Hack Air-Gapped Computers Using Heat

An anonymous reader writes Ben-Gurion University of the Negev (BGU) researchers have discovered a new method to breach air-gapped computer systems called "BitWhisper," which enables two-way communications between adjacent, unconnected PC computers using heat. BitWhisper bridges the air-gap between the two computers, approximately 15 inches apart that are infected with malware by using their heat emissions and built-in thermal sensors to communicate. It establishes a covert, bi-directional channel by emitting heat from one PC to the other in a controlled manner. Also at Wired.

I, for one...

...welcome our infrared overlords.

Skynet foiled by ceiling fan

[Crashmarik]

Film at 11:00

Re:Skynet foiled by ceiling fan

[recharged95]

How cares about skynet when it comes to heat and computers... I worry more about the Matrix instead.

Nonsense

This article is just a bunch of hot air.

Re:Nonsense

[gnupun]

Is it TCP/IP over hot air? If so, who installed the server software on the air-gapped PC?

goddamnit!!!

they didn't "hack" the machine using heat!

they gained control of both machines ahead of time, and THEN used heat (etc) to exfil data.

they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack".

Re:goddamnit!!!

[Lumpy]

Just like the "hack using computer speakers" just install this malware first...

It's an interesting out of band communications process, a very very VERY slow one... but still interesting.

Re:goddamnit!!!

[bondsbw]

This technique re-establishes communication which provides a mechanism for a malicious user to regain control. It could be used to load new malicious software, download sensitive data, and establish a proxy into other disconnected internal systems.

So I fail to care about which term is used, it is a security breach and one of the worst kind... the kind where you think you're completely safe, but you still aren't.

Re:goddamnit!!!

they didn't "hack" the machine using heat!

they gained control of both machines ahead of time, and THEN used heat (etc) to exfil data.

they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack".

Well, yes they did, depending on what meaning you put into the word "hack". For a lot of us old-schoolers, "hack" means "do something cool" and is not limited to "gain unauthorized access to". To support this, we fall back on how the word "hack" was used in the 1960's at places like MIT. For example, look at the classic Jargon File, where the definition of "hack" does not mention anything illegal at. Using that defintion, I would say they did a hack using only heat to communicate.

Then again, I am fully aware that definitions change over time. To each his or her own, I guess.

You are also right that they didn't use the heat communication as an attack vector. But I didn't read that into the claim of the article either.

Re:goddamnit!!!

Hack doesn't mean "infiltrate".

They are using a novel technique to achieve something unexpected - that is the definition of hacking.

Re:goddamnit!!!

The sad thing is, some security puke is going to read this and there will be studies initiated, PowerPoints distributed and ultimately everywhere there is an "air-gap" computer setup new rules will be implemented so that new chiller blankies will be disseminated to everyone at the cost of several billions of dollars.

Yet another Security Decree. Just what we need. As if the 94 character random passwords with only two attempts allowed isn't enough.

FML.

Re:goddamnit!!!

[Sique]

They used heat as an attack vector by creating a covered channel. It is not an attack vector to gain access, it's an attack vector to siphon data.

Re:goddamnit!!!

[nospam007]

"They are using a novel technique to achieve something unexpected"

Infrared data exchange is decades old. hardly a 'novel technique'.

But machines with microphones, cameras, wireless mice and keyboards are vulnerable, everything can be used, the nut before the keyboard included.

Re:goddamnit!!!

[LordLimecat]

So I fail to care about which term is used, it is a security breach and one of the worst kind

Except it will only work in the most esoteric scenarios with laboratory conditions, sure. 2 PCs, with side-vent cooling and no cold aisle, and a distance of 15 inches?

Somehow I dont think this will threaten air-gapped secure networks. Those are going to have steady cold air coming in the front, and exhausting out the back; if theyre dumping significant heat through the side of the cases you're doing it wrong.

Re:goddamnit!!!

[Wrath0fb0b]

they didn't "hack" the machine using heat!

they gained control of both machines ahead of time, and THEN used heat (etc) to exfil data.

they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack".

I'm afraid you don't understand the meaning of the word "hack" in this context. It does not always mean "gain control/privileges on a computer system in excess of your authorization". In this context, it means "defeat a method used to guarantee a particular security property".

Property: No control/data flow shall pass from the outside world into this computer
Method: Air-gapping that computer
Hack: Defeating that property and passing data between the machines

Let me give you another example.

Property: Computers in different classrooms shall not be able to talk directly to each other despite being on the same physical network
Method: Assign each classroom a VLAN and enforce that at the switch
Hack: By Double tagging certain ethernet frames you can defeat the property.

