Slashdot Mirror


Hack Air-Gapped Computers Using Heat

An anonymous reader writes: Ben-Gurion University of the Negev (BGU) researchers have discovered a new method to breach air-gapped computer systems called "BitWhisper," which enables two-way communications between adjacent, unconnected PC computers using heat. BitWhisper bridges the air-gap between the two computers, approximately 15 inches apart, that are infected with malware, by using their heat emissions and built-in thermal sensors to communicate. It establishes a covert, bi-directional channel by emitting heat from one PC to the other in a controlled manner. Also at Wired.

123 comments

  1. I, for one... by Anonymous Coward · · Score: 1

    ...welcome our infrared overlords.

  2. Skynet foiled by ceiling fan by Crashmarik · · Score: 5, Funny

    Film at 11:00

    1. Re:Skynet foiled by ceiling fan by recharged95 · · Score: 1

      Who cares about Skynet when it comes to heat and computers... I worry more about the Matrix instead.

  3. Nonsense by Anonymous Coward · · Score: 1

    This article is just a bunch of hot air.

    1. Re:Nonsense by gnupun · · Score: 2

      Is it TCP/IP over hot air? If so, who installed the server software on the air-gapped PC?

  4. goddamnit!!! by Anonymous Coward · · Score: 5, Informative

    they didn't "hack" the machine using heat!

    they gained control of both machines ahead of time, and THEN used heat (etc) to exfil data.

    they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack".

    1. Re:goddamnit!!! by tiberus · · Score: 0

      Kinda reminds me of:

      Leonard: Not only is he still not talking to me, but there’s this thing he does where he stares at you and tries to get your brain to explode. You know, like in the classic sci-fi movie Scanners? (Puts fingers to head) You know, bzzz-pchew! Never mind. How about this one. It says, “I know my physics, but I’m still a fun guy!”

      Series 1 Episode 09 – The Cooper-Hofstadter Polarization

    2. Re:goddamnit!!! by Lumpy · · Score: 5, Informative

      Just like the "hack using computer speakers" just install this malware first...

      It's an interesting out of band communications process, a very very VERY slow one... but still interesting.

      --
      Do not look at laser with remaining good eye.
    3. Re:goddamnit!!! by bondsbw · · Score: 2

      This technique re-establishes communication which provides a mechanism for a malicious user to regain control. It could be used to load new malicious software, download sensitive data, and establish a proxy into other disconnected internal systems.

      So I fail to care about which term is used, it is a security breach and one of the worst kind... the kind where you think you're completely safe, but you still aren't.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    4. Re:goddamnit!!! by Anonymous Coward · · Score: 1

      they didn't "hack" the machine using heat!

      they gained control of both machines ahead of time, and THEN used heat (etc) to exfil data.

      they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack".

      Well, yes they did, depending on what meaning you put into the word "hack". For a lot of us old-schoolers, "hack" means "do something cool" and is not limited to "gain unauthorized access to". To support this, we fall back on how the word "hack" was used in the 1960s at places like MIT. For example, look at the classic Jargon File, where the definition of "hack" does not mention anything illegal at all. Using that definition, I would say they did a hack using only heat to communicate.

      Then again, I am fully aware that definitions change over time. To each his or her own, I guess.

      You are also right that they didn't use the heat communication as an attack vector. But I didn't read that into the claim of the article either.

    5. Re:goddamnit!!! by QuietLagoon · · Score: 0

      ...they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack"....

      Stop saying "heat" as well. Heat in this context is nothing but low-frequency light.

      So the headline should read...

      Malware that was installed on computers uses light to send data to other computers similarly loaded with malware.

      But that doesn't make for a page-hit-generating headline.

    6. Re:goddamnit!!! by Anonymous Coward · · Score: 1

      Hack doesn't mean "infiltrate".

      They are using a novel technique to achieve something unexpected - that is the definition of hacking.

    7. Re:goddamnit!!! by Anonymous Coward · · Score: 1

      The sad thing is, some security puke is going to read this and there will be studies initiated, PowerPoints distributed and ultimately everywhere there is an "air-gap" computer setup new rules will be implemented so that new chiller blankies will be disseminated to everyone at the cost of several billions of dollars.

      Yet another Security Decree. Just what we need. As if the 94 character random passwords with only two attempts allowed isn't enough.

      FML.

    8. Re:goddamnit!!! by Anonymous Coward · · Score: 0

      If computers have a method to transmit and receive that transmission, however stupid, then it counts in your "security breach" model. So, stay to keyboard and monitor, and that's it for you.

