Malware Can Use Fan Noise To Steal Data From Air-Gapped Systems

Reader Orome1 writes: For the last few years, researchers from Ben-Gurion University of the Negev have been testing up new ways to exfiltrate data from air-gapped computers: via mobile phones, using radio frequencies ("AirHopper"); using heat ("BitWhisper"), using rogue software ("GSMem") that modulates and transmits electromagnetic signals at cellular frequencies. The latest version of the data-exfiltration attack against air-gapped computers involves the machine's fans. Dubbed "Fansmitter," the attack can come handy when the computer does not have speakers, and so attackers can't use acoustic channels to get the info.An anonymous reader adds:Malicious applications use the noise emanated by a computer fan's speed to relay information to a nearby recording device and steal data from air-gapped, isolated systems. The attack relies on selecting a fan speed to represent binary "1" and another for binary "0". A specially crafted malware can alter the CPU, GPU or chassis fan speed between these two frequencies and provide a method to relay data from infected systems. Attackers can then place microphones or smartphones to record the sound coming from the infected machine and steal the data. The attack works for distances of one to four meters, and operates in the 100-600 Hz frequency that can be picked up by the human year. Choosing smaller fan speeds or fan speeds that are closer together can make the attack harder to pick up by a human, but also makes it susceptible to background noise.

Impressive but useful?

[DougOtto]

Pretty neat idea but in every air-gapped environment I've worked in, getting the cellphone or recording device in would be the more difficult portion of this exercise.

Re:Impressive but useful?

[geekmux]

Pretty neat idea but in every air-gapped environment I've worked in, getting the cellphone or recording device in would be the more difficult portion of this exercise.

Uh, hardly.

SCIF designs do not usually employ metal detectors at the door to detect for malicious electronics before they get close enough, nor is it standard practice to wrap the walls in a Faraday cage.

Let's be honest, the only thing making this "difficult" is the paper (policy) that prevents it, hence the rather massive focus on insider threat risk mitigation these days, which in the post-Snowden era presents no shock or surprise.

Re:Impressive but useful?

[Flavianoep]

This study makes all the precautions put in place around those air-locked computers seem less of paranoia.

Re:Impressive but useful?

[evolutionary]

Not useful yet...but...like most things, given enough refinement. Specific patterns in change can be mapped to data once replicated. Many things we use today to store and transmit data were mere "noise" and random disturbances many years ago. Now we send petrabytes of data with those same distortions.

Re:Impressive but useful?

[GargamelSpaceman]

Yeah, 100-600 hz means we aren't talking about any great amount of data at a time. It seems opening documents in front of a video camera would capture as much text as or more quickly.

Re:Impressive but useful?

[The-Ixian]

Let's be honest, the only thing making this "difficult" is the paper (policy) that prevents it

That... and the fact that you need to get the malware onto the air gapped system.

Which, as previously noted, really makes this an insider attack vector and not a remote exploit.

There are probably easier ways for an insider to infiltrate information.

Re:Impressive but useful?

[rnturn]

Yeah, 100-600 hz means we aren't talking about any great amount of data at a time.

Pretty much the first thing I thought of. What baud rate would be possible using this? It couldn't be very high. Each 0-to-1 and 1-to-0 transition would have to wait for the fan speed to stabilize and that would take a variable amount of time depending on the fan size.

Interesting concept in the lab but would this really work in a real life situation? Many work environments have all sorts of ambient noise that might interfere with being able to detect the computer's fan noise.

Re:Impressive but useful?

[funwithBSD]

It might be able to play the original Legend of Zelda theme....

Re:Impressive but useful?

This is assuming they did not exploit the pulse width modulation to inject higher frequencies into the motors that have little affect on fan speed. Stuff 18 or more bits between the 100-600hz beat of the motor and you have a few khz more bandwidth and built in start-stop bits.

Re: Impressive but useful?

Like Indiana Jones in the movie Firewall, who uses a scanner and an iPod to steal bank account data.