Now you are going to sperg because no one gained control of anything (even the switch). But of course it's still a hack -- you have shown that the switch + VLAN configuration is not capable (in its current configuration) of providing that guaranteed property of non-communciation between VLANs. In some sense this is actually a more elegant hack than taking control of the switch for obvious reasons.

TL;DR Version: "Hack" means to gain advantage or defeat a security property. Sometimes that involves traditional exploits/privilege escalation, other times it involves other methods.

Re:goddamnit!!!

[wonkey_monkey]

If anything, then, I'd say they've hacked the air gap, not the computers.

Re:goddamnit!!!

[healyp]

But what about the workstations that access those secure networks? The internal workstation may be sitting right next to an internet connected workstation.

Re:goddamnit!!!

[Guybrush_T]

So true. Air gapped PCs will now require to be separated by 5 feets. Just because, you know, more security is always better.

Re:goddamnit!!!

[geminidomino]

Which step is it that installs the customized thermal sensors?

Re:goddamnit!!!

[BradleyUffner]

Which step is it that installs the customized thermal sensors?

Step 2: Drop some customized thermal sensors.

Re:goddamnit!!!

[radarskiy]

'they didn't "hack" the machine using heat!'

That's not the claim, so put your strawman away.

Re:goddamnit!!!

Exploits only ever get better. That's threat analysis 101. And you've provided no evidence or analysis why you're supposed mitigations are an insurmountable defense; at best they're only a stop-gap.

This is a proof of concept. And a pretty cool proof of concept. The idea of using a side channel like this isn't that novel (RSA key cracks via CPU acoustics was shown years ago), but just think of the all the little problems you'd have to solve to execute the concept. It's pretty awesome work.

Re:goddamnit!!!

[phantomfive]

So I fail to care about which term is used, it is a security breach and one of the worst kind

It is not a security breach at all, and I'm not sure you could even recognize a buffer overflow if you saw one (bro, do you even asm?).

Once security is breached through another method, this can be used for two already compromised computers to communicate. As a threat, it's less dangerous than a cat5 cable.

Re:goddamnit!!!

[phantomfive]

It doesn't matter if the workstation hasn't already been compromised. You need to hack the computer before you can use this technique.

Re:goddamnit!!!

[bondsbw]

Wow, please pay attention.

read:

I never stated that no other security breach already existed, but that a new one is being added.

Consider this scenario: government systems, one computer is internet facing, the other computer is completely isolated. Joe Badguy installs each computer before they are put into real use, and adds the exploit to each. The government beefs up physical security, then enables the internal system confident that data added to it cannot leave. But sometime later, Joe Badguy connects to the internet facing computer, then extracts new data from the isolated computer via the exploit.

Maybe now you understand the difference between real security, which can exist in layers and multiple forms simultaneously, and simplistic considerations like BOs.

mov eax, $phantomfive_understands
cmp eax, 0x1
jne read

Re:goddamnit!!!

[phantomfive]

mov eax, $phantomfive_understands
cmp eax, 0x1
jne read

Nice

Re:goddamnit!!!

[bondsbw]

Granted... from a "real security" standpoint, this is probably amongst the most difficult situations to exploit effectively. Heat transfer isn't exactly broadband. I imagine you'd be doing well to get 1 bpm (bit per minute) communications. The exploit code would probably need to include a sophisticated AI just to figure out what is important enough to transmit.

Re:goddamnit!!!

[Sique]

Most security systems have several layers of defense. To assess how much a break of one line influences the other lines you have to know what new attack vectors are open.

Lets say you have two systems A and B. System A has very important data, and it is important not only that the data is protected from access, it is also important that if it is accessed unauthorizedly, to know at least, if any data was sent to the outside. System B is less important and in a DMZ. If system B is compromised, you just power it off and reinstall it from a known good backup, but normally you don't do a thorough forensic analysis, you might not even have the right monitoring in place as there is no important data on system B (maybe it's just a web server serving static content like pictures for your corporate website, data that is known to the world anyway).

With this attack you can tunnel data from System A to the outside without the attacked being aware. Even if the victim does a thorough analysis of system A and all paths from and to system A known to the victim, it will be not aware of the actual data leak.

Re:goddamnit!!!

[LordLimecat]

And you've provided no evidence or analysis why you're supposed mitigations are an insurmountable defense; at best they're only a stop-gap.

In THEORY breaking most encryption is just guessing the right 2048-bit code. At best, increasing the length from 1024 to 2048 is just a stopgap.