      If you want, freak out about the possibility that one computer will ramp up and down power use, causing a minute drain on the AC common to the building, which could be recovered in some freakish manner by any other computer plugged into the same building.

    9. Re:goddamnit!!! by Anonymous Coward · · Score: 0

      +1

      Airgapping would require a very interesting bug to be something you could exploit to infect a machine. Not likely to happen.

      Practically it's a method of creating a network between your existing botnet machines, bypassing firewall and network segment restrictions.

    10. Re:goddamnit!!! by Sique · · Score: 3, Informative

      They used heat as an attack vector by creating a covert channel. It is not an attack vector to gain access, it's an attack vector to siphon data.

      --
      .sig: Sique *sigh*
    11. Re:goddamnit!!! by nospam007 · · Score: 1

      "They are using a novel technique to achieve something unexpected"

      Infrared data exchange is decades old. Hardly a 'novel technique'.

      But machines with microphones, cameras, wireless mice and keyboards are vulnerable, everything can be used, the nut before the keyboard included.

    12. Re:goddamnit!!! by Anonymous Coward · · Score: 0

      The article headline does not parse that way.

    13. Re:goddamnit!!! by Anonymous Coward · · Score: 0

      Yeah, while it's nice that you can communicate between unconnected machines in all sorts of fscked up ways, this one in particular seems to have VERY MANY problems. It'll likely only work under perfectly ideal conditions, e.g. no extraneous air flow in location, machines just happened to be aligned/have venting in just the right locations, just happen to have sensors capable of detecting minor variations, etc.

      And we won't even get into the fact that they'd have to have access to the unconnected machine physically for this to even work to begin with, in which case seems like it'd be faster/easier to do other things to it.

      I wonder if this was from someone hard up for a master's thesis or phd dissertation... although I'd personally look upon in askance if used for such.

    14. Re:goddamnit!!! by LordLimecat · · Score: 3, Insightful

      So I fail to care about which term is used, it is a security breach and one of the worst kind

      Except it will only work in the most esoteric scenarios with laboratory conditions, sure. 2 PCs, with side-vent cooling and no cold aisle, and a distance of 15 inches?

      Somehow I don't think this will threaten air-gapped secure networks. Those are going to have steady cold air coming in the front, and exhausting out the back; if they're dumping significant heat through the side of the cases you're doing it wrong.

    15. Re:goddamnit!!! by Wrath0fb0b · · Score: 2

      they didn't "hack" the machine using heat!

      they gained control of both machines ahead of time, and THEN used heat (etc) to exfil data.

      they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack".

      I'm afraid you don't understand the meaning of the word "hack" in this context. It does not always mean "gain control/privileges on a computer system in excess of your authorization". In this context, it means "defeat a method used to guarantee a particular security property".

      Property: No control/data flow shall pass from the outside world into this computer
      Method: Air-gapping that computer
      Hack: Defeating that property and passing data between the machines

      Let me give you another example.

      Property: Computers in different classrooms shall not be able to talk directly to each other despite being on the same physical network
      Method: Assign each classroom a VLAN and enforce that at the switch
      Hack: By double-tagging certain Ethernet frames you can defeat the property.

      Now you are going to sperg because no one gained control of anything (even the switch). But of course it's still a hack -- you have shown that the switch + VLAN configuration is not capable (in its current configuration) of providing that guaranteed property of non-communication between VLANs. In some sense this is actually a more elegant hack than taking control of the switch for obvious reasons.

      TL;DR Version: "Hack" means to gain advantage or defeat a security property. Sometimes that involves traditional exploits/privilege escalation, other times it involves other methods.

    16. Re:goddamnit!!! by wonkey_monkey · · Score: 4, Insightful

      If anything, then, I'd say they've hacked the air gap, not the computers.

      --
      systemd is Roko's Basilisk.
    17. Re:goddamnit!!! by Anonymous Coward · · Score: 0

      Except there was no breach and they did not show how a breach could happen.
      They merely showed two machines with pre-loaded software communicating using heat.

      Unless they can demonstrate the attack vector for how the malware would get on the machines in the first place this is not a security demo. It's an interesting networking demo.

    18. Re:goddamnit!!! by Anonymous Coward · · Score: 0

      It is not an ATTACK vector when both machines are set up to be involved in the exchange. Attack implies some kind of resistance.
      Basically the demo is:

      Ok, assume that your security is already compromised, here is how you can exchange info with heat.

      Note they say nothing about how the security is already compromised. So really it's just a networking demo.

    19. Re:goddamnit!!! by Anonymous Coward · · Score: 0

      thank you!

    20. Re:goddamnit!!! by healyp · · Score: 1

      But what about the workstations that access those secure networks? The internal workstation may be sitting right next to an internet connected workstation.