Of course it requires physical access to the data center and a situation where all the bank data is displayed on monitors as it's being exported, but that probably happens quite often.

Re:Impressive but useful?

Some SCIF have started putting devices looking for bluetooth and wireless devices. As you pass by them the detecting device will go off. And yes the use of warping the walls as a Faraday cage have been in practice for years now..As so other things are in place to make sure things are not transferred out wireless.
Noticed that most secrets have all been sneaker net out..

Re:Impressive but useful?

There are probably easier ways for an insider to infiltrate information.

As there are other ways to cool your system. Go liquid.

Re:Impressive but useful?

[JustAnotherOldGuy]

Bingo.

I think this is one of those theoretical possibilities that could conceivably work under very tightly controlled conditions, but would never actually work in the real world.

Re:Impressive but useful?

[davester666]

and, at least to me, since the fan is audible, I would expect that I would notice the fan operating in a non-standard way [not going off, but varying between two speeds continuously, regardless of what is actually happening on the computer].

Re: Impressive but useful?

[ememisya]

Nah man, you just remember it by ear. Go home and write down all the 1s and 0s.

Re: Impressive but useful?

Pulse width modulation is when you use a rapid on off switching of a high frequency system to produce a varying amplitude on a much lower frequency system, thus I don't think it's very useful in this case. If anything it would diminish the effective baud rate significantly.
Frequently modulation is probably what you meant, which could be done if the fans could change speed quickly enough and the recording device was sensitive enough to pick up these rapid changes.

Useless...

Quote: "The attack works for distances of one to four meters..."

If you can get so close to the machine, then there are better ways of getting data off it.

Re:Useless...

From TFA: "A specially crafted malware can alter the CPU, GPU or chassis fan speed between these two frequencies and provide a method to relay data from infected systems. "

So, first, you have to get the malware on the target computer. If you can do that, there are better, easier ways to get information off of it.

Re:Useless...

[tsqr]

Quote: "The attack works for distances of one to four meters..."

If you can get so close to the machine, then there are better ways of getting data off it.

Maybe, but in a lot of cases there aren't. Every air-gapped computer I've ever used at work has been in a secure physical environment where electronic devices capable of recording or storing anything or connecting to any kind of network are strictly prohibited. The security folks even nixed a digital clock because it had WiFi for time sync. And the computers themselves had no working external mass storage capability, network ports, or optical drives. Computer cases have anti-tamper seals on them, and access to the room requires a badge swipe that timestamps your entry. You can lose your job for having a phone in your pocket, and if you were actually caught trying to take information out of the room in anything other than your brain, you would likely be prosecuted.

Frankly, I have trouble imagining how the malware could end up on one of these computers in the first place.

Re:Useless...

The computer is air-gapped. You'd need physical access to get any data off of it. For future data, you'd need another instance of such physical access. This is "install-once, retrieve forever" model. The listener can be hidden in a trashcan nearby and can store e.g. 30-days worth of data. Now you only need physical access to the trashcan instead of the compromised machine.

Re:Useless...

Until the cleaning people throw it out the evening after it was installed.

Re:Useless...

Quote: "The attack works for distances of one to four meters..."

If you can get so close to the machine, then there are better ways of getting data off it.

Maybe, but in a lot of cases there aren't. Every air-gapped computer I've ever used at work has been in a secure physical environment where electronic devices capable of recording or storing anything or connecting to any kind of network are strictly prohibited. The security folks even nixed a digital clock because it had WiFi for time sync. And the computers themselves had no working external mass storage capability, network ports, or optical drives. Computer cases have anti-tamper seals on them, and access to the room requires a badge swipe that timestamps your entry. You can lose your job for having a phone in your pocket, and if you were actually caught trying to take information out of the room in anything other than your brain, you would likely be prosecuted.

Frankly, I have trouble imagining how the malware could end up on one of these computers in the first place.

