Slashdot Mirror


Hack Air-Gapped Computers Using Heat

An anonymous reader writes Ben-Gurion University of the Negev (BGU) researchers have discovered a new method to breach air-gapped computer systems called "BitWhisper," which enables two-way communications between adjacent, unconnected PC computers using heat. BitWhisper bridges the air-gap between the two computers, approximately 15 inches apart, that are infected with malware by using their heat emissions and built-in thermal sensors to communicate. It establishes a covert, bi-directional channel by emitting heat from one PC to the other in a controlled manner. Also at Wired.

28 of 123 comments

  1. Skynet foiled by ceiling fan by Crashmarik · · Score: 5, Funny

    Film at 11:00

  2. goddamnit!!! by Anonymous Coward · · Score: 5, Informative

    they didn't "hack" the machine using heat!

    they gained control of both machines ahead of time, and THEN used heat (etc) to exfil data.

    they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack".

    1. Re:goddamnit!!! by Lumpy · · Score: 5, Informative

      Just like the "hack using computer speakers" just install this malware first...

      It's an interesting out of band communications process, a very very VERY slow one... but still interesting.

      --
      Do not look at laser with remaining good eye.
    2. Re:goddamnit!!! by bondsbw · · Score: 2

      This technique re-establishes communication which provides a mechanism for a malicious user to regain control. It could be used to load new malicious software, download sensitive data, and establish a proxy into other disconnected internal systems.

      So I fail to care about which term is used, it is a security breach and one of the worst kind... the kind where you think you're completely safe, but you still aren't.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    3. Re:goddamnit!!! by Sique · · Score: 3, Informative

      They used heat as an attack vector by creating a covert channel. It is not an attack vector to gain access, it's an attack vector to siphon data.

      --
      .sig: Sique *sigh*
    4. Re:goddamnit!!! by LordLimecat · · Score: 3, Insightful

      So I fail to care about which term is used, it is a security breach and one of the worst kind

      Except it will only work in the most esoteric scenarios with laboratory conditions, sure. 2 PCs, with side-vent cooling and no cold aisle, and a distance of 15 inches?

      Somehow I don't think this will threaten air-gapped secure networks. Those are going to have steady cold air coming in the front, and exhausting out the back; if they're dumping significant heat through the side of the cases you're doing it wrong.

    5. Re:goddamnit!!! by Wrath0fb0b · · Score: 2

      they didn't "hack" the machine using heat!

      they gained control of both machines ahead of time, and THEN used heat (etc) to exfil data.

      they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack".

      I'm afraid you don't understand the meaning of the word "hack" in this context. It does not always mean "gain control/privileges on a computer system in excess of your authorization". In this context, it means "defeat a method used to guarantee a particular security property".

      Property: No control/data flow shall pass from the outside world into this computer
      Method: Air-gapping that computer
      Hack: Defeating that property and passing data between the machines

      Let me give you another example.

      Property: Computers in different classrooms shall not be able to talk directly to each other despite being on the same physical network
      Method: Assign each classroom a VLAN and enforce that at the switch
      Hack: By Double tagging certain ethernet frames you can defeat the property.

      Now you are going to sperg because no one gained control of anything (even the switch). But of course it's still a hack -- you have shown that the switch + VLAN configuration is not capable (in its current configuration) of providing that guaranteed property of non-communication between VLANs. In some sense this is actually a more elegant hack than taking control of the switch for obvious reasons.

      TL;DR Version: "Hack" means to gain advantage or defeat a security property. Sometimes that involves traditional exploits/privilege escalation, other times it involves other methods.

    6. Re:goddamnit!!! by wonkey_monkey · · Score: 4, Insightful

      If anything, then, I'd say they've hacked the air gap, not the computers.

      --
      systemd is Roko's Basilisk.
    7. Re:goddamnit!!! by BradleyUffner · · Score: 2

      Which step is it that installs the customized thermal sensors?

      Step 2: Drop some customized thermal sensors.

    8. Re:goddamnit!!! by Anonymous Coward · · Score: 2, Insightful

      Exploits only ever get better. That's threat analysis 101. And you've provided no evidence or analysis why your supposed mitigations are an insurmountable defense; at best they're only a stop-gap.

      This is a proof of concept. And a pretty cool proof of concept. The idea of using a side channel like this isn't that novel (RSA key cracks via CPU acoustics was shown years ago), but just think of all the little problems you'd have to solve to execute the concept. It's pretty awesome work.

    9. Re:goddamnit!!! by bondsbw · · Score: 2

      Wow, please pay attention.

      read:

      I never stated that no other security breach already existed, but that a new one is being added.

      Consider this scenario: government systems, one computer is internet facing, the other computer is completely isolated. Joe Badguy installs each computer before they are put into real use, and adds the exploit to each. The government beefs up physical security, then enables the internal system confident that data added to it cannot leave. But sometime later, Joe Badguy connects to the internet facing computer, then extracts new data from the isolated computer via the exploit.

      Maybe now you understand the difference between real security, which can exist in layers and multiple forms simultaneously, and simplistic considerations like BOs.

      mov eax, $phantomfive_understands
      cmp eax, 0x1
      jne read

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    10. Re:goddamnit!!! by LordLimecat · · Score: 2

      And you've provided no evidence or analysis why your supposed mitigations are an insurmountable defense; at best they're only a stop-gap.

      In THEORY breaking most encryption is just guessing the right 2048-bit code. At best, increasing the length from 1024 to 2048 is just a stopgap.

      In reality, some attacks are so esoteric and hard to pull off (famous example: hard drive magnetic domain remnant detection) that they are not a real-world threat. MAYBE they could adapt this, but it already requires
      A) a machine connected to the internet that is compromised (!)
      B) an AIR-GAPPED, high-security machine directly adjacent to it (!!!)
      C) That that air-gapped machine be compromised as well (!!!!!)
      D) Sensors in both machines sensitive enough to detect incredibly minor fluctuations in temperature (given that a steady stream of air will be flowing through)

      The proper security procedure is to analyze the chance of the risk, the annualized loss expectancy, etc, and then come up with mitigations. Ok, let me give this a shot.
      1) DON'T GET YOUR AIRGAPPED MACHINE INFECTED
      2) probably don't stick it directly adjacent to non-airgapped machines

  3. Sure, great, new comms channel by OzPeter · · Score: 4, Interesting

    But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:Sure, great, new comms channel by GerardAtJob · · Score: 2

      I don't know, but one thing is sure, you need to be patient in order to use/exploit this thing... From the article: The time it took them to increase the heat and transmit a “1” varied between three and 20 minutes depending. The time to restore the system to normal temperature and transmit a “0” usually took longer.

      --
      I can't call that English ;-)
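The signalling this comment quotes (a sustained heat rise of 3 to 20 minutes for a "1", a return to normal temperature for a "0") is also what a defender could watch for in the receiving machine's own sensor log. The following is an added example, not code from the article or the BGU researchers: it collapses a constructed per-minute CPU temperature log into hot/cool plateaus, decodes the bit string that plateau pattern would carry, and flags repeated well-formed pulses. The 8 C threshold above the median and the "plateau = bit" interpretation are assumptions.

```python
"""Flag BitWhisper-style thermal signalling in a temperature log (added example)."""
from statistics import median

# Constructed CPU temperature log in C, one sample per minute (list index = minute).
SAMPLE_LOG = (
    [40, 41, 40, 40, 41, 40]             # idle baseline
    + [49, 52, 53, 53, 52, 53, 52]       # heated for 7 min -> "1" (assumed encoding)
    + [44, 41, 40, 40, 40, 40, 40, 40]   # cools and rests 8 min -> "0"
    + [50, 53, 53, 53, 52]               # 5 min hot -> "1"
    + [43, 41, 40, 40, 40, 40, 41]       # 7 min cool -> "0"
    + [51, 53, 52, 53, 53, 53]           # 6 min hot -> "1"
    + [42, 40, 40, 40]                   # trailing cool-down
)


def runs(temps, delta=8.0):
    """Collapse samples into (is_hot, minutes) runs; hot means >= median + delta."""
    baseline = median(temps)
    out = []
    for t in temps:
        hot = t >= baseline + delta
        if out and out[-1][0] == hot:
            out[-1] = (hot, out[-1][1] + 1)
        else:
            out.append((hot, 1))
    return baseline, out


def decode(temps, min_hot=3, max_hot=20, min_cool=3):
    """Return the bit string implied by the plateaus, or '' when they don't fit the shape."""
    _, r = runs(temps)
    hot_idx = [i for i, (hot, _) in enumerate(r) if hot]
    if not hot_idx:
        return ""
    bits = []
    # Only the stretch from the first to the last hot plateau can carry symbols.
    for hot, length in r[hot_idx[0]:hot_idx[-1] + 1]:
        if hot and min_hot <= length <= max_hot:
            bits.append("1")
        elif not hot and length >= min_cool:
            bits.append("0")
        else:
            return ""  # e.g. one long hot period: ordinary heavy workload, not pulses
    return "".join(bits)


def is_suspicious(temps, min_ones=2):
    """Defender's rule: two or more well-formed heat pulses in a row is worth an alert."""
    return decode(temps).count("1") >= min_ones
```

A real deployment would read the same sensors the malware uses (lm-sensors, IPMI, or vendor telemetry) and correlate the pulses across the two adjacent hosts.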
    2. Re:Sure, great, new comms channel by Thanshin · · Score: 5, Funny

      The time it took them to increase the heat and transmit a 1 varied between three and 20 minutes

      So, somewhere between Comcast's Standard and High Speed plans.

    3. Re:Sure, great, new comms channel by fuzzyfuzzyfungus · · Score: 2

      But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.

      TFA was either unclear or misrepresented: This technique is purely a demonstration of a sneaky covert channel implementation that requires only hardware likely to be present and functioning even on aggressively air-gapped systems. Actually getting the malware in place to use the covert channel is somebody else's problem, so TFA doesn't address it.

    4. Re:Sure, great, new comms channel by fuzzyfuzzyfungus · · Score: 4, Funny

      Not quite; you can transfer at full speed for the whole month without being throttled or paying overage fees...

    5. Re:Sure, great, new comms channel by Lumpy · · Score: 2

      No it doesn't defeat any security. It requires both machines to be pre-infected to begin with, and the data rate is less than 1 bit per minute.

      --
      Do not look at laser with remaining good eye.
    6. Re:Sure, great, new comms channel by fuzzyfuzzyfungus · · Score: 2

      It would be an atrocious choice for exfiltrating most types of data, even a couple of pages of 'sensitive_memo.doc' would take ages; but there are some cryptographic private keys that I'd be more than willing to wait a month or two for...

    7. Re:Sure, great, new comms channel by StikyPad · · Score: 2, Funny

      Speak for yourse
      NO CARRIER

  4. Nothing new here by Anonymous Coward · · Score: 3, Funny

    Governments and business have been doing this for centuries, communicating by nothing more than hot air.

  5. Next step - embed it in a chip by Crookdotter · · Score: 2

    With chips being so complicated these days, who audits them all? What's to stop a manufacturer being exploited and this kind of malware being as standard in a lot of silicon? However, if that's the case then a more traditional attack would be warranted - the data rate here is awful.

  6. Zalewalski shit by bluefoxlucid · · Score: 2

    This is totally Zalewalski shit.

  7. Wireless technology by sreever · · Score: 2

    So, can I use a space heater to extend the range of this new wireless technology?

  8. Re:Bad Title by pjt33 · · Score: 2

    Stenography is typing. You mean steganography. But even that is missing the point, which is one thing the title does get right: air-gapped. There's not supposed to be any communications channel at all between the two computers, but this technique creates one.

  9. Finally, malware that gives computers a fever. by Ihlosi · · Score: 5, Funny

    Now all those viruses can finally give your computer proper disease symptoms.

  10. Re:The larger problem is by gstoddart · · Score: 4, Insightful

    And how did Stuxnet spread?

    In some cases, by exploiting removable media.

    If you think there's no precedent for getting the infection onto the machine, you're horribly mistaken.

    --
    Lost at C:>. Found at C.
  11. Re:Nonsense by gnupun · · Score: 2

    Is it TCP/IP over hot air? If so, who installed the server software on the air-gapped PC?