    21. Re:goddamnit!!! by Anonymous Coward · · Score: 0

      It's an attack on the air-gap. So of course it requires two phases, but if your security correctness proof involves no communications between two isolated networks, then this is something. It's as bad as having the airgap computers compute via audio or light emissions.

    22. Re:goddamnit!!! by Guybrush_T · · Score: 1

      So true. Air gapped PCs will now require to be separated by 5 feet. Just because, you know, more security is always better.

    23. Re:goddamnit!!! by Anonymous Coward · · Score: 0

      step 1: drop some cool looking thumb drives in the parking lot.
      step 2: wait for the password to networks that are air-gapped from the internet to be mailed to you.

    24. Re:goddamnit!!! by geminidomino · · Score: 1

      Which step is it that installs the customized thermal sensors?

    25. Re:goddamnit!!! by BradleyUffner · · Score: 2

      Which step is it that installs the customized thermal sensors?

      Step 2: Drop some customized thermal sensors.

    26. Re:goddamnit!!! by radarskiy · · Score: 1

      'they didn't "hack" the machine using heat!'

      That's not the claim, so put your strawman away.

    27. Re:goddamnit!!! by Anonymous Coward · · Score: 2, Insightful

      Exploits only ever get better. That's threat analysis 101. And you've provided no evidence or analysis why your supposed mitigations are an insurmountable defense; at best they're only a stop-gap.

      This is a proof of concept. And a pretty cool proof of concept. The idea of using a side channel like this isn't that novel (RSA key cracks via CPU acoustics was shown years ago), but just think of the all the little problems you'd have to solve to execute the concept. It's pretty awesome work.

    28. Re:goddamnit!!! by Anonymous Coward · · Score: 0

      Step Zombocom: the thumb drives are now thermal sensors!

    29. Re:goddamnit!!! by phantomfive · · Score: 1

      So I fail to care about which term is used, it is a security breach and one of the worst kind

      It is not a security breach at all, and I'm not sure you could even recognize a buffer overflow if you saw one (bro, do you even asm?).

      Once security is breached through another method, this can be used for two already compromised computers to communicate. As a threat, it's less dangerous than a cat5 cable.

      --
      "First they came for the slanderers and i said nothing."
    30. Re:goddamnit!!! by phantomfive · · Score: 1

      It doesn't matter if the workstation hasn't already been compromised. You need to hack the computer before you can use this technique.

      --
      "First they came for the slanderers and i said nothing."
    31. Re:goddamnit!!! by bondsbw · · Score: 2

      Wow, please pay attention.

      read:

      I never stated that no other security breach already existed, but that a new one is being added.

      Consider this scenario: government systems, one computer is internet facing, the other computer is completely isolated. Joe Badguy installs each computer before they are put into real use, and adds the exploit to each. The government beefs up physical security, then enables the internal system confident that data added to it cannot leave. But sometime later, Joe Badguy connects to the internet facing computer, then extracts new data from the isolated computer via the exploit.

      Maybe now you understand the difference between real security, which can exist in layers and multiple forms simultaneously, and simplistic considerations like BOs.

      mov eax, $phantomfive_understands
      cmp eax, 0x1
      jne read

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    32. Re:goddamnit!!! by phantomfive · · Score: 1

      mov eax, $phantomfive_understands
      cmp eax, 0x1
      jne read

      Nice

      --
      "First they came for the slanderers and i said nothing."
    33. Re:goddamnit!!! by bondsbw · · Score: 1

      Granted... from a "real security" standpoint, this is probably amongst the most difficult situations to exploit effectively. Heat transfer isn't exactly broadband. I imagine you'd be doing well to get 1 bpm (bit per minute) communications. The exploit code would probably need to include a sophisticated AI just to figure out what is important enough to transmit.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    34. Re:goddamnit!!! by Sique · · Score: 1

      Most security systems have several layers of defense. To assess how much a break of one line influences the other lines you have to know what new attack vectors are open.

      Let's say you have two systems A and B. System A has very important data, and it is important not only that the data is protected from access, it is also important that if it is accessed unauthorizedly, to know at least, if any data was sent to the outside. System B is less important and in a DMZ. If system B is compromised, you just power it off and reinstall it from a known good backup, but normally you don't do a thorough forensic analysis, you might not even have the right monitoring in place as there is no important data on system B (maybe it's just a web server serving static content like pictures for your corporate website, data that is known to the world anyway).

      With this attack you can tunnel data from System A to the outside without the attacked being aware. Even if the victim does a thorough analysis of system A and all paths from and to system A known to the victim, it will not be aware of the actual data leak.