In reality, some attacks are so esoteric and hard to pull off (famous example: hard drive magnetic domain remnant detection) that they are not a real-world threat. MAYBE they could adapt this, but it already requires
A) a machine connected to the internet that is compromised (!)
B) an AIR-GAPPED, high-security machine directly adjacent to it (!!!)
C) That that air-gapped machine be compromised as well (!!!!!)
D) Sensors in both machines sensitive enough to detect incredibly minor fluctuations in temperature (given that a steady stream of air will be flowing through)

The proper security procedure is to analyze the chance of the risk, the annualized loss expectancy, etc, and then come up with mitigations. Ok, let me give this a shot.
1) DONT GET YOUR AIRGAPPED MACHINE INFECTED
2) probably dont stick it directly adjacent to non-airgapped machines

Sure, great, new comms channel

[OzPeter]

But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.

Re:Sure, great, new comms channel

[GerardAtJob]

I don't know, but one thing is sure, you need to be patient in order to use/exploit this thing... From Article : The time it took them to increase the heat and transmit a “1” varied between three and 20 minutes depending. The time to restore the system to normal temperature and transmit a “0” usually took longer.

Re:Sure, great, new comms channel

[Thanshin]

The time it took them to increase the heat and transmit a 1 varied between three and 20 minute

So, somewhere between Comcast's Standard and High Speed plans.

Re:Sure, great, new comms channel

[gstoddart]

Once you have the PoC ... the rest is just a little social engineering or covert attack.

Knowing it can be done opens a lot of opportunities, and defeats a lot of security.

Re:Sure, great, new comms channel

[pjt33]

Interdiction or USB. NSA has plenty of experience in that side of things.

Re:Sure, great, new comms channel

[fuzzyfuzzyfungus]

But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.

TFA was either unclear or misrepresented: This technique is purely a demonstration of a sneaky covert channel implementation that requires only hardware likely to be present and functioning even on aggressively air-gapped systems. Actually getting the malware in place to use the covert channel is somebody else's problem, so TFA doesn't address it.

Re:Sure, great, new comms channel

[fuzzyfuzzyfungus]

Not quite; you can transfer at full speed for the whole month without being throttled or paying overage fees...

Re:Sure, great, new comms channel

[Lumpy]

No it doesnt defeat any security. It requires both machine to be pre infected to begin with, and the data rate is less than 1 bit per minute.

Re:Sure, great, new comms channel

But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.

Don't know, but theoretically this can be used in a stuxnet style attack.
Say that you manage to infect a networked computer. You then use that one to infect any memory device used to upgrade the offline computer.
With this method you can extract small amounts of data from the offline system without having to rely on the user put a writable device in it that later on will be put into an infected computer.
You could also use it as a remove control. Instead of having the offline computer act at a specific time you can send a trigger signal using heat. The benefit is that it won't behave erratically until you actually send the signal.

Re:Sure, great, new comms channel

[fuzzyfuzzyfungus]

It would be an atrocious choice for exfiltrating most types of data, even a couple of pages of 'sensitive_memo.doc' would take ages; but there are some cryptographic private keys that I'd be more than willing to wait a month or two for...

Re:Sure, great, new comms channel

[ComputerGeek01]

This isn't completely unexpected after seeing the title. "Security Researchers" often take liberties with the idea that a tool chains are comprised of individual components, so there is less of a need to offer a complete solution.

Re:Sure, great, new comms channel

[gstoddart]

So did Stuxnet ... it relied on exploiting removable media in the airgapped machine.

People who want to spy on you can be patient.

It may not have much in the way of bandwidth, but it has the potential to bridge an airgap.

Yes, it's far from perfect, and relies on getting installed in the first place. That doesn't mean it won't cause people in secure facilities a few more ulcers.

Re:Sure, great, new comms channel

[MozeeToby]

Well, by most reports the target computers of Stuxnet were airgapped. There are ways, usually through social engineering.

Drop a particularly neat looking, high capacity (and extremely exploited) flash drive in the parking lot and wait for someone to pick it up. At worst they'll plug it into their open PC looking to see if they can find the owner. At worst they'll put it on their lanyard and start using it day to day, infecting every PC they plug it into. Yeah, airgapped PCs should have their USB disabled, but there are many places that should know better that don't bother. And that's just off the top of my head, a team of 20 brainstorming for a week is going to come up with ideas.

Re:Sure, great, new comms channel

[Anubis+IV]

That's what I was just thinking too. Just spitballing, if it averages out to one hour per two bits (since on average half will be 0s and they said it takes longer to cool back down), then you could exfiltrate a 128-bit key in 64 hours. Even bumping it up for longer keys, it still wouldn't take that long. Well worth it.