This has been my experience in environments where air-gapped computers are deployed. Access to the room is monitored via card access reader on the way in and out. Random security patrol by facility security asking you to empty pockets and no bags or cases of any kind may be carried into the secure room without prior wtitten approval and then only in a specially-sealed container inspected at the security checkpoint and you are escorted to the secure room in some organisations or facilities.

Re:Useless...

At some point those computers were attached to something that gave them the software they are running now. Attacking that point has already been used successfully in the wild. In fact, they can attack the hardware before it is even delivered (again, this has been done in the wild already.) So delivering the malware to any PC is possible. It would likely need to be a targeted attack though which will exclude most systems no one really cares about.

After that it's just a matter of social engineering and gaining access to a badge (stealing one, tricking someone into swiping the thief in, copying the badge and returning the original or fake, etc.)

TLDR; It's possible and its been done before.

Re:Useless...

Your assumption is that the facility security guys are trustworthy. What if the security guy got offered 10 million dollars and a new identity in South America to plug this USB stick into said computer for a 15 second period? Or the pair of them, if they do their rounds in pairs.
I know..USB storage is disabled on a lot of high security computers, but a lot of computers now don't have PS/2 for keyboard/mouse, so they have to be USB; so, a USB stick that appears to the bus as a keyboard, and literally types in the code for the malware.

Re:Useless...

[chipschap]

if you were actually caught trying to take information out of the room in anything other than your brain, you would likely be prosecuted.

Unless you're Hillary.

Re:Useless...

Security, even armed, is making what? $40-60k/year? $10m is way too much to bribe one of these guys. any of them would cave for $1m, but there's a good chance you could find someone to do it for $100-200k. If you find someone with a drug or gambling problem, you may even get as low as $10-20k. Anything under that and you're risking a careless idiot getting caught and people finding out about your malware.

Everyone has a price, but it's important to bid on the right people to keep the costs manageable.

Re:Useless...

[tsqr]

if you were actually caught trying to take information out of the room in anything other than your brain, you would likely be prosecuted.

Unless you're Hillary.

Probably true, but highly speculative; as far as I can tell, she never bothered to use a secure computer or network in the first place.

Re:Useless...

[operagost]

It rather involved being on the other side of this airtight hatchway.

Not news

This is one of many of this type of attack which just uses some analogue channel to broadcast data hopefully out-of-earshot from the system users.

Truly interesting would be if it analyzes the usage patterns of a normal, unhacked fan to determine something about CPU activity.

Re:Not news

Yes, this is very old tech. I attended a computer security talk in the 80's that described the same method by altering the jitter of a line printer. I suppose this is a bit more subtle, but is still an inside attack.

A rather slow data rate

They achieved a speed of 15 bits per minute, so a long time is needed for an attack

Re:A rather slow data rate

[Yvan256]

Assuming the attack goes undetected and only targets the administrator login/password, not much time will be needed for an attack.

Re:A rather slow data rate

Assuming the attack goes undetected and only targets the administrator login/password, not much time will be needed for an attack.

And what does that gain the hacker? They would need physical access to the machine to use that login/password (since it's airgapped), at which point most security is pointless anyway.

Re:A rather slow data rate

Well, it worked on Mission Impossible, with nothing more complex than a rope and an air vent, so surely that's exactly how it happens in real life!!!

Re:A rather slow data rate

[SeaFox]

That's okay. As the summary says, the attack "can be picked up by the human year", and even at that data rate they should get some juicy stuff over 12 months of transmitting.

Re:A rather slow data rate

They should be able to do a lot faster. My gaming PC (Intel 8 core, with a transparent case) used to seem to play music through the cooling fans. I could actually recognise the tunes as something I had heard before.

Re:A rather slow data rate

[cyberchondriac]

I was going to ask, just how fast can you modulate a fan motor? This seems more of a proof of concept but pretty useless in the real world.