      --
      .sig: Sique *sigh*
    35. Re: goddamnit!!! by Anonymous Coward · · Score: 0

      It's just like zombie movies. They never show the outbreak/infection, just the horde of them outside the door.

    36. Re:goddamnit!!! by LordLimecat · · Score: 2

      And you've provided no evidence or analysis why your supposed mitigations are an insurmountable defense; at best they're only a stop-gap.

      In THEORY breaking most encryption is just guessing the right 2048-bit code. At best, increasing the length from 1024 to 2048 is just a stopgap.

      In reality, some attacks are so esoteric and hard to pull off (famous example: hard drive magnetic domain remnant detection) that they are not a real-world threat. MAYBE they could adapt this, but it already requires
      A) a machine connected to the internet that is compromised (!)
      B) an AIR-GAPPED, high-security machine directly adjacent to it (!!!)
      C) That that air-gapped machine be compromised as well (!!!!!)
      D) Sensors in both machines sensitive enough to detect incredibly minor fluctuations in temperature (given that a steady stream of air will be flowing through)

      The proper security procedure is to analyze the chance of the risk, the annualized loss expectancy, etc, and then come up with mitigations. Ok, let me give this a shot.
      1) DON'T GET YOUR AIRGAPPED MACHINE INFECTED
      2) probably don't stick it directly adjacent to non-airgapped machines

  5. Sure, great, new comms channel by OzPeter · · Score: 4, Interesting

    But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:Sure, great, new comms channel by GerardAtJob · · Score: 2

      I don't know, but one thing is sure, you need to be patient in order to use/exploit this thing... From the article: The time it took them to increase the heat and transmit a “1” varied between three and 20 minutes depending. The time to restore the system to normal temperature and transmit a “0” usually took longer.

      --
      I can't call that English ;-)
    2. Re:Sure, great, new comms channel by Thanshin · · Score: 5, Funny

      The time it took them to increase the heat and transmit a 1 varied between three and 20 minute

      So, somewhere between Comcast's Standard and High Speed plans.

    3. Re:Sure, great, new comms channel by gstoddart · · Score: 1

      Once you have the PoC ... the rest is just a little social engineering or covert attack.

      Knowing it can be done opens a lot of opportunities, and defeats a lot of security.

      --
      Lost at C:>. Found at C.
    4. Re:Sure, great, new comms channel by Anonymous Coward · · Score: 0

      I don't know, but one thing is sure, you need to be patient in order to use/exploit this thing... From the article: The time it took them to increase the heat and transmit a “1” varied between three and 20 minutes depending. The time to restore the system to normal temperature and transmit a “0” usually took longer.

      And by contrast, the cast of The Expendables killed 472 people in 20 minutes to try and steal the hard drive full of data.

      Patience is not everyone's strong suit.

    5. Re:Sure, great, new comms channel by pjt33 · · Score: 1

      Interdiction or USB. NSA has plenty of experience in that side of things.

    6. Re:Sure, great, new comms channel by fuzzyfuzzyfungus · · Score: 2

      But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.

      TFA was either unclear or misrepresented: This technique is purely a demonstration of a sneaky covert channel implementation that requires only hardware likely to be present and functioning even on aggressively air-gapped systems. Actually getting the malware in place to use the covert channel is somebody else's problem, so TFA doesn't address it.

    7. Re:Sure, great, new comms channel by fuzzyfuzzyfungus · · Score: 4, Funny

      Not quite; you can transfer at full speed for the whole month without being throttled or paying overage fees...

    8. Re:Sure, great, new comms channel by Lumpy · · Score: 2

      No, it doesn't defeat any security. It requires both machines to be pre-infected to begin with, and the data rate is less than 1 bit per minute.

      --
      Do not look at laser with remaining good eye.
    9. Re:Sure, great, new comms channel by Anonymous Coward · · Score: 1

      But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.

      Don't know, but theoretically this can be used in a Stuxnet-style attack.
      Say that you manage to infect a networked computer. You then use that one to infect any memory device used to upgrade the offline computer.
      With this method you can extract small amounts of data from the offline system without having to rely on the user putting a writable device in it that later on will be put into an infected computer.
      You could also use it as a remote control. Instead of having the offline computer act at a specific time you can send a trigger signal using heat. The benefit is that it won't behave erratically until you actually send the signal.

    10. Re:Sure, great, new comms channel by fuzzyfuzzyfungus · · Score: 2

      It would be an atrocious choice for exfiltrating most types of data, even a couple of pages of 'sensitive_memo.doc' would take ages; but there are some cryptographic private keys that I'd be more than willing to wait a month or two for...