That said, the fact that this requires that both machines have already been compromised severely limits the usefulness for this attack. After all, in most cases where you already compromised the target computer, you could have already exfiltrated that key to begin with. And if it's a matter of the computer being locked down so that you can't exfiltrate the data any other way, then what are the odds that a computer sitting 15 inches or less away will be configured any differently?

Re:Sure, great, new comms channel

[gstoddart]

You also need to read up on stuxnet, it' seems you are confused as to what it is.

Or, you're an idiot.

Stuxnet didn't magically cross the airgap, and I never said it did. What it did was find ways to cross that used the humans involved, and the fact they needed to get data onto those systems at some point.

Which means it is a solved problem to cross the air gap by coming at the problem from a different direction.

So saying this won't work because it requires the secure system to be compromised is crap ... because there are already examples of how people do this.

Yes, you have to get the stuff onto the machine in the first place. But it's not like that's never been accomplished.

Re:Sure, great, new comms channel

[StikyPad]

Speak for yourse
NO CARRIER

Re:Sure, great, new comms channel

[azadrozny]

The article says you can steal passwords or "secret keys" (encryption keys?) with eight signals per hour. You could simply leave this behind so that you don't need physical access the next time the key changes.

Re:Sure, great, new comms channel

[Anubis+IV]

But you'd need physical access to the machine 15 inches away, which likely has the same security safeguards in place. It seems like a solution looking for a problem.

Re:Sure, great, new comms channel

[ememisya]

Gravitational waves ;)

Nothing new here

Governments and business have been doing this for centuries, communicating by nothing more than hot air.

Next step - embed it in a chip

[Crookdotter]

With chips being so complicated these days, who audits them all? What's to stop a manufacturer being exploited and this kind of malware being as standard in a lot of silicon? However, if that's the case then a more traditional attack would be warranted - the data rate here is awful.

Bad Title

[The+Raven]

Not hack. They have not infected computers using thermal energy. They just demonstrated slow (very slow) communication between two computers using heat and heat sensors. It uses a tremendous amount of battery power of little to no purpose, since both computers need to already have the software on them... stenography would be a more appropriate communication method (hiding communication in seemingly-innocuous em traffic).

Re:Bad Title

[pjt33]

Stenography is typing. You mean steganography. But even that is missing the point, which is one thing the title does get right: air-gapped. There's not supposed to be any communications channel at all between the two computers, but this technique creates one.

Re:Bad Title

[fuzzyfuzzyfungus]

The proposed use case (probably realistic in a number of offices right now; quite possibly less so now that this paper is written and the word goes out) where somebody with suitably fancy access has one computer for access to the super-secret-special-network, and a separate one for boring email and web stuff; that are supposed to be totally disconnected from one another; but which are likely to be crammed next to each other because our hypothetical paper pusher has limited desk space.

Now that it's known to be a potential problem, mitigation isn't going to be rocket surgery(thermal communication isn't going to work as well even with an extra couple of meters of separation; much less a purpose-built insulated barrier or something); but it is hardly something that would be obvious when arranging somebody's classified desk, even if you have your paranoia hat on.

Re:Bad Title

[The+Raven]

Air gap... like Bluetooth?

I know what the term means, but heat is just another type of EM radiation (infra-red) that doesn't have dedicated communication hardware. The accomplishment is neat, but not useful.

As a counter-example, the paper on reading monitors from their diffuse reflected luminance is actually useful. You get a high-bandwith, air-gapped eavesdropping method. This communication by heat is more likely to be detected (as a problem, not necessarily as communication) than a steganographic (thank you) communication channel using more common EM radiation.

I'm not saying it's not 'neat'. It's just not neat and useful.

Re:Bad Title

[fnj]

Just because you don't want to use it doesn't mean it's not useful to anybody.

Re:Bad Title

[TheCarp]

So basically, this "hack" is likely really a hack on the administrative apparatus of the state in causing justification for certain paper pushers to request larger offices with bigger desks.

They're fishermen, not engineers.

[jpellino]

As evidenced by them calling that gap between the computers 15 inches.

Zalewalski shit

[bluefoxlucid]

This is totally Zalewalski shit.

Re:Zalewalski shit

[healyp]

YES! Watch the blinkenlights.

Wireless technology

[sreever]

So, can I use a space heater to extend the range of this new wireless technology?

An easy fix

[ctrl-alt-canc]

Just install a mains-powered fan between the two computers.

The larger problem is

[Lawrence_Bird]

the air-gapped system must already be infected. So while this is cute and all, on its own it does nothing.

Re:The larger problem is

[gstoddart]

And how did Stuxnet spread?

In some cases, by exploiting removable media.

If you think there's no precedent for getting the infection onto the machine, you're horribly mistaken.

