Malware Can Use Fan Noise To Steal Data From Air-Gapped Systems (helpnetsecurity.com)

← Back to Stories (view on slashdot.org)

Malware Can Use Fan Noise To Steal Data From Air-Gapped Systems (helpnetsecurity.com)

Posted by msmash on Friday June 24, 2016 @02:00AM from the security-woes dept.

Reader Orome1 writes: For the last few years, researchers from Ben-Gurion University of the Negev have been testing up new ways to exfiltrate data from air-gapped computers: via mobile phones, using radio frequencies ("AirHopper"); using heat ("BitWhisper"), using rogue software ("GSMem") that modulates and transmits electromagnetic signals at cellular frequencies. The latest version of the data-exfiltration attack against air-gapped computers involves the machine's fans. Dubbed "Fansmitter," the attack can come handy when the computer does not have speakers, and so attackers can't use acoustic channels to get the info.An anonymous reader adds:Malicious applications use the noise emanated by a computer fan's speed to relay information to a nearby recording device and steal data from air-gapped, isolated systems. The attack relies on selecting a fan speed to represent binary "1" and another for binary "0". A specially crafted malware can alter the CPU, GPU or chassis fan speed between these two frequencies and provide a method to relay data from infected systems. Attackers can then place microphones or smartphones to record the sound coming from the infected machine and steal the data. The attack works for distances of one to four meters, and operates in the 100-600 Hz frequency that can be picked up by the human year. Choosing smaller fan speeds or fan speeds that are closer together can make the attack harder to pick up by a human, but also makes it susceptible to background noise.

50 of 95 comments (clear)

Min score:

Reason:

Sort:

Impressive but useful? by DougOtto · 2016-06-24 02:13 · Score: 4, Insightful

Pretty neat idea but in every air-gapped environment I've worked in, getting the cellphone or recording device in would be the more difficult portion of this exercise.

--
Solving Unix problems since 1989...
1. Re:Impressive but useful? by geekmux · 2016-06-24 02:30 · Score: 1
  
  Pretty neat idea but in every air-gapped environment I've worked in, getting the cellphone or recording device in would be the more difficult portion of this exercise.
  Uh, hardly.
  SCIF designs do not usually employ metal detectors at the door to detect for malicious electronics before they get close enough, nor is it standard practice to wrap the walls in a Faraday cage.
  Let's be honest, the only thing making this "difficult" is the paper (policy) that prevents it, hence the rather massive focus on insider threat risk mitigation these days, which in the post-Snowden era presents no shock or surprise.
2. Re:Impressive but useful? by Flavianoep · 2016-06-24 02:34 · Score: 1
  
  This study makes all the precautions put in place around those air-locked computers seem less of paranoia.
  
  --
  Linux is for people who don't mind RTFM.
3. Re:Impressive but useful? by evolutionary · 2016-06-24 02:40 · Score: 1
  
  Not useful yet...but...like most things, given enough refinement. Specific patterns in change can be mapped to data once replicated. Many things we use today to store and transmit data were mere "noise" and random disturbances many years ago. Now we send petrabytes of data with those same distortions.
  
  --
  "Imagination is more important than knowledge" - Einstein
4. Re:Impressive but useful? by GargamelSpaceman · 2016-06-24 03:20 · Score: 1
  
  Yeah, 100-600 hz means we aren't talking about any great amount of data at a time. It seems opening documents in front of a video camera would capture as much text as or more quickly.
  
  --
  ...
5. Re:Impressive but useful? by The-Ixian · 2016-06-24 03:42 · Score: 4, Insightful
  
  Let's be honest, the only thing making this "difficult" is the paper (policy) that prevents it
  That... and the fact that you need to get the malware onto the air gapped system.
  Which, as previously noted, really makes this an insider attack vector and not a remote exploit.
  There are probably easier ways for an insider to infiltrate information.
  
  --
  My eyes reflect the stars and a smile lights up my face.
6. Re:Impressive but useful? by rnturn · 2016-06-24 04:28 · Score: 4, Insightful
  
  Yeah, 100-600 hz means we aren't talking about any great amount of data at a time.
  
  Pretty much the first thing I thought of. What baud rate would be possible using this? It couldn't be very high. Each 0-to-1 and 1-to-0 transition would have to wait for the fan speed to stabilize and that would take a variable amount of time depending on the fan size.
  Interesting concept in the lab but would this really work in a real life situation? Many work environments have all sorts of ambient noise that might interfere with being able to detect the computer's fan noise.
  