    11. Re:Sure, great, new comms channel by ComputerGeek01 · · Score: 1

      This isn't completely unexpected after seeing the title. "Security Researchers" often take liberties with the idea that tool chains are comprised of individual components, so there is less of a need to offer a complete solution.

    12. Re:Sure, great, new comms channel by gstoddart · · Score: 1

      So did Stuxnet ... it relied on exploiting removable media in the airgapped machine.

      People who want to spy on you can be patient.

      It may not have much in the way of bandwidth, but it has the potential to bridge an airgap.

      Yes, it's far from perfect, and relies on getting installed in the first place. That doesn't mean it won't cause people in secure facilities a few more ulcers.

      --
      Lost at C:>. Found at C.
    13. Re:Sure, great, new comms channel by Anonymous Coward · · Score: 0

      As soon as you can infect a computer with heat waves, problem is it is 105% impossible, something the article makes sure they avoid talking about.

      You also need to read up on Stuxnet, it seems you are confused as to what it is.

    14. Re:Sure, great, new comms channel by MozeeToby · · Score: 1

      Well, by most reports the target computers of Stuxnet were airgapped. There are ways, usually through social engineering.

      Drop a particularly neat looking, high capacity (and extremely exploited) flash drive in the parking lot and wait for someone to pick it up. At worst they'll plug it into their open PC looking to see if they can find the owner. At worst they'll put it on their lanyard and start using it day to day, infecting every PC they plug it into. Yeah, airgapped PCs should have their USB disabled, but there are many places that should know better that don't bother. And that's just off the top of my head, a team of 20 brainstorming for a week is going to come up with ideas.

    15. Re:Sure, great, new comms channel by Anubis+IV · · Score: 1

      That's what I was just thinking too. Just spitballing, if it averages out to one hour per two bits (since on average half will be 0s and they said it takes longer to cool back down), then you could exfiltrate a 128-bit key in 64 hours. Even bumping it up for longer keys, it still wouldn't take that long. Well worth it.

      That said, the fact that this requires that both machines have already been compromised severely limits the usefulness for this attack. After all, in most cases where you already compromised the target computer, you could have already exfiltrated that key to begin with. And if it's a matter of the computer being locked down so that you can't exfiltrate the data any other way, then what are the odds that a computer sitting 15 inches or less away will be configured any differently?

    16. Re:Sure, great, new comms channel by gstoddart · · Score: 1

      You also need to read up on Stuxnet, it seems you are confused as to what it is.

      Or, you're an idiot.

      Stuxnet didn't magically cross the airgap, and I never said it did. What it did was find ways to cross that used the humans involved, and the fact they needed to get data onto those systems at some point.

      Which means it is a solved problem to cross the air gap by coming at the problem from a different direction.

      So saying this won't work because it requires the secure system to be compromised is crap ... because there are already examples of how people do this.

      Yes, you have to get the stuff onto the machine in the first place. But it's not like that's never been accomplished.

      --
      Lost at C:>. Found at C.
    17. Re:Sure, great, new comms channel by StikyPad · · Score: 2, Funny

      Speak for yourse
      NO CARRIER

    18. Re:Sure, great, new comms channel by Anonymous Coward · · Score: 0

      Same strategy as in "How to get a million dollars and not pay taxes."
      First, you get a million dollars...

      Another good question; where will you ever see two computers close enough to communicate this way in the real world?

      Do you know what can totally screw your plans to communicate with heat? Sources of heat not under your control, like the sun streaming in a window, a cup of freshly brewed coffee, any number of pets that would seek out that odd space, etc...

    19. Re:Sure, great, new comms channel by azadrozny · · Score: 1

      The article says you can steal passwords or "secret keys" (encryption keys?) with eight signals per hour. You could simply leave this behind so that you don't need physical access the next time the key changes.

    20. Re:Sure, great, new comms channel by Anubis+IV · · Score: 1

      But you'd need physical access to the machine 15 inches away, which likely has the same security safeguards in place. It seems like a solution looking for a problem.

    21. Re:Sure, great, new comms channel by ememisya · · Score: 1

      Gravitational waves ;)

  6. Nothing new here by Anonymous Coward · · Score: 3, Funny

    Governments and business have been doing this for centuries, communicating by nothing more than hot air.

  7. Also at Wired by Anonymous Coward · · Score: 0

    haha

  8. Next step - embed it in a chip by Crookdotter · · Score: 2

    With chips being so complicated these days, who audits them all? What's to stop a manufacturer being exploited and this kind of malware being as standard in a lot of silicon? However, if that's the case then a more traditional attack would be warranted - the data rate here is awful.