Re:A rather slow data rate

I think they meant "ear" but this may be a technically correct grammar error

That's it, I'm switching to typewriters

[davidwr]

Oh wait, nevermind.

Anyone got some chalk and slate?

Captcha: laughs

Re:That's it, I'm switching to typewriters

Nope. Malware can capture data from typewriters, too.

We're doomed!

human year

of course for a dog this hack doesn't work

Re:human year

No, it works seven times faster.

All your data are belongs to us...

your favorite 3-letter agency

Re:All your data are belongs to us...

[geekmux]

your favorite 3-letter agency

Air-gapped systems are usually justified in order to protect the information that said "3-letter agency" wishes to keep secure.

Let's not confuse civilian monitoring with government systems, since your average social media addict doesn't even understand the concept of a gapped system.

Re:All your data are belongs to us...

These days there seems to be no such thing as a gapped system. So far I've heard of... Using the RFI/EMI of keyboards and/or displays to spy, using built-in speakers/microphones for ultrasonic networking, new hardware being intercepted in transit having govt spyware/hardware installed before the customer gets it, USB devices including cables, picture frames, chargers, dongles having spyware/malware, etc. The only way to be sure is by not turning it on.

Re:All your data are belongs to us...

[geekmux]

These days there seems to be no such thing as a gapped system. So far I've heard of... Using the RFI/EMI of keyboards and/or displays to spy, using built-in speakers/microphones for ultrasonic networking, new hardware being intercepted in transit having govt spyware/hardware installed before the customer gets it, USB devices including cables, picture frames, chargers, dongles having spyware/malware, etc. The only way to be sure is by not turning it on.

There are plenty of ways to mitigate the risks today.

20 years ago I was lugging around PC chassis and monitors that weighed in excess of 50 pounds. Because the damn thing was wrapped in a TEMPEST-certified case. Quite literally lead-lined. Excess crap like speakers and microphones are unnecessary in 99.999% of air-gapped environments.

This, along with getting back to using traditional wired connections for shit like keyboards, would tend to mitigate a lot of the risk we face today. COTS adaptation was perhaps the worst thing we could have done when it comes to air-gapped environments.

Re:All your data are belongs to us...

Using the RFI/EMI of keyboards and/or displays

That's like at least fifty years old and I think I've even seen it in movies.

What is the bandwidth?

[jacekm]

The bandwidth must be miserable. The inertia of the fan is such that we are talking single maybe dozes bits per second. Possibly enough to transmit password recorded by the malware but nowhere near the speed to transmit megabytes of data in a reasonable time.

Re:What is the bandwidth?

[jandersen]

Didn't I hear "15 bits per minute" somewhere? You could transmit it faster by drum signal; it is probably more like smoke-sginals.

Re:What is the bandwidth?

[AHuxley]

Enough to get the users name, pw, search terms, full project name out.
A lot of complex work starts the day with a log in and an internal keyword search, folder names, database location.
Not every cleared staff member is typing in a book chapter of data as part of their normal work load.

liquid coolers prevent this

and you people told me it would be pointless!

take THAT

"can be picked up by the human year"

eh?

Checks calendar...

[no1nose]

Is it April 1st again?

Concern?

Don't all these methods rely on the fact that the target machine is already compromised? i.e. to spin the fan at determined speeds to transmit data.

i feel like some are missing a point

I see so many comments stating that this is useless. but what see, is the reality of how something seemingly harmless can be used as a weakness. doesn't matter how practical this is.. the fact is it works... where are your imaginations? :)

Re:i feel like some are missing a point

It's useless because the air-gapped (target) machine would need to be infected. If getting the data out by such means is so slow/tough how do you expect to get the malware in?

Re:i feel like some are missing a point

Because a system with disabled USB mass storage, a DVD ROM drive, and no network connection, would be ignored by most IT/security people as not having a data ex filtration risk. It can get data onto it, but not off, so the security people would probably think "Even if someone gets malware onto it, it can't send data off it, because there's no way to do it. They can't even burn a DVD."

