Researchers Create Malware That Steals Data via Power Lines

  • April 12, 2018, 11:23 AM

PowerHammer

A team of academics has successfully developed and tested malware that can exfiltrate data from air-gapped computers via power lines. The team, from the Ben-Gurion University of the Negev in Israel, named their data exfiltration technique PowerHammer.

PowerHammer works by infecting an air-gapped computer with malware that intentionally alters CPU utilization levels to make the victim's computer consume more or less electrical power.

Under normal operation a computer draws power from the local electrical network in a fairly uniform manner. A PowerHammer attack produces deliberate variation in the amount of power the victim's PC draws from that network. This phenomenon is known as a "conducted emission."

By altering the high and low power consumption levels, PowerHammer malware can encode binary data from a victim's computer into the power consumption pattern.

There are two types of PowerHammer attacks

To retrieve this data, an attacker must tap a victim's electrical network so it can read the power consumption variation and decode the binary data hidden inside.

Based on where the attacker places the tapping rig, two types of PowerHammer attack exist, each with a different exfiltration speed.

The first is "line level power-hammering," which occurs when the attacker manages to tap the power cable between the air-gapped computer and the electrical socket. The exfiltration speed for line-level hammering is around 1,000 bits/second.

The second is "phase level power-hammering," which occurs when the intruder taps the power lines at the phase level, in a building's electrical panel. This version of the PowerHammer attack is stealthier but can recover data at only 10 bits/second, mainly due to the greater amount of "noise" at the power line phase level.

The two types of PowerHammer attacks

Attack uses off-the-shelf electrical equipment

The tapping device isn't anything super-advanced, being a mundane split-core current transformer that can be attached to any electrical line.

This is a non-invasive probe which is clamped around the power line and measures the amount of current passing through it (Fig. 10). The non-invasive probe behaves like an inductor which responds to the magnetic field around a current-carrying cable (Fig. 10 b). The amount of current in the coil is correlated with the amount of current flowing in the conductor. For our experiments we used SparkFun’s split core current transformer ECS1030-L72.

PowerHammer tapping device/probe

The tapping device (probe) is also capable of sending the recorded data to a nearby computer via WiFi, making data collection easier from afar, without the attacker having to physically connect to the tapping probe.

Attack works on desktops, servers, IoT devices

Experiments revealed the attack is successful at stealing data from air-gapped desktops, laptops, servers, and even IoT devices, though the exfiltration speed is slower for the latter. Another observation is that exfiltration speed improves the more cores a CPU possesses.

Mitigations and more details for our technically inclined users are available in the research team's paper, entitled "PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines." It also must be said that this malware is only an experiment and if ever deployed in the wild, such a tool would only be found in the arsenal of intelligence agencies and not something that normal users would see every day.

The research center at the Ben-Gurion University of the Negev that came up with this new data exfiltration technique has a long history of innovative, and sometimes weird, hacks, all listed below:

LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED
SPEAKE(a)R - use headphones to record audio and spy on nearby users
9-1-1 DDoS - launch DDoS attacks that can cripple a US state's 911 emergency systems
USBee - make a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data
AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
BitWhisper - exfiltrate data from non-networked computers using heat emanations
Unnamed attack - uses flatbed scanners to relay commands to malware infested PCs or to exfiltrate data from compromised systems
xLED - use router or switch LEDs to exfiltrate data
Shattered Trust - using backdoored replacement parts to take over smartphones
aIR-Jumper - use security camera infrared capabilities to steal data from air-gapped networks
HVACKer - use HVAC systems to control malware on air-gapped systems
MAGNETO & ODINI - steal data from Faraday cage-protected systems
MOSQUITO - steal data from PCs using speakers and headphones

Catalin Cimpanu
Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.

Comments

  • Cyberluddite - 1 week ago

    Nothing at all concerning about an ally developing a cyberweapon designed specifically to completely disrupt our ability to protect them. No way at all that this could go horribly wrong, very quickly, since nobody's ever taken a good idea and used it for a bad idea.

    I have to admit, though, PowerHammer makes wiretapping a lot easier than Stingrays. Hope my state's law enforcement doesn't hear of it.

  • chadf - 1 week ago

    You know what they've been saying for years now.. The only secure computer is one that is turned off, unplugged, encased in concrete, and thrown into the sun.

    But even then, it still might get hacked.

  • chazchance - 6 days ago

    This article didn't bother mentioning the counter-measures in the original research piece. It's also conveniently light on mentioning that as "air-gapped computers" are not connected to any network and usually kept in locked, restricted access rooms, installing the required malware will be a challenge, even for the CIA/KGB. Additionally, the data receiving device has to be relatively near the target device, probably in the same room.

    So you send your operative under cover as an employee, s/he steals a pass card and gains entry to the room, figures out which box has the valuable data on it.... At that point there is the choice of just making a copy of the data and leaving, or installing malware plus something to intercept the data which requires attendance and has a high chance of discovery. Why would you choose the malware route?

    Risk analysis measures the damage that can be done against the likelihood of it actually happening. This is so unlikely that it is very low risk.

  • campuscodi - 6 days ago

    The article does not mention mitigations because they are too advanced for the casual user, and I did specifically mention this was an experimental research project and not a real threat.