  9. Bad Title by The+Raven · · Score: 1

    Not hack. They have not infected computers using thermal energy. They just demonstrated slow (very slow) communication between two computers using heat and heat sensors. It uses a tremendous amount of battery power of little to no purpose, since both computers need to already have the software on them... stenography would be a more appropriate communication method (hiding communication in seemingly-innocuous em traffic).

    --
    "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
    1. Re:Bad Title by pjt33 · · Score: 2

      Stenography is typing. You mean steganography. But even that is missing the point, which is one thing the title does get right: air-gapped. There's not supposed to be any communications channel at all between the two computers, but this technique creates one.

    2. Re:Bad Title by fuzzyfuzzyfungus · · Score: 1

      The proposed use case (probably realistic in a number of offices right now; quite possibly less so now that this paper is written and the word goes out) where somebody with suitably fancy access has one computer for access to the super-secret-special-network, and a separate one for boring email and web stuff; that are supposed to be totally disconnected from one another; but which are likely to be crammed next to each other because our hypothetical paper pusher has limited desk space.

      Now that it's known to be a potential problem, mitigation isn't going to be rocket surgery (thermal communication isn't going to work as well even with an extra couple of meters of separation; much less a purpose-built insulated barrier or something); but it is hardly something that would be obvious when arranging somebody's classified desk, even if you have your paranoia hat on.

    3. Re:Bad Title by The+Raven · · Score: 1, Insightful

      Air gap... like Bluetooth?

      I know what the term means, but heat is just another type of EM radiation (infra-red) that doesn't have dedicated communication hardware. The accomplishment is neat, but not useful.

      As a counter-example, the paper on reading monitors from their diffuse reflected luminance is actually useful. You get a high-bandwidth, air-gapped eavesdropping method. This communication by heat is more likely to be detected (as a problem, not necessarily as communication) than a steganographic (thank you) communication channel using more common EM radiation.

      I'm not saying it's not 'neat'. It's just not neat and useful.

      --
      "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
    4. Re:Bad Title by Anonymous Coward · · Score: 0

      Not hack. They have not infected computers using thermal energy. They just demonstrated slow (very slow) communication between two computers using heat and heat sensors. It uses a tremendous amount of battery power of little to no purpose, since both computers need to already have the software on them... stenography would be a more appropriate communication method (hiding communication in seemingly-innocuous em traffic).

      If you're taking the time to try and hack into an air-gapped system, it's likely for good reason. Time is usually the asset you DO have on your side.

      And I can see the SCIF rules being rewritten already.

    5. Re:Bad Title by fnj · · Score: 1

      Just because you don't want to use it doesn't mean it's not useful to anybody.

    6. Re:Bad Title by TheCarp · · Score: 1

      So basically, this "hack" is likely really a hack on the administrative apparatus of the state in causing justification for certain paper pushers to request larger offices with bigger desks.

      --
      "I opened my eyes, and everything went dark again"
  10. They're fishermen, not engineers. by jpellino · · Score: 1

    As evidenced by them calling that gap between the computers 15 inches.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  11. Zalewalski shit by bluefoxlucid · · Score: 2

    This is totally Zalewalski shit.

    1. Re:Zalewalski shit by healyp · · Score: 1

      YES! Watch the blinkenlights.

    2. Re:Zalewalski shit by Anonymous Coward · · Score: 0

      who is Zalewalski and why did his shit become more shitty than bullshit?

  12. Wireless technology by sreever · · Score: 2

    So, can I use a space heater to extend the range of this new wireless technology?

  13. Requires computers already infected by malware by Anonymous Coward · · Score: 0

    Both computers need to be compromised with the researcher's malware for this to work (for anyone who didn't RTFA). Still a really innovative result.

  14. An easy fix by ctrl-alt-canc · · Score: 1

    Just install a mains-powered fan between the two computers.

    1. Re:An easy fix by Anonymous Coward · · Score: 0

      Then what if one computer increases and decreases power usage, adjusting the speed of the fan ever so slightly? ;)

    2. Re:An easy fix by Anonymous Coward · · Score: 0

      How can it control the fan speed if it is powered by mains?

  15. The larger problem is by Lawrence_Bird · · Score: 1

    the air-gapped system must already be infected. So while this is cute and all, on its own it does nothing.

    1. Re:The larger problem is by gstoddart · · Score: 4, Insightful

      And how did Stuxnet spread?

      In some cases, by exploiting removable media.

      If you think there's no precedent for getting the infection onto the machine, you're horribly mistaken.