Getting the malware on it would probably be easier than getting data off it in some mass storage kind of way.

Re:i feel like some are missing a point

how do you expect to get the malware in?

BIOS, OS, BSP, HAL, ASP, hardware driver/anything that runs in ring0

Re:i feel like some are missing a point

[gzuckier]

Because a system with disabled USB mass storage, a DVD ROM drive, and no network connection, would be ignored by most IT/security people as not having a data ex filtration risk. It can get data onto it, but not off, so the security people would probably think "Even if someone gets malware onto it, it can't send data off it, because there's no way to do it. They can't even burn a DVD."

Getting the malware on it would probably be easier than getting data off it in some mass storage kind of way.

our data warehouse is very secure. tons of data gong in but nobody can get anything out of it no matter how hard we try.

could just do same with thermal imaging

Heck, how about making an array of hard drives access in a special patterns and listening for the noise. You could even do QAM constellation, or probably even fancier encoding.

porcodio

900 bit/h.... I am so scared, especially since I do not use PWMs fan but fixed rotation fans instead....

Re: porcodio

PWM is a motherboard feature and doesn't require special fans.
It does require that they at plugged into the board and not just directly to the PSU so you might be okay.

So you have to already have malware?

Sounds like this is only useful if the computer is already compromised and has this special "fan-signal" malware on it.
If you've already got malware on your isolated system, it sounds like you've already got other problems.

Re:So you have to already have malware?

[gzuckier]

Sounds like this is only useful if the computer is already compromised and has this special "fan-signal" malware on it. If you've already got malware on your isolated system, it sounds like you've already got other problems.

yeah; the secure system has to be infected with the malware, and you have to be close enough to it to pick up the sound of the fan very precisely and decode it. if you're going to all that trouble, might as well have the infected system just read the damn data out to you over the speaker.

Nothing New

[twmcneil]

In the early 1980's one of my neighbors, a Honeywell employee, warned me that people could tell what I was printing out on my daisy-wheel printer just by listening through my open window. Apparently, each character of the Diablo 630 printer made a unique noise when struck.

As I was only printing teaching instructions for using the accounting software I trained users on, I thanked him kindly for the warning and carried on.

Re:Nothing New

I think he was telling you to keep the damn noise down and shut your windows!

Re:Nothing New

[gzuckier]

In the early 1980's one of my neighbors, a Honeywell employee, warned me that people could tell what I was printing out on my daisy-wheel printer just by listening through my open window. Apparently, each character of the Diablo 630 printer made a unique noise when struck. As I was only printing teaching instructions for using the accounting software I trained users on, I thanked him kindly for the warning and carried on.

and the other direction; people would write music which was strings of ascii characters which would be played by printing them through a printer, given that the pitch of the printer whine would vary with what was printing.

Go ahead, try it

[cdrudge]

Just thinking of all the computer devices that I have at home:
2 laptops: fans are so quiet you'd have to have the microphone next to the vent to hear it
cellphones and tablets: no fans
server: If you can hear the two cpu fans over the 9 jet engine fans for the power supplies and disk arrays running at full speed 100% of the time, you can have my data.
computer 1: passively cooled
computer 2: Just has a large pretty silent 12V constant speed CPU fan

Stealing data through fan noise?

Sounds like a load of hot air to me

USB fans - not only for the light show

[Idisagree]

Put up a couple of USB fans around your computer to keep you cool and to confuse the enemy.

Summary misleading /shock /.

[argStyopa]

To suggest that malware can use fans to 'steal' data would imply that the data is being taken FROM an airgapped system by something outside it.

In fact, what it's talking about is that malware installed on an airgapped system can use the fan system to COMMUNICATE data across an air gap. Still interesting, but a little more honest about what's going on.

