Just two weeks ago Dr. Mordechai Guri from the Ben Girion University in Israel published a paper detailing how to steal data from a PC through fan vibrations, and now he's found another way to snoop on your computer. This time, the reserarcher's done it by making a power supply sing data in ultrasonic [PDF].
The attack is used to siphon data from a totally air-gapped system. For those not familiar, an air-gapped computer is essentially one that's not connected to the internet, Wi-Fi, Bluetooth, or any other remote data connection, such as speakers, and is typically considered impossible to extract data from.
Guri's hack for extracting data through your best power supply is called, quite simply, POWER-SUPPLaY, and works in an equally simple manner. Malware present on the target PC reads out system data, and then alters the CPU's workload to cause changes in the system's load on the power supply. Although you can't hear the power supply, changing loads on it does alter the ultrasonic frequencies they produce, which the attacker then reads out using a mobile phone capable of recording the frequencies at a maximum distance of 5m (16.4 feet). The attack doesn't require any special hardware privileges to work.
The noise generated by the power supply comes from its transformers and capacitors, typically somewhere in the 20 kHz to 20 MHz range, according to the researcher. It is kind of like coil whine but beyond the audible range of human hearing.
However, this attack wouldn't be particularly effective in a real-life scenario. Although the success rate is high, the data rate of the attack is a measly 50 bits per second, or equivalent to about 22.5 kB per hour. That works out to about 10,000 words stored in plain text.
Another factor limiting the attack is that it requires malware to be installed on the target computer, as well as access to a nearby mobile phone for recording the data. It's also worth noting that if an attacker had access to all these devices, there'd be easier and more effective ways to extract data.
Therefore, we wouldn't worry about going to extreme measures to prevent this type of attack. Guri's research is meant primarily to showcase what could be done by attackers were they so inclined, with his work showing how to extract data when there are no viable alternatives, due to extreme security.
Next to siphoning your PC's data through its power supply, Guri's past methods for overcoming the security of air-gapped PCs include extracting data through fan vibrations, monitor brightness changes, HDD activity LEDs, data transmission through your PC's internal buzzer and keylogging through reading electromagnetic signals.