      --
      Lost at C:>. Found at C.
    2. Re:The larger problem is by Lawrence_Bird · · Score: 1

      If you are able to do that you almost certainly have a far simpler attack vector to extract data from the air-gapped machine. Think about your case: a usb stick. If it can carry in then it can also carry out and is not dependent upon precise proximity of the air and non-gapped computers.

  16. Or... by AndyKron · · Score: 1

    Or you could just go in with lots of guys with guns, take the computers, and dump the bodies at sea.

  17. Finally, malware that gives computers a fever. by Ihlosi · · Score: 5, Funny

    Now all those viruses can finally give your computer proper disease symptoms.

    1. Re:Finally, malware that gives computers a fever. by Anonymous Coward · · Score: 0

      Heh. My son's computer (17" HP Laptop with Nvidia) has enough thermal problems that it already exhibits that. If infected, it shuts down after 30 minutes due to overheating...

  18. SLOW.... by Anonymous Coward · · Score: 0

    This makes my old 1200 baud modem look absolutely speedy.. We are talking about bit rates just around 10 per HOUR. A 256 bit key would take more than a day to transmit. Where this looks cool (er or hot depending on the bit state) it's about useless. Not to mention that it requires line of sight between the two machines, and if you have LOS, why not just use the IR device how it was designed to work?

    1. Re:SLOW.... by fuzzyfuzzyfungus · · Score: 1

      It is slower than a lizard in a blizzard; but the advantage is that it uses the thermal sensors that PCs include for ACPI thermal management/fan speed control/etc. not any of the hardware that is explicitly for communication (ethernet, wifi, IRDA, BT, etc. and thus almost certain to be stripped out/disabled) or that isn't for networking; but is a fairly obvious threat (speaker and mic, laptop ambient light sensors for backlight control, that sort of thing); so it is fairly likely that even computers prepared by the relatively paranoid for use on highly sensitive networks will still have the necessary sensors (and any computer will be unable to avoid having the necessary software-controlled thermal source, barring the development of 100% efficient CPUs).

    2. Re:SLOW.... by DocSavage64109 · · Score: 1

      In addition to all that, both machines have to be essentially idle, so the heat differences can even be noticed.

    3. Re:SLOW.... by Zeroko · · Score: 1

      You do not necessarily need a more efficient CPU to block this. Less efficient would also do—just make every operation consume as much power as the worst.

  19. communication with thermal wavelength of em spec? by Kekke · · Score: 1

    Now, I seem to be missing something here...
    Please enlighten Me, how this is news?
    C'mon ffs, Stalin was spied this way from 50-70 meters using Ir produced by His windows (the Idiot was always yelling) (200ft for those of you who don't buy Royale with cheese).

  20. Sneakernet would be just as vulnerable by Applehu Akbar · · Score: 1

    If your server were air-gapped so totally that all transfers to and from it had to be with a human, malware could just as easily be transmitted by flash drive.

    1. Re:Sneakernet would be just as vulnerable by Zeroko · · Score: 1

      If they use a flash drive with a (properly-implemented) hardware write protect switch, it might only allow one-way transfer, so this is still potentially useful as the return channel.

  21. Communication methods by MagickalMyst · · Score: 1

    Wow! We have hardwire, ethernet, wifi, bluetooth, infrared, optical.... now heat to transfer data.

    I guess the only thing missing is smell data transfer and smoke signals.

    Maybe a good kickstarter project...

    --
    Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
    1. Re:Communication methods by burtosis · · Score: 1

      Personally I'm surprised no one has trained mice to ferry in USB drives to a secured area and plug them in somewhere.

    2. Re:Communication methods by Zappy · · Score: 1

      You missed audio/sound

    3. Re:Communication methods by DocSavage64109 · · Score: 1

      People can't even reliably plug USB drives in.

    4. Re:Communication methods by gstoddart · · Score: 1

      Bah, you have a 50/50 chance ... send two mice.

      --
      Lost at C:>. Found at C.
    5. Re:Communication methods by healyp · · Score: 1

      USB Type-C should fix this, for the mice and the people.

  22. Yet ANOTHER BULLSHIT "article" by Anonymous Coward · · Score: 0

    This site would not be fit for a bird cage floor, if it were printed on paper.

  23. How to get discrete 1/0 from normal operation? by Anonymous Coward · · Score: 0

    Mildly curious how they intend to deal with normal fluctuations in heat when you don't even want to communicate. I don't think I'll take the time to read the unreleased paper describing their technique when it's all rubbish anyway.

  24. Old hat by Lew Perin · · Score: 1

    Like most recent technical advances, this is merely a corollary of pre-existing xkcd research.

    --
    Sorry, I forgot there are ads on the Web; I use Lynx.
  25. RFC? by Anonymous Coward · · Score: 0

    Is there an RFC for IP over heat?

