Abstract
We present a novel bidirectional power line covert channel that lets an attacker both infiltrate data into and exfiltrate data from an air-gapped target through its electrical power cable. Prior power line covert channels were limited to unidirectional, short-range communication; our technique operates bidirectionally and was validated over 25 m through in-line power equipment. By leveraging \ac{plc}, our approach removes the earlier limitations on range and the dependence on target-specific software, making it compatible with any \ac{pmbus}-supported device. Bidirectional communication is achieved by having the attacker modulate the line voltage to send data to the target, while malware on the target modulates its power consumption to transmit data back. For stealth and reliability, we use minimal line-voltage variations disguised as normal fluctuations together with a robust line encoding, allowing the covert channel to evade standard monitoring. The method is resilient to noise, interference, and even military-grade \ac{TEMPEST} power-line filters. In field experiments via an electrical distribution panel, we achieved 2 \ac{bps} with a 0% bit error rate under typical line noise. We also analyze the effectiveness of existing countermeasures within our adversarial model.
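The following simulation is an added illustration of the two channel directions described above; it is not the paper's code and the paper does not state which line code or demodulator it uses. It assumes Manchester coding (bit 1 as a low-to-high mid-bit transition), an integrate-and-compare decoder with known bit boundaries, a 100 readings/s monitor, 2 bit/s signalling, and constructed impairments (Gaussian noise plus a slow sinusoidal drift standing in for ordinary line fluctuations). The voltage and power figures (230 V with a 1 V step, 60 W with a 5 W step) are assumed values, not measurements from the paper.

```python
import math
import random

BIT_RATE = 2.0                                  # bit/s, the rate reported in the abstract
SAMPLE_RATE = 100                               # monitor readings per second (assumed)
SAMPLES_PER_BIT = int(SAMPLE_RATE / BIT_RATE)   # 50 readings per bit
HALF_BIT = SAMPLES_PER_BIT // 2                 # 25 readings per Manchester chip


def bytes_to_bits(data):
    """MSB-first bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; trailing bits that do not fill a byte are dropped."""
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


def manchester_encode(bits):
    """Assumed line code: 0 -> (+1, -1), 1 -> (-1, +1). Every bit carries a mid-bit
    transition, so the receiver needs no absolute reference level."""
    return [chip for b in bits for chip in ((-1, +1) if b else (+1, -1))]


def modulate(chips, nominal, step):
    """Readings a monitor would see: the nominal level shifted by +-step per chip."""
    return [nominal + step * c for c in chips for _ in range(HALF_BIT)]


def impair(readings, noise_rms, drift_amplitude, drift_period_s, seed=0):
    """Constructed channel model: Gaussian noise plus a slow sinusoidal drift that
    stands in for ordinary line fluctuations (loads switching, grid variation)."""
    rng = random.Random(seed)
    out = []
    for n, v in enumerate(readings):
        t = n / SAMPLE_RATE
        drift = drift_amplitude * math.sin(2 * math.pi * t / drift_period_s)
        out.append(v + drift + rng.gauss(0.0, noise_rms))
    return out


def manchester_decode(readings):
    """Integrate-and-compare: a bit is 1 if the mean of its second half exceeds the
    mean of its first half. The decision is differential, so DC offset and slow drift
    cancel; bit boundaries are assumed known (frame sync is out of scope here)."""
    bits = []
    for i in range(0, len(readings) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        first = sum(readings[i:i + HALF_BIT]) / HALF_BIT
        second = sum(readings[i + HALF_BIT:i + SAMPLES_PER_BIT]) / HALF_BIT
        bits.append(1 if second > first else 0)
    return bits


def run_link(payload, nominal, step, noise_rms, drift_amplitude, drift_period_s=7.0, seed=0):
    """One direction end to end: returns (decoded payload, bit error rate)."""
    tx_bits = bytes_to_bits(payload)
    readings = impair(modulate(manchester_encode(tx_bits), nominal, step),
                      noise_rms, drift_amplitude, drift_period_s, seed)
    rx_bits = manchester_decode(readings)
    errors = sum(a != b for a, b in zip(tx_bits, rx_bits))
    return bits_to_bytes(rx_bits), errors / len(tx_bits)


def attacker_to_target(payload=b"CMD", seed=0):
    """Infiltration: the attacker nudges the line RMS voltage by +-1 V around 230 V
    (assumed figures) and the target reads its input-voltage telemetry."""
    return run_link(payload, nominal=230.0, step=1.0, noise_rms=0.8, drift_amplitude=2.0, seed=seed)


def target_to_attacker(payload=b"OK", seed=1):
    """Exfiltration: malware toggles about 5 W of load around a 60 W baseline
    (assumed figures) and the attacker measures power draw at the panel."""
    return run_link(payload, nominal=60.0, step=5.0, noise_rms=3.0, drift_amplitude=4.0, seed=seed)


if __name__ == "__main__":
    print("attacker -> target:", attacker_to_target())
    print("target -> attacker:", target_to_attacker())
    # Raise the noise far above the signal step to see the decoder fail.
    print("swamped by noise  :", run_link(b"CMD", 230.0, 1.0, noise_rms=30.0, drift_amplitude=2.0))
```

The point of the differential decision is that the covert step (1 V) sits below the assumed 2 V amplitude of the slow drift: a threshold detector on absolute voltage would be defeated by that drift, and a monitor looking only at the absolute level sees nothing outside normal fluctuation, while the Manchester receiver recovers every bit. A deployable link would additionally need a preamble for bit-boundary sync and error detection on the frame, both omitted here.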