Re:The larger problem is

[Lawrence_Bird]

If you are able to do that you almost certainly have a far simpler attack vector to extract data from the air-gapped machine. Think about your case: a usb stick. If it can carry in then it can also carry out and is not dependent upon precise proximity of the air and non-gapped computers.

Or...

[AndyKron]

Or you could just go in with lots of guys with guns, take the computers, and dump the bodies at sea.

Finally, malware that gives computers a fever.

[Ihlosi]

Now all those viruses can finally give your computer proper disease symptoms.

communication with thermal wavelenght of em spec?

[Kekke]

Now, i seem to be missing something here...
Please enlighten Me, how this is news ?
C'mon ffs, Stalin was spied this way from 50-70 meters using Ir produced by His windows (the Idiot was always yelling) (200ft for those of you who don't buy Royale with cheese).

Sneakernet would be just as vulnerable

[Applehu+Akbar]

If your server were air-gapped so totally that all transfers to and from it had to be with a human, malware could just as easily be transmitted by flash drive.

Re:Sneakernet would be just as vulnerable

[Zeroko]

If they use a flash drive with a (properly-implemented) hardware write protect switch, it might only allow one-way transfer, so this is still potentially useful as the return channel.

Communication methods

[MagickalMyst]

Wow! We have hardwire, ethernet, wifi, bluetooth, infrared, optical.... now heat to transfer data.

I guess the only thing missing is smell data transfer and smoke signals.

Maybe a good kickstarter project...

Re:Communication methods

[burtosis]

Personally I'm suprised no one has trained mice to ferry in USB drives to a secured area and plug them in somewhere.

Re:Communication methods

[Zappy]

You missed audio/sound

Re:Communication methods

[DocSavage64109]

People can't even reliably plug USB drives in.

Re:Communication methods

[gstoddart]

Bah, you have a 50/50 chance ... send two mice.

Re:Communication methods

[healyp]

USB Type-C should fix this, for the mice and the people.

Re:SLOW....

[fuzzyfuzzyfungus]

It is slower than a lizard in a blizzard; but the advantage is that it uses the thermal sensors that PCs include for ACPI thermal management/fan speed control/etc. not any of the hardware that is explicitly for communication(ethernet, wifi, IRDA, BT, etc. and thus almost certain to be stripped out/disabled) or that isn't for networking; but is a fairly obvious threat(speaker and mic, laptop ambient light sensors for backlight control, that sort of thing); so it is fairly likely that even computers prepared by the relatively paranoid for use on highly sensitive networks will still have the necessary sensors(and any computer will be unable to avoid having the necessary software-controlled thermal source, barring the development of 100% efficient CPUs).

Old hat

[Lew+Perin]

Like most recent technical advances, this is merely a corollary of pre-existing xkcd research.

Re:SLOW....

[DocSavage64109]

In addition to all that, both machines have to be essentially idle, so the heat differences can even be noticed.

What is ...

[PPH]

... the signal to noise ratio in an office full of coffee cups?

Re:SLOW....

[Zeroko]

You do not necessarily need a more efficient CPU to block this. Less efficient would also do—just make every operation consume as much power as the worst.

Norton Coffee

[ip_freely_2000]

Protect against this hack by placing a hot coffee beside your computer. Only $69.99 per cup of coffee.

Re:Norton Coffee

[bigtrike]

And far more if you want MILSPEC coffee which has been rigorously tested to withstand an atomic blast 3 miles away.

Any wave'll do

[ememisya]

Heat, light, ... whether electromagnetic or mechanical, you got waves, we'll talk.

What's next - "Computer hacked over power line"?

[mmell]

Of course, it requires the computer to be compromised first . . . but once compromised it can turn lights on and off all over your house!

"Air gap" shouldn't be taken literally

[davidwr]

In security terms, "air gap" should be taken to mean "direct communications gap".

If two machines an "talk" to each other without involving a human or a third-party computer* to do your dirty work for you.

--
*If the third-party computer is being used "in real time" it doesn't count as a "direct communications gap." However, if the computer hijacks the local router in the stand-alone network so that the next time it is hooked to an external network, it does bad things on behalf of the evil computer, that would be an example of "jumping the direct communications gap".

Hack the planet

[skovnymfe]

Hack the planet! With heat! Wait a minute...

Hacking and destroying air gapped computers

[fabioalcor]

Using heat. Lots of it. I'd call it "fire".

15 inches apart

[bug1]

If you have to get the computer that close to the machine you want to hack, then you could just drop by occasionaly and connect a cable/wifi to it and do a data dump.

Cooperative use

[vandamme]

Replace your wifi. Right??