or software that runs random background workloads on the protected machines, so that the modulation is buried and the transmission fails.

Host-based intrusion detection could help too: monitor the power consumed by the CPU and look for running processes whose power use follows a regular pattern. The researchers warn, however, that ordinary workloads also vary CPU usage, so this approach would likely produce a high rate of false alarms.
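The power line monitoring suggested above, together with the false-alarm caveat, as an added Python example written for this article (not the researchers’ code). It treats the monitored quantity as a power-draw reading sampled at 4 kHz and flags windows in which one narrowband component dominates the band, skipping mains harmonics; the sample rate, band, thresholds and the three constructed traces (a bursty job, a PowerHammer-style keyed load and a benign 90 Hz polling loop) are all assumptions. The third trace is the caveat: a legitimately periodic workload looks the same to the monitor.

```python
"""Power-line monitor after the researchers' first countermeasure: sample the
machine's power draw and flag deviations that look like a keyed signal.
Added example, not the paper's code. Sampling rate, window, band, thresholds
and all three constructed traces are this example's assumptions."""
import math
import random

SAMPLE_RATE = 4000            # samples/s of a power-draw reading, not raw AC
WINDOW = 400                  # 0.1 s windows, so bins are 10 Hz apart
MAINS_HZ = 50                 # assumed mains; its harmonics (ripple) are skipped
BAND_HZ = (70, 1000)          # band inspected; ordinary load steps live below it
PROMINENCE = 50.0             # peak-to-median ratio that marks a window as tonal
TONAL_FRACTION = 0.5          # share of tonal windows that raises an alert
HZ_PER_BIN = SAMPLE_RATE // WINDOW
_TWIDDLE = [(math.cos(2 * math.pi * m / WINDOW), math.sin(2 * math.pi * m / WINDOW))
            for m in range(WINDOW)]

def bin_powers(window: list) -> dict:
    """Magnitude-squared DFT of one window (mean removed), keyed by Hz, for
    bins inside BAND_HZ that are not multiples of MAINS_HZ."""
    mean = sum(window) / len(window)
    x = [v - mean for v in window]
    powers = {}
    for k in range(BAND_HZ[0] // HZ_PER_BIN, BAND_HZ[1] // HZ_PER_BIN + 1):
        hz = k * HZ_PER_BIN
        if hz % MAINS_HZ == 0:
            continue
        re = im = 0.0
        for i, v in enumerate(x):
            c, s = _TWIDDLE[(k * i) % WINDOW]
            re += v * c
            im -= v * s
        powers[hz] = re * re + im * im
    return powers

def tonal_windows(trace: list) -> list:
    """Per window: (peak Hz, peak/median ratio, tonal?). A keyed tone puts almost
    all in-band energy into one bin; noise and ordinary load steps do not."""
    rows = []
    for start in range(0, len(trace) - WINDOW + 1, WINDOW):
        powers = bin_powers(trace[start:start + WINDOW])
        median = sorted(powers.values())[len(powers) // 2]
        peak_hz = max(powers, key=powers.get)
        ratio = powers[peak_hz] / median if median > 0 else float("inf")
        rows.append((peak_hz, ratio, ratio > PROMINENCE))
    return rows

def inspect_trace(trace: list):
    """(alert, fraction of tonal windows, sorted peak Hz seen in tonal windows)."""
    rows = tonal_windows(trace)
    tonal = [r for r in rows if r[2]]
    fraction = len(tonal) / len(rows)
    return fraction >= TONAL_FRACTION, fraction, sorted({r[0] for r in tonal})

# --- constructed traces (amperes; every figure assumed) -----------------------
IDLE_A, LOAD_A, RIPPLE_A, NOISE_A = 0.50, 0.25, 0.05, 0.10

def square_load(freq_hz: int, n: int) -> list:
    """0/1 'busy loop running' per sample, toggled at freq_hz (integer phase)."""
    return [1 if (freq_hz * i) % SAMPLE_RATE < SAMPLE_RATE // 2 else 0 for i in range(n)]

def probe_trace(load: list, seed: int) -> list:
    """Idle draw + loop draw + rectifier ripple at 2*MAINS_HZ + seeded noise."""
    rng = random.Random(seed)
    return [IDLE_A + LOAD_A * on
            + RIPPLE_A * math.sin(2 * math.pi * 2 * MAINS_HZ * i / SAMPLE_RATE)
            + rng.gauss(0.0, NOISE_A) for i, on in enumerate(load)]

def legit_bursts(seed: int = 2) -> list:
    """Ordinary use: a job runs for a while, stops, runs again (steps, no tone)."""
    load = [0] * int(1.5 * SAMPLE_RATE)
    for on_s, off_s in ((0.13, 0.47), (0.82, 1.36)):
        for i in range(int(on_s * SAMPLE_RATE), int(off_s * SAMPLE_RATE)):
            load[i] = 1
    return probe_trace(load, seed)

def covert_fsk(bits: list, seed: int = 3, f0: int = 80, f1: int = 160) -> list:
    """PowerHammer-style keying: one tone per bit at 10 bits/s."""
    load = []
    for b in bits:
        load += square_load(f1 if b else f0, SAMPLE_RATE // 10)
    return probe_trace(load, seed)

def legit_periodic(freq_hz: int = 90, seed: int = 4) -> list:
    """A benign fixed-rate workload (say, a loop waking 90 times a second)."""
    return probe_trace(square_load(freq_hz, SAMPLE_RATE), seed)

if __name__ == "__main__":
    for name, trace in (("bursty job", legit_bursts()),
                        ("keyed load", covert_fsk([1, 0, 1, 1, 0, 0, 1, 0, 1, 1])),
                        ("90 Hz polling loop", legit_periodic())):
        print(name, inspect_trace(trace))
```

The bursty job never alerts: a load step spreads its energy across many bins and most of it lies below the inspected band, so no single bin stands out. The keyed load alerts in every window with peaks at 80 and 160 Hz. The 90 Hz polling loop also alerts, with nothing to distinguish it from the attack, which is the false-positive problem the researchers describe; in practice the monitor’s output needs correlating with what the host was actually running.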

Finally, they recommend installing power line signal filters at the outlet of every computer.

The catch is that such filters are built for higher-frequency interference; the low-frequency signals PowerHammer uses can pass through some of them, and in the lab the attack did bypass some of the filters tested.

Awareness is a primary factor that can reduce successful hacking attempts.

Therefore, both companies and individuals should keep this new research in mind when evaluating how to keep their systems secure.

Written by Kayla Matthews, Productivity Bytes.