  --
  CUR ALLOC 20195.....5804M
7. Re:Impressive but useful? by funwithBSD · 2016-06-24 05:31 · Score: 1
  
  It might be able to play the original Legend of Zelda theme....
  
  --
  Never answer an anonymous letter. - Yogi Berra
8. Re:Impressive but useful? by JustAnotherOldGuy · 2016-06-24 06:41 · Score: 1
  
  Bingo.
  I think this is one of those theoretical possibilities that could conceivably work under very tightly controlled conditions, but would never actually work in the real world.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
9. Re:Impressive but useful? by davester666 · 2016-06-24 07:27 · Score: 1
  
  and, at least to me, since the fan is audible, I would expect that I would notice the fan operating in a non-standard way [not going off, but varying between two speeds continuously, regardless of what is actually happening on the computer].
  
  --
  Sleep your way to a whiter smile...date a dentist!
10. Re: Impressive but useful? by ememisya · 2016-06-24 10:58 · Score: 1
  
  Nah man, you just remember it by ear. Go home and write down all the 1s and 0s.
Useless... by Anonymous Coward · 2016-06-24 02:15 · Score: 1

Quote: "The attack works for distances of one to four meters..."
If you can get so close to the machine, then there are better ways of getting data off it.
1. Re:Useless... by Anonymous Coward · 2016-06-24 02:23 · Score: 3, Insightful
  
  From TFA: "A specially crafted malware can alter the CPU, GPU or chassis fan speed between these two frequencies and provide a method to relay data from infected systems. "
  So, first, you have to get the malware on the target computer. If you can do that, there are better, easier ways to get information off of it.
2. Re:Useless... by tsqr · 2016-06-24 02:40 · Score: 2, Insightful
  
  Quote: "The attack works for distances of one to four meters..."
  If you can get so close to the machine, then there are better ways of getting data off it.
  Maybe, but in a lot of cases there aren't. Every air-gapped computer I've ever used at work has been in a secure physical environment where electronic devices capable of recording or storing anything or connecting to any kind of network are strictly prohibited. The security folks even nixed a digital clock because it had WiFi for time sync. And the computers themselves had no working external mass storage capability, network ports, or optical drives. Computer cases have anti-tamper seals on them, and access to the room requires a badge swipe that timestamps your entry. You can lose your job for having a phone in your pocket, and if you were actually caught trying to take information out of the room in anything other than your brain, you would likely be prosecuted.
  Frankly, I have trouble imagining how the malware could end up on one of these computers in the first place.
3. Re:Useless... by chipschap · 2016-06-24 05:08 · Score: 1, Flamebait
  
  if you were actually caught trying to take information out of the room in anything other than your brain, you would likely be prosecuted.
  Unless you're Hillary.
4. Re:Useless... by tsqr · 2016-06-24 05:12 · Score: 1
  
  if you were actually caught trying to take information out of the room in anything other than your brain, you would likely be prosecuted.
  Unless you're Hillary.
  Probably true, but highly speculative; as far as I can tell, she never bothered to use a secure computer or network in the first place.
5. Re:Useless... by operagost · 2016-06-24 06:34 · Score: 1
  
  It rather involved being on the other side of this airtight hatchway.
  
  --
  
  Gamingmuseum.com: Give your 3D accelerator a rest.
A rather slow data rate by Anonymous Coward · 2016-06-24 02:17 · Score: 4, Informative

They achieved a speed of 15 bits per minute, so a long time is needed for an attack
1. Re:A rather slow data rate by Yvan256 · 2016-06-24 02:33 · Score: 2
  
  Assuming the attack goes undetected and only targets the administrator login/password, not much time will be needed for an attack.
2. Re:A rather slow data rate by Anonymous Coward · 2016-06-24 03:08 · Score: 1
  
  Assuming the attack goes undetected and only targets the administrator login/password, not much time will be needed for an attack.
  And what does that gain the hacker? They would need physical access to the machine to use that login/password (since it's airgapped), at which point most security is pointless anyway.
3. Re:A rather slow data rate by Anonymous Coward · 2016-06-24 04:25 · Score: 1
  
  Well, it worked on Mission Impossible, with nothing more complex than a rope and an air vent, so surely that's exactly how it happens in real life!!!
4. Re:A rather slow data rate by SeaFox · 2016-06-24 04:33 · Score: 1
  
  That's okay. As the summary says, the attack "can be picked up by the human year", and even at that data rate they should get some juicy stuff over 12 months of transmitting.
5. Re:A rather slow data rate by cyberchondriac · 2016-06-24 06:27 · Score: 1
  
  I was going to ask, just how fast can you modulate a fan motor? This seems more of a proof of concept but pretty useless in the real world.
  
