Researchers have found a new way to attack air-gapped systems. Dubbed “COVID-bit,” this new technique induces the power supply of the target air-gapped systems to generate radiations, which then leak the data.
COVID-bit Attack Against Air-Gapped Devices
Researchers from the Ben-Gurion University of the Negev, Israel, have shared another attack technique, “COVID-bit,” to steal data from air-gapped systems.
The researchers from the same have also previously devised and elaborated on many other attacks against air-gapped networks, such as BRIGHTNESS (exploiting the LCD screen brightness), Air-ViBeR (exploiting PC’s vibrations due to the fan), AIR-FI (exploiting the RAM), LANTENNA (manipulating the ethernet cables), and SATAn (using the SATA cables).
And now, the recent COVID-bit attack exploits the power supply of the target air-gapped system to steal information.
Air-gapped systems or networks are isolated setups that remain offline to prevent online cyberattacks. Such installations are common in sensitive sectors such as the military. While keeping the systems/networks off the internet sounds like a once-for-all security solution, it isn’t the case.
If a rogue insider or an attacker successfully gaining physical access to the air-gapped environment infects the target system/network with malware, attacking it becomes easy. The malware exploits a specific hardware unit within the system to generate detectable radiations, which the attacker’s system may receive and process to decipher the data.
The same principle applies in the COVID-bit attack – a COVert channel attack. Once the target air-gapped system is compromised, the malware can manipulate the CPU loads and core frequency which consequently triggers the power supply unit to generate specific low-frequency radiations (between 0-60 kHz). A nearby recipient device, such as a mobile phone, can detect these radiations and decipher the transmitted data. It happens at a rate of 1000 bit/sec and works for devices 2m (or more) apart.
According to the researchers, executing COVID-bit is trivial and evasive since it requires no root privileges and even works with virtual machines.
The researchers have shared the technical details of this attack in their research paper. Whereas they have demonstrated the attack in the following video.
Limitations And Countermeasures
The researchers explained that detecting COVID-bit may be possible via a robust malware protection system that detects CPU core changes. However, given that some apps are CPU-bound, adopting such a detection approach may result in higher false positives. But, then, detecting such sophisticated thread activities isn’t easy.
Nonetheless, the researchers suggest limiting dynamic frequency scaling on the CPU via UEFI configurations may help prevent such attacks. But, again, it won’t be 100% effective. In contrast, hardware-based detection measures can work better, such as EMF receivers or signal jammers to block EMF in the air.
Let us know your thoughts in the comments.