Skip to content
Naked Security Naked Security

Air gap security beaten by turning PC capacitors into speakers

Researchers have poked another small hole in air gapped security by showing how the electronics inside computer power supply units (PSUs) can be turned into covert data transmission devices.

Researchers have poked another small hole in air gapped security by showing how the electronics inside computer power supply units (PSUs) can be turned into covert data transmission devices.
Normally, if a computer is physically isolated from other computers it is seen as being more secure because there is no channel for data to be transmitted in or out of the device.
Used for decades by the military, today the concept is now often used to secure computers used for secure tasks such as internal bank transfers, or to isolate medical equipment controlled by software such as MRI scanners.
However, the famous Stuxnet attack on Iran in 2010 showed how air gapping could be beaten using infected USB sticks, since when researchers have started exploring more unusual methods to achieve the same end.

The latest technique, called POWER-SUPPLaY by Mordechai Guri of Ben-Gurion University of the Negev in Israel, involved malware manipulating the current in the PSU’s electrical components to generate ultrasonic sound waves.
This, apparently, is the phenomenon of the “singing capacitor”, through which the PSU can be turned into a speaker of sorts.
Although the volume of data that can be communicated in this way is a tiny 50 bits/sec, Guri has posted a video as a simple proof-of-concept that demonstrates how even this modest throughput can still transmit characters, including passwords, typed on the target computer to a nearby smartphone.

None of this would be audible to someone using the target computer, or detectable by conventional security, which might be useful in specific types of attack scenario:

This technique allows sonic and ultrasonic audio tones to be generated from a various types of computers and devices even when audio hardware is blocked, disabled, or not present.

A big limitation is that the range is as small as the data throughput – barely five metres at most – which would surely limit its usefulness. Background noise would limit this even more.
It was also beyond the scope of the research to come up with a way of sneaking the malware that generates the signal on to the air gapped computer.
What the research does achieve, however, is to add to the lengthening and ever more ingenious methods researchers at Ben-Gurion University of the Negev have found to sneak data out of computers using almost any component.
This includes using speakers, PSU fans, hard drive LEDs, keyboard LEDs, infrared cameras, and even a technique for exfiltrating data from devices inside Faraday cages that block all electromagnetic signals – and this list is by no means exhaustive.
It seems no air gap is good enough to stop these researchers even if all of them would be difficult to use in real-world scenarios.
Where does this leave air gaps as a concept?
The US Defense Advanced Research Projects Agency (DARPA) is now concerned enough about the attacks to fund research into how computer isolation could be re-thought.
The fundamental problem is that computing devices are now too complex at every level of their design and operation for air to offer the isolation it once did.
There are too many components with unusual properties, while even simple devices such as those found on Internet of Things (IoT) networks can run complex software.
Finding ways to beat air gaps might seem like an esoteric subject but understanding the possibilities could yet redefine how the next generation of hopefully ultra-secure computers is specified.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.


As soon I saw the title implying another ridiculous spying technique, first word in my mind was “Israel”, I wasn’t disappointed.
I’m thinking ocular implants on people that don’t know they’ve been hacked, then you can see everything they do.


You say ridiculous, but dismissing attack methods has a bad track record in security. What seems implausible today might look very possible only a few years later.


John, I do not disagree. I expect that they will pull packet data out power sources by tapping the building grid. But then again power supplies are doing line filtering these days to diminish the effects of brownouts. So maybe not that avenue. It’s just that there have been multiple ‘interesting” hacks from that school, so it was an easy expectation, still, A+ for creativity.
In the long run, it may even be likely that all “essential” (popular word these days) computer system may be required to be completely isolated (see the reboot of Battle Star Galactica), for similar reasons.


Agreed. But what I like about this group of researchers is they explore the possible without making any assumptions about who might use a method and in what context. That’s philosophically sound – assuming something is so obscure nobody would bother is a subjective mindset that gets organisations into all sorts of bother in the long run.


Wouldn’t the internal fans and ambient outside noise mask any significant usefulness of this?


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!