A new attack method named COVID-bit uses electromagnetic waves to transmit data from air-gapped systems, which are isolated from the internet, over a distance of at least two meters (6.5 ft), where it’s captured by a receiver.
The information emanating from the isolated device could be picked up by a nearby smartphone or laptop, even if a wall separates the two.
The COVID-bit attack was developed by Ben-Gurion University researcher Mordechai Guri, who has designed multiple methods to steal sensitive data from air-gapped systems stealthily. Prior work includes the “ETHERLED” and “SATAn” attacks.
Initial compromise
Physically air-gapped systems are computers typically found in high-risk environments such as energy infrastructure, government, and weapon control units, so they are isolated from the public internet and other networks for security reasons.
For a successful attack on such systems, a rogue insider or an opportunist intruder must first plant custom-made malware on the target computers through physical access to the air-gapped device or network.
As impractical or even far-fetched this may sound, such attacks have happened, some examples being the Stuxnet worm in Iran’s uranium enrichment facility at Natanz, the Agent.BTZ that infected a U.S. military base, and the Remsec modular backdoor that collected information from air-gapped government networks for over five years.
To transmit the data in the COVID-bit attack, the researchers created a malware program that regulates CPU load and core frequency in a particular manner to make the power supplies on air-gapped computers emanate electromagnetic radiation on a low-frequency band (0 – 48 kHz).
“The primary source of electromagnetic radiation in SMPS is because of their internal design and switching characteristics,” Mordechai Guri explains in the technical paper.
“In the conversion from AC-DC and DC-DC, the MOSFET switching components turning on or off at specific frequencies create a square wave,” the researcher details.
The electromagnetic wave can carry a payload of raw data, following a strain of eight bits that signify the beginning of the transmission.
The receiver can be a laptop or smartphone using a small loop antenna connected to the 3.5mm audio jack, which can be easily spoofed in the form of headphones/earphones.
The smartphone can capture the transmission, apply a noise reduction filter, demodulate the raw data, and eventually decode the secret.
The results
Guri tested three desktop PCs, a laptop, and a single-board computer (Raspberry Pi 3) for various bit rates, maintaining zero bit error rate for up to 200 bps on PCs and the Raspberry Pi and up to 100 bps for the laptop.
Laptops perform worse because their energy-saving profiles and more energy-efficient CPU cores result in their PSUs not generating strong enough signals.
The desktop PCs could reach a 500bps transmission rate for a bit error rate between 0.01% and 0.8% and 1,000 bps for a still acceptable bit error rate of up to 1.78%.
The distance from the machine was limited for the Raspberry Pi due to its weak power supply, while the signal-to-noise ratio was also worse for the laptop as the testing probes moved further away.
At the maximum tested transmission rate (1,000 bps), a 10KB file would be transmitted in 80 seconds, a 4096-bit RSA encryption key could be transmitted in as little as 4 seconds or as much as ten minutes, and the raw data from one hour of keylogging would be sent to the receiver in 20 seconds.
Live keylogging would work in real-time, even for transmission rates as low as five bits per second.
.png)
The researcher also experimented with virtual machines, finding that interruptions in VM-exit traps to the hypervisor handler cause a signal degradation between 2 dB and 8 dB.
Protecting against COVID-bit
The most effective defense against the COVID-bit attack would be to tightly restrict access to air-gapped devices to prevent the installation of the required malware. However, this does not protect you from insider threats.
For this attack, the researchers recommend monitoring CPU core usage and detecting suspicious loading patterns that don’t match the computer’s expected behavior.
However, this countermeasure comes with the caveat of having many false positives and adds a data processing overhead that reduces performance and increases energy consumption.
Another countermeasure would be to lock the CPU core frequency at a specific number, making the generation of the data-carrying signal harder, even if not stopping it entirely.
This method has the drawback of reduced processor performance or high energy waste, depending on the selected lock frequency.