  26. What is ... by PPH · · Score: 1

    ... the signal to noise ratio in an office full of coffee cups?

    --
    Have gnu, will travel.
  27. Norton Coffee by ip_freely_2000 · · Score: 1

    Protect against this hack by placing a hot coffee beside your computer. Only $69.99 per cup of coffee.

    1. Re:Norton Coffee by bigtrike · · Score: 1

      And far more if you want MILSPEC coffee which has been rigorously tested to withstand an atomic blast 3 miles away.

  28. Attack Vector by Anonymous Coward · · Score: 0

    So... everybody complaining about how the software is supposed to have gotten onto the airgapped box has a serious lack of imagination:

    Scenario 1: I work for Three Letter Agency, but I'm really a double agent. I know they're carefully checking the airgapped box on a daily basis, but I know they aren't bothering to check its heat emissions, so I set my desk up so that the airgapped box is 15 inches from my email computer, and point them at each other. I install the software on both boxen and set my email computer to email me as soon as the private keys are finished downloading. I then become a model employee for several months, before one day I disappear, and later that day awful things start happening.

    Scenario 2: I work for Three Letter Agency, but I'm really stupid. I got this cool BlueCoat thumb drive from a conference I went to, and today I have a problem... I *really* need to move a file from the airgapped box to my email box, both of which sit on my desk. So, eh, what the hell, as long as I plug the thumb drive into the airgapped box first and never plug it back in there after it's touched any other machine, what could it hurt, right? So, I plug it in, move the file to my email computer, and go on with my day. Several months later big guys with guns show up at my desk and ask me a lot of uncomfortable questions about being a double agent. I don't know what they're talking about, but apparently several private keys have been emailed from my email computer to various unsavory characters. It doesn't look so good for me.

    Using either attack vector (or any other attack vector), the airgapped box can exfiltrate data quietly using this thermal hack. Specifying which attack vector is beyond the scope of TFA, so it's beyond me why so many posters have a problem with them not specifying. It's not even like this hasn't happened before... Stuxnet relied on operators being stupid (or evil) enough to stick their USB drives into airgapped machines.

  29. Re: New SCIF Rules by Anonymous Coward · · Score: 0

    Air-gap blocking cubicles/carrels to block heat/audio/EMF transmissions?
    Or more direct ventilation/white noise/random EMF generators?

    Variants of those would be cheap enough, and easy enough to implement.

    FWIW

  30. Any wave'll do by ememisya · · Score: 1

    Heat, light, ... whether electromagnetic or mechanical, you got waves, we'll talk.

  31. What's next - "Computer hacked over power line"? by mmell · · Score: 1

    Of course, it requires the computer to be compromised first . . . but once compromised it can turn lights on and off all over your house!

  32. "Air gap" shouldn't be taken literally by davidwr · · Score: 1

    In security terms, "air gap" should be taken to mean "direct communications gap".

    If two machines can "talk" to each other without involving a human or a third-party computer* to do your dirty work for you.

    --
    *If the third-party computer is being used "in real time" it doesn't count as a "direct communications gap." However, if the computer hijacks the local router in the stand-alone network so that the next time it is hooked to an external network, it does bad things on behalf of the evil computer, that would be an example of "jumping the direct communications gap".

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  33. Hack the planet by skovnymfe · · Score: 1

    Hack the planet! With heat! Wait a minute...

  34. Re:What's next - "Computer hacked over power line" by Anonymous Coward · · Score: 0

    Actually figuring that all of these "hacks" require physical access to the computer in question in the first place, building in an ethernet over powerline module into a power supply and hooking it into the computer's undoubtedly built-in Ethernet or wiring a usb Ethernet adapter into the supply alongside said powerline adapter would probably be the most effective way at present to bypass an airgapped computer without anyone becoming immediately aware. Couple a modified power supply with some malware and you might even be able to skip the usb angle.

    Of course it would in theory be fairly easy to counter by adding some sort of additional filtering to the building's power lines. Maybe even actual powerline scramblers.

    Guess the bottom line is a computer is only as secure as the least trustworthy person who accesses it.

  35. Hacking and destroying air gapped computers by fabioalcor · · Score: 1

    Using heat. Lots of it. I'd call it "fire".

  36. It is all bits and bytes until... by Anonymous Coward · · Score: 0

    somebody breaks wind.

  37. 15 inches apart by bug1 · · Score: 1

    If you have to get the computer that close to the machine you want to hack, then you could just drop by occasionally and connect a cable/wifi to it and do a data dump.

  38. Cooperative use by vandamme · · Score: 1

    Replace your wifi. Right??