COVID-bit: Exfiltrating data from air-gapped computers

A new research paper by Dr. Mordechai Guri, head of R&D in the Cyber Security Research Center at the Ben Gurion University of the Negev in Israel details a proof of concept on data exfiltration from air-gapped computers. Dr. Guri is also the head of Offensive-Defensive Cyber Research Lab at the University. The paper presents COVID-bit, a new COVert channel attack that leaks sensitive information over the air from highly isolated systems.

Guri found that information emanates from the air-gapped computer over the air to a distance of 2m and more and “can be picked up by a nearby insider or spy with a mobile phone or laptop.”

COVID-bit relies on malware placed on a target machine to generate electromagnetic radiation in the 0-60 kHz frequency band. The emitted signal is then picked up by a stealth receiving device in close physical proximity to the infected machine.

The malware exploits “dynamic power consumption of modern computers and manipulates the loads on CPU cores,” according to Guri.

Sensitive data such as files, encryption keys, biometric data, and keylogger output can all be extracted and transmitted over the signal range to a nearby smartphone or laptop. The smartphone is capable of receiving data at 1,000 bits/second.

An antenna can boost the signal and can be purchased for as little as $1.

The attack does not require root privileges, executes from ordinary user-level access, and works even within a virtual machine environment.

There are limited countermeasures available to mitigate this threat. They include monitoring CPU cores for malware-driven load patterns; monitoring the 0-60 kHz frequency band; and initiating random workloads on the CPU cores when suspicious activity occurs.
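As an added illustration of the first countermeasure, monitoring per-core CPU load for the telltale modulation, and not code from Guri's paper: a periodicity check over a per-core utilisation series, which flags a core whose load spectrum is dominated by a single frequency. It assumes utilisation is sampled fast enough for the load switching to be visible (a constructed 100 Hz series with a 5 Hz busy/idle square wave stands in for real telemetry).

```python
import cmath
import math
import random

def dominant_frequency_ratio(samples, sample_hz):
    """Return (peak_hz, ratio): the strongest non-DC spectral bin's power
    divided by the mean power of all other non-DC bins.  A plain DFT is
    used; it is fast enough for a few hundred samples per core."""
    n = len(samples)
    mean = sum(samples) / n
    x = [s - mean for s in samples]  # drop DC so the average load level is ignored
    powers = []
    for k in range(1, n // 2):       # positive, non-DC bins up to Nyquist
        z = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        powers.append(abs(z) ** 2)
    peak_idx = max(range(len(powers)), key=lambda i: powers[i])
    peak_hz = (peak_idx + 1) * sample_hz / n
    rest = [p for i, p in enumerate(powers) if i != peak_idx]
    avg_rest = sum(rest) / len(rest)
    ratio = powers[peak_idx] / avg_rest if avg_rest > 0 else float("inf")
    return peak_hz, ratio

def is_suspicious(samples, sample_hz, threshold=20.0):
    """Ordinary jittery load spreads power across bins (ratio in the single
    digits); a load-modulation transmitter concentrates it in one bin."""
    _, ratio = dominant_frequency_ratio(samples, sample_hz)
    return ratio > threshold

def constructed_series(n, sample_hz, modulated, seed=1, mod_hz=5):
    """Constructed per-core utilisation series in percent (0-100).
    modulated=True overlays a busy/idle square wave at mod_hz; otherwise
    the series is background load with random jitter."""
    rng = random.Random(seed)
    out = []
    for t in range(n):
        if modulated:
            on = (t * 2 * mod_hz // sample_hz) % 2 == 0
            out.append((90 if on else 5) + rng.uniform(-3, 3))
        else:
            out.append(30 + rng.uniform(-15, 15))
    return out

if __name__ == "__main__":
    for label, mod in (("background", False), ("modulated", True)):
        series = constructed_series(400, 100, mod)
        print(label, dominant_frequency_ratio(series, 100), is_suspicious(series, 100))
```

The threshold is a constructed starting point; on real telemetry it should be tuned against a baseline of legitimate periodic workloads (schedulers, polling daemons) before alerting.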

A video demonstration of the COVID-bit air-gap network attack.

The paper was also submitted to IEEE TrustCom 2022, and is available on arXiv, an open-access, curated research-sharing platform.

Air-gapped computers and networks are frequently used in critical infrastructure as well as national security. They have long been thought to be "more secure" against the typical cybersecurity threats faced by internet-connected networks.

The rationale is that access to the network is tightly controlled and that it never communicates over the "open" internet. Such networks may, but do not necessarily, use zero-trust cybersecurity methodologies.

However, an air-gapped network is like any other network: it remains a target, and it is still susceptible to vulnerabilities. An insider threat is often both the primary concern and the most likely means of compromising an air-gapped network.