Re:Trump 2016

To preface, I am not supporting any candidate this time around. I know people that support both sides and to be honest none of my friends that support Trump are hate filled. In my opinion they are clinging to him as sort of a desperation from hating Obama, latching onto "Making America Great Again" slogan, and only see his crass comments as collateral damage.

A variation on 70s spy techniques

[WillAffleckUW]

This is why even the air ducts are baffled in secure TEMPEST facilities

But the main vector they always use, always, is people via social engineering.

God, people are gullible

Humans!

[TechyImmigrant]

Air gapping machines is not effective.

Why? Because as soon as you air gap a machine, you need humans to ferry the data back and forth.
Now humans can exploited to be the exflitration path.

If you had a wire, you could control the protocol on the wire, put in overlapping constraints on traffic on the wire, and keep the humans out of the room.

Re:Humans!

[gzuckier]

Air gapping machines is not effective.

Why? Because as soon as you air gap a machine, you need humans to ferry the data back and forth. Now humans can exploited to be the exflitration path.

If you had a wire, you could control the protocol on the wire, put in overlapping constraints on traffic on the wire, and keep the humans out of the room.

no; you train capuchin monkeys to ferry the data.

Really?

[Rudisaurus]

Or, you know, they could use the hard drive LED to blink out the information they want to extract in Morse code with the cell phone camera set to record the transmitted data. I mean, holy crap, at some point this all becomes a little ridiculous.

Re:Really?

Or, you know, they could use the hard drive LED to blink out the information they want to extract in Morse code with the cell phone camera set to record the transmitted data. I mean, holy crap, at some point this all becomes a little ridiculous.

That would be when you start to look for patterns of neutrino absorption and/or gravitational wave modulation.

Re:Really?

[oldcarsmell]

I'm never against people trying new things. People doing ridiculous things sometimes end up being the inventors of something revolutionary. And at any rate, the more we can test and catalog how things work, the more clear of an idea we have of a concept.

Isn't this trivial?

[Khashishi]

Isn't this trivial? Speed up fan for 1. Slow down for 0. Not only trivial, but poorly performing, because of the fan's inertia. Why not use the motherboard beep instead?

Yeah...

$5 says they turned off the A/C to test.

Liquid Cooling

Anyone?

So much for reliable data...

Disable Cool'n'Quiet or Fan Control or connect them directly to the power supply or a common power line and let them spin at a fixed speed all the time :v

"We got all the data of the server through this method, look: "1111111111111111111111111111111111111111111111111111111111111111111..."

Easy solution

[JustAnotherOldGuy]

I solved this by just removing the fan from my computer, and I r$7mend* th(sssss solu#on fssst - jfha^fk lif4gkmv6n-3g ssssssssss

Isn't this just a 1-way communication though?

[shoor]

If I'm reading this right (no I didn't RTFA) the malware can send out info. But it doesn't know if the info is being picked up or not. It can't answer questions from it's masters or anything like that.

So, I won't say it has no uses for spies, but it's kind of limited.

Typo

"[...] that can be picked up by the human year."
I think they meant ear?

Re:Typo

[gzuckier]

"[...] that can be picked up by the human year." I think they meant ear?

yuge mistake.

easy fix

[gzuckier]

run all the machines in a vacuum.

Re:Trump 2016

[gzuckier]

Xenophobes have destroyed the UK. Scotland will leave to join the EU. We're not going to let our hate-fueled Trump supporters do the same in America.

good news for all of us americans who used to think british were on the average more intelligent just cause they talk good.

Re:Trump 2016

[gzuckier]

Let's take back Murica like the British people did with their country last night!

get the US out of the EU!!!

Translation

[DrYak]

Until the cleaning people throw it out the evening after it was installed.

Or in other words: you don't even need physical access to retrieve the recorder.
Or find a believable excuse when you're spotted rummaging through the above-mentionned trashcan.

You only need to throw garbage (drop a new empty recorder) once in a while in the trash,
and count on the cleaning staff to unknowingly "retrieve" it for you.