A new attack method named COVID-bit uses electromagnetic waves to transmit data from air-gapped systems isolated from the internet over a distance of at least two meters (6.5 ft), where it is captured by a receiver.
The information transmitted by the isolated device could be picked up by a nearby smartphone or laptop, even if a wall separates the two.
The COVID-bit attack was developed by Ben-Gurion University researcher Mordechai Guri, who has designed multiple methods to steal sensitive data from air-gapped systems stealthily. Prior work includes the “ETHERLED” and “SATAn” attacks.
Air-gapped systems are computers used in high-risk environments such as energy infrastructure, government, and weapons control, and they are kept isolated from the public internet for security reasons.
For any attack on those systems, a rogue insider or an opportunist intruder must first plant custom-made malware on the target computers through physical contact with the air-gapped device or network.
While this sounds impractical or even far-fetched, history provides several examples of such attacks, including the Stuxnet worm in a uranium enrichment facility, Agent.BTZ, which infected a U.S. military base via USB flash drives, and the Remsec malware, which collected information from air-gapped government networks for over five years.
To transmit the data, the researchers created a malware program that regulates CPU load and core frequency in a particular manner to make the power supplies on air-gapped computers emanate electromagnetic radiation on a low-frequency band (0 – 48 kHz).
“The primary source of electromagnetic radiation in SMPS is because of their internal design and switching characteristics,” explains Guri in the technical paper.
“In the conversion from AC-DC and DC-DC, the MOSFET switching components turning on or off at specific frequencies create a square wave.”
The electromagnetic signal carries the raw data payload, preceded by a fixed eight-bit sequence (a preamble) that marks the beginning of a transmission and lets the receiver lock onto bit boundaries.
The receiver can be a laptop or smartphone fitted with a small loop antenna connected to the 3.5mm audio jack, which could easily be disguised as a pair of headphones or earphones.
The smartphone can capture the transmission, apply a noise reduction filter, demodulate the raw data, and eventually decode the secret.
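To make the framing and demodulation concrete, the following Python simulation is added here as an illustration; it is not code from Guri's paper and does not reproduce the paper's exact modulation. It models the sender's CPU-load schedule as a square wave that toggles at one of two rates per bit, then runs the receiver's steps on a noisy capture: a narrowband tone filter (the noise-reduction step), a search for the eight-bit preamble to recover bit alignment, and decoding of the payload. The two tone frequencies, the 10 bit/s rate, the 1 kHz sample rate, the noise level, the confidence threshold and the 8-bit length field after the preamble are all this example's assumptions; the real attack toggles load far faster than this.

```python
import math
import random

# Simulation parameters (assumptions for this example, not the paper's values)
FS = 1000           # samples per second of the simulated load/emission trace
BIT_SAMPLES = 100   # samples per bit -> 10 bit/s in this simulation
F_ZERO = 50         # Hz: load-toggle rate that encodes a 0
F_ONE = 100         # Hz: load-toggle rate that encodes a 1
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]  # eight-bit start-of-frame marker
MIN_MARGIN = 20.0   # per-bit tone-energy margin below which a preamble match is not trusted


def _bits(data: bytes):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def _bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def load_schedule(payload: bytes):
    """Sender: +1 = cores busy, -1 = cores idle, toggled at F_ONE or F_ZERO for each bit.
    Frame = preamble, 8-bit length, payload (the length byte is this example's addition).
    Note: a payload byte equal to the preamble pattern would need bit stuffing or a
    longer sync word in a real protocol; that is not handled here."""
    if len(payload) > 255:
        raise ValueError("payload too long for the 8-bit length field")
    schedule = []
    for bit in PREAMBLE + _bits(bytes([len(payload)])) + _bits(payload):
        half_period = FS // (2 * (F_ONE if bit else F_ZERO))
        schedule.extend(1.0 if (n // half_period) % 2 == 0 else -1.0
                        for n in range(BIT_SAMPLES))
    return schedule


def simulate_capture(payload: bytes, signal=1.0, noise=0.8, seed=7):
    """Constructed capture: idle gap, attenuated frame, idle gap, plus Gaussian noise.
    signal=0.0 yields a noise-only capture with no frame in it."""
    rng = random.Random(seed)
    trace = [0.0] * 150 + [signal * s for s in load_schedule(payload)] + [0.0] * 100
    return [s + rng.gauss(0.0, noise) for s in trace]


# Receiver side: precomputed reference tones for the two bit frequencies
_REF = {f: ([math.cos(2 * math.pi * f * n / FS) for n in range(BIT_SAMPLES)],
            [math.sin(2 * math.pi * f * n / FS) for n in range(BIT_SAMPLES)])
        for f in (F_ZERO, F_ONE)}


def tone_energy(window, f):
    """Single-bin DFT at f: a narrowband filter that rejects noise outside the tone."""
    cos_t, sin_t = _REF[f]
    re = sum(x * c for x, c in zip(window, cos_t))
    im = sum(x * s for x, s in zip(window, sin_t))
    return math.hypot(re, im)


def demod_bit(window):
    """Decide 1 or 0 by which tone is stronger; also return the decision margin."""
    e1, e0 = tone_energy(window, F_ONE), tone_energy(window, F_ZERO)
    return (1 if e1 > e0 else 0), abs(e1 - e0)


def _window(samples, start, i):
    lo = start + i * BIT_SAMPLES
    return samples[lo:lo + BIT_SAMPLES]


def decode_frame(samples):
    """Slide over the capture; the most confident preamble match fixes bit alignment."""
    best = None  # (confidence, offset)
    header_bits = len(PREAMBLE) + 8
    for offset in range(0, len(samples) - header_bits * BIT_SAMPLES + 1):
        conf = 0.0
        for i, want in enumerate(PREAMBLE):
            bit, margin = demod_bit(_window(samples, offset, i))
            if bit != want or margin < MIN_MARGIN:
                conf = None
                break
            conf += margin
        if conf is not None and (best is None or conf > best[0]):
            best = (conf, offset)
    if best is None:
        return None  # no trustworthy preamble: nothing was transmitted
    start = best[1] + len(PREAMBLE) * BIT_SAMPLES
    length = _bytes([demod_bit(_window(samples, start, i))[0] for i in range(8)])[0]
    start += 8 * BIT_SAMPLES
    if start + length * 8 * BIT_SAMPLES > len(samples):
        return None  # frame truncated by the end of the capture
    return _bytes([demod_bit(_window(samples, start, i))[0] for i in range(length * 8)])


if __name__ == "__main__":
    print(decode_frame(simulate_capture(b"OK")))              # b'OK'
    print(decode_frame(simulate_capture(b"OK", signal=0.0)))  # None
```

The confidence threshold matters as much as the preamble itself: without it, a noise-only capture would eventually produce a spurious eight-bit match, so a real receiver must reject low-margin matches rather than accept the first pattern it sees.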
Guri tested three desktop PCs, a laptop, and a single-board computer (Raspberry Pi 3) at various bit rates, maintaining a zero bit error rate up to 200 bps on the PCs and the Raspberry Pi and up to 100 bps on the laptop.
Laptops perform worse because their energy-saving profiles and more energy-efficient CPU cores mean their power supplies do not generate strong enough signals.
The desktop PCs could reach a 500 bps transmission rate at a bit error rate between 0.01% and 0.8%, and 1000 bps at a bit error rate of up to 1.78%, which is still acceptable.
The usable distance was limited for the Raspberry Pi due to its weak power supply, while the signal-to-noise ratio for the laptop also worsened as the testing probes were moved further away.
At the maximum tested transmission rate (1000 bps), a 10KB file would be transmitted in 80 seconds, an RSA encryption key would be transmitted in about 4 seconds, and the raw data from one hour of keylogging would be sent to the receiver in 20 seconds.
Live keylogging would work in real-time, even for transmission rates as low as five bits per second.
The researcher also experimented with virtual machines, finding that the interruptions caused by VM-exit traps to the hypervisor handler degrade the signal by between 2 dB and 8 dB.
Protecting against COVID-bit
The most effective defense against the COVID-bit attack would be to tightly restrict access to air-gapped devices to prevent the installation of the required malware. However, this does not protect you from insider threats.
To detect this attack, the researchers recommend monitoring per-core CPU usage and flagging loading patterns that do not match the computer's expected behavior.
However, this countermeasure comes with the drawback of having many false positives and adds a data processing overhead that reduces performance and increases energy consumption.
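One way to implement the CPU-usage check, added here as an example and not taken from the paper: sample per-core utilization, look for a dominant periodic component (a transmitter toggles load in a fixed rhythm) and for cores pinned at idle or full load, and flag only when both hold. The three utilization traces are constructed, not real measurements; the 10 Hz polling rate, the thresholds, and the assumption that the transmitter's rhythm is slow enough for a utilization poller to resolve (the real carrier is far faster) are this example's choices. The poller trace shows the false-positive problem the text mentions: a benign agent waking once a second trips a periodicity-only check, and only the saturation test keeps it from being flagged.

```python
import math
import random

SAMPLE_HZ = 10              # per-core utilization samples per second (assumption: 100 ms poller)
RATIO_THRESHOLD = 12.0      # strongest DFT bin vs. mean bin magnitude (assumed calibration)
SATURATION_THRESHOLD = 0.8  # share of samples pinned near 0 % or 100 % (assumed calibration)


def periodicity(series):
    """Return (peak_ratio, peak_hz): how dominant the strongest periodic component is.
    A transmitter toggling load in a fixed rhythm produces one dominant DFT line;
    ordinary interactive or batch load spreads its energy across many bins."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]  # drop the DC term (average load)
    mags = []
    for k in range(1, n // 2):
        re = sum(v * math.cos(2 * math.pi * k * i / n) for i, v in enumerate(x))
        im = sum(v * math.sin(2 * math.pi * k * i / n) for i, v in enumerate(x))
        mags.append(math.hypot(re, im))
    peak = max(mags)
    avg = sum(mags) / len(mags)
    peak_hz = (mags.index(peak) + 1) * SAMPLE_HZ / n
    return (peak / avg if avg else 0.0), peak_hz


def saturation_fraction(series, margin=5.0):
    """Share of samples within `margin` percentage points of idle or fully busy."""
    return sum(1 for v in series if v <= margin or v >= 100 - margin) / len(series)


def is_suspicious(series):
    """Flag a core whose load is both strongly periodic and pinned on/off.
    Requiring both cuts false positives: a periodic but light-weight agent fails the
    saturation test, and a compile job saturates cores but is not periodic."""
    ratio, _ = periodicity(series)
    return ratio >= RATIO_THRESHOLD and saturation_fraction(series) >= SATURATION_THRESHOLD


def _clamp(v):
    return max(0.0, min(100.0, v))


# Constructed utilization traces (30 s at SAMPLE_HZ), not real measurements.

def transmitter_trace(seconds=30, seed=1):
    """Cores driven fully busy / idle in a fixed 1 Hz rhythm (5 samples on, 5 off)."""
    rng = random.Random(seed)
    return [_clamp((98.0 if (i // 5) % 2 == 0 else 2.0) + rng.gauss(0, 1.0))
            for i in range(seconds * SAMPLE_HZ)]


def benign_trace(seconds=30, seed=2):
    """Interactive load around 30 % with jitter, plus one 2 s burst to 100 % (e.g. a compile)."""
    rng = random.Random(seed)
    return [_clamp(100.0 if 100 <= i < 120 else 30.0 + rng.gauss(0, 12.0))
            for i in range(seconds * SAMPLE_HZ)]


def poller_trace(seconds=30, seed=3):
    """A benign agent waking once a second: 12 % baseline with a one-sample spike to ~72 %."""
    rng = random.Random(seed)
    return [_clamp((72.0 if i % 10 == 0 else 12.0) + rng.gauss(0, 2.0))
            for i in range(seconds * SAMPLE_HZ)]


if __name__ == "__main__":
    for name, trace in (("transmitter", transmitter_trace()),
                        ("benign", benign_trace()),
                        ("poller", poller_trace())):
        ratio, hz = periodicity(trace)
        print(f"{name:11s} peak x{ratio:5.1f} at {hz:.2f} Hz, "
              f"saturated {saturation_fraction(trace):.0%}, suspicious={is_suspicious(trace)}")
```

Even with two criteria, benchmarks, stress tests and some scientific workloads will still look like a transmitter, and computing a DFT per core per window is exactly the processing overhead the text warns about; in practice the check would run on a coarse window and feed an analyst rather than block anything automatically.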
Another countermeasure would be to lock the CPU core frequency at a specific number, making the generation of the data-carrying signal harder, even if not stopping it entirely.
This method has the drawback of reduced processor performance or high energy waste, depending on the selected lock frequency.