Slashdot Mirror


Malware Can Use Fan Noise To Steal Data From Air-Gapped Systems (helpnetsecurity.com)

Reader Orome1 writes: For the last few years, researchers from Ben-Gurion University of the Negev have been testing new ways to exfiltrate data from air-gapped computers: via mobile phones, using radio frequencies ("AirHopper"); using heat ("BitWhisper"); using rogue software ("GSMem") that modulates and transmits electromagnetic signals at cellular frequencies. The latest version of the data-exfiltration attack against air-gapped computers involves the machine's fans. Dubbed "Fansmitter," the attack can come in handy when the computer does not have speakers, and so attackers can't use acoustic channels to get the info.

An anonymous reader adds: Malicious applications use the noise emanated by a computer fan's speed to relay information to a nearby recording device and steal data from air-gapped, isolated systems. The attack relies on selecting a fan speed to represent binary "1" and another for binary "0". A specially crafted malware can alter the CPU, GPU or chassis fan speed between these two frequencies and provide a method to relay data from infected systems. Attackers can then place microphones or smartphones to record the sound coming from the infected machine and steal the data. The attack works for distances of one to four meters, and operates in the 100-600 Hz frequency range that can be picked up by the human ear. Choosing smaller fan speeds or fan speeds that are closer together can make the attack harder to pick up by a human, but also makes it susceptible to background noise.
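
As an added example (not code from the story or from the Ben-Gurion researchers), here is the defender-side check that the summary suggests: a host telemetry agent can flag a fan that toggles between two fixed RPM levels at a steady cadence while the CPU temperature stays flat, since a fan following the normal thermal curve drifts with temperature instead. The 1 Hz sampling rate, the thresholds and the two sample series are assumptions and constructed data.

```python
"""Flag Fansmitter-style two-speed fan modulation in host telemetry.

Added example, not code from the article or the researchers. Assumes a
monitoring agent that samples fan RPM and CPU temperature once per
second; all samples below are constructed.
"""
from collections import Counter
from statistics import pstdev


def quantize(rpm, step):
    """Round an RPM reading to the nearest `step` so sensor jitter does
    not split one nominal fan speed into several apparent levels."""
    return int(round(rpm / step)) * step


def detect_fan_modulation(samples, rpm_step=100, min_flips=4, temp_tol=2.0):
    """samples: list of (rpm, temp_c) at 1 Hz. Returns verdict plus evidence."""
    levels = [quantize(r, rpm_step) for r, _ in samples]
    top = Counter(levels).most_common(2)
    if len(top) < 2:
        return {"flagged": False, "reason": "fan held at a single speed"}
    (a, na), (b, nb) = top
    share = (na + nb) / len(levels)          # time spent on the two top speeds
    flips = sum(1 for x, y in zip(levels, levels[1:]) if {x, y} == {a, b})
    temp_spread = pstdev([t for _, t in samples])
    # Run lengths give the symbol period; their mean bounds the achievable bit rate.
    runs, run = [], 1
    for x, y in zip(levels, levels[1:]):
        if x == y:
            run += 1
        else:
            runs.append(run)
            run = 1
    runs.append(run)
    flagged = share >= 0.9 and flips >= min_flips and temp_spread < temp_tol
    return {"flagged": flagged, "levels": sorted((a, b)), "flips": flips,
            "two_speed_share": round(share, 2), "temp_spread": round(temp_spread, 2),
            "mean_run_s": sum(runs) / len(runs)}


# Constructed: normal thermal ramp, fan speed tracking temperature 40 -> 59 C.
THERMAL_RAMP = [(800 + (t - 40) * 40, float(t)) for t in range(40, 60)]

# Constructed: flat temperature, fan stepping between 1200 and 1800 RPM every
# 3 s in the pattern 1,0,1,1,0,0,1,0 with +/-15 RPM sensor jitter.
_PATTERN = [1, 0, 1, 1, 0, 0, 1, 0]
COVERT_TOGGLE = [(1200 + 600 * bit + (i % 3 - 1) * 15, 45.0 + 0.4 * (i % 2))
                 for i, bit in enumerate(b for b in _PATTERN for _ in range(3))]

if __name__ == "__main__":
    for name, data in (("thermal ramp", THERMAL_RAMP), ("covert toggle", COVERT_TOGGLE)):
        print(name, detect_fan_modulation(data))
```

The mean run length in the covert series (4 s per symbol here) is the figure a defender would compare against the fan's settling time when judging how much data such a channel could realistically move.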

5 of 95 comments

  1. Impressive but useful? by DougOtto · Score: 4, Insightful

    Pretty neat idea but in every air-gapped environment I've worked in, getting the cellphone or recording device in would be the more difficult portion of this exercise.

    --
    Solving Unix problems since 1989...
    1. Re:Impressive but useful? by The-Ixian · Score: 4, Insightful

      Let's be honest, the only thing making this "difficult" is the paper (policy) that prevents it

      That... and the fact that you need to get the malware onto the air gapped system.

      Which, as previously noted, really makes this an insider attack vector and not a remote exploit.

      There are probably easier ways for an insider to infiltrate information.

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:Impressive but useful? by rnturn · Score: 4, Insightful

      Yeah, 100-600 Hz means we aren't talking about any great amount of data at a time.

      Pretty much the first thing I thought of. What baud rate would be possible using this? It couldn't be very high. Each 0-to-1 and 1-to-0 transition would have to wait for the fan speed to stabilize and that would take a variable amount of time depending on the fan size.

      Interesting concept in the lab but would this really work in a real life situation? Many work environments have all sorts of ambient noise that might interfere with being able to detect the computer's fan noise.

      --
      CUR ALLOC 20195.....5804M
  2. Re:Useless... by Anonymous Coward · Score: 3, Insightful

    From TFA: "A specially crafted malware can alter the CPU, GPU or chassis fan speed between these two frequencies and provide a method to relay data from infected systems."

    So, first, you have to get the malware on the target computer. If you can do that, there are better, easier ways to get information off of it.

  3. Re:Useless... by tsqr · Score: 2, Insightful

    Quote: "The attack works for distances of one to four meters..."

    If you can get so close to the machine, then there are better ways of getting data off it.

    Maybe, but in a lot of cases there aren't. Every air-gapped computer I've ever used at work has been in a secure physical environment where electronic devices capable of recording or storing anything or connecting to any kind of network are strictly prohibited. The security folks even nixed a digital clock because it had WiFi for time sync. And the computers themselves had no working external mass storage capability, network ports, or optical drives. Computer cases have anti-tamper seals on them, and access to the room requires a badge swipe that timestamps your entry. You can lose your job for having a phone in your pocket, and if you were actually caught trying to take information out of the room in anything other than your brain, you would likely be prosecuted.

    Frankly, I have trouble imagining how the malware could end up on one of these computers in the first place.