POWER-SUPPLaY: Leaking Sensitive Data from Air-Gapped, Audio-Gapped Systems by Turning the Power Supplies into Speakers

In this paper, we introduce a new covert channel that enables attackers to leak data acoustically from highly secure, air-gapped and audio-gapped systems. The proposed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities. Our method enables the production of audio streams in a frequency band of 0-24kHz and playing audio files (e.g., WAV) from a computer power supply without the need for audio hardware or speakers. Furthermore, we developed techniques that exploit the multiple CPU cores and their corresponding switching frequencies. It enables the production of multi-channel soundtracks and controlling the bit-depth and volume of sound played through the power supply. Sensitive information (documents, biometric data, encryption keys, etc.) can be covertly transmitted to a nearby receiver (e.g., smartphone). We show that our technique works with various types of systems: PC workstations and servers, as well as embedded systems and IoT devices that have no audio hardware at all.