  --
  
  Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
That's it, I'm switching to typewriters by davidwr · 2016-06-24 02:20 · Score: 1

Oh wait, nevermind.
Anyone got some chalk and slate?
Captcha: laughs

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Checks calendar... by no1nose · 2016-06-24 02:31 · Score: 1

Is it April 1st again?
Nothing New by twmcneil · 2016-06-24 02:57 · Score: 2

In the early 1980's one of my neighbors, a Honeywell employee, warned me that people could tell what I was printing out on my daisy-wheel printer just by listening through my open window. Apparently, each character of the Diablo 630 printer made a unique noise when struck.

As I was only printing teaching instructions for using the accounting software I trained users on, I thanked him kindly for the warning and carried on.

--
"The ferrets, they're every where I tell you!"
1. Re:Nothing New by Anonymous Coward · 2016-06-24 03:02 · Score: 4, Funny
  
  I think he was telling you to keep the damn noise down and shut your windows!
2. Re:Nothing New by gzuckier · 2016-06-25 16:25 · Score: 1
  
  In the early 1980's one of my neighbors, a Honeywell employee, warned me that people could tell what I was printing out on my daisy-wheel printer just by listening through my open window. Apparently, each character of the Diablo 630 printer made a unique noise when struck. As I was only printing teaching instructions for using the accounting software I trained users on, I thanked him kindly for the warning and carried on.
  and the other direction; people would write music which was strings of ascii characters which would be played by printing them through a printer, given that the pitch of the printer whine would vary with what was printing.
  
  --
  Star Trek transporters are just 3d printers.
Re:All your data are belongs to us... by geekmux · 2016-06-24 02:58 · Score: 1

your favorite 3-letter agency
Air-gapped systems are usually justified in order to protect the information that said "3-letter agency" wishes to keep secure.
Let's not confuse civilian monitoring with government systems, since your average social media addict doesn't even understand the concept of a gapped system.
Go ahead, try it by cdrudge · 2016-06-24 03:20 · Score: 1

Just thinking of all the computer devices that I have at home:
2 laptops: fans are so quiet you'd have to have the microphone next to the vent to hear it
cellphones and tablets: no fans
server: If you can hear the two cpu fans over the 9 jet engine fans for the power supplies and disk arrays running at full speed 100% of the time, you can have my data.
computer 1: passively cooled
computer 2: Just has a large pretty silent 12V constant speed CPU fan
Stealing data through fan noise? by Anonymous Coward · 2016-06-24 03:24 · Score: 1

Sounds like a load of hot air to me
Re:What is the bandwidth? by jandersen · 2016-06-24 03:24 · Score: 1

Didn't I hear "15 bits per minute" somewhere? You could transmit it faster by drum signal; it is probably more like smoke-sginals.
USB fans - not only for the light show by Idisagree · 2016-06-24 03:45 · Score: 1

Put up a couple of USB fans around your computer to keep you cool and to confuse the enemy.
Summary misleading /shock /. by argStyopa · 2016-06-24 03:57 · Score: 1

To suggest that malware can use fans to 'steal' data would imply that the data is being taken FROM an airgapped system by something outside it.
In fact, what it's talking about is that malware installed on an airgapped system can use the fan system to COMMUNICATE data across an air gap. Still interesting, but a little more honest about what's going on.

--
-Styopa
Re:All your data are belongs to us... by geekmux · 2016-06-24 04:15 · Score: 1

These days there seems to be no such thing as a gapped system. So far I've heard of... Using the RFI/EMI of keyboards and/or displays to spy, using built-in speakers/microphones for ultrasonic networking, new hardware being intercepted in transit having govt spyware/hardware installed before the customer gets it, USB devices including cables, picture frames, chargers, dongles having spyware/malware, etc. The only way to be sure is by not turning it on.
There are plenty of ways to mitigate the risks today.
20 years ago I was lugging around PC chassis and monitors that weighed in excess of 50 pounds. Because the damn thing was wrapped in a TEMPEST-certified case. Quite literally lead-lined. Excess crap like speakers and microphones are unnecessary in 99.999% of air-gapped environments.
This, along with getting back to using traditional wired connections for shit like keyboards, would tend to mitigate a lot of the risk we face today. COTS adaptation was perhaps the worst thing we could have done when it comes to air-gapped environments.
Humans! by TechyImmigrant · 2016-06-24 04:36 · Score: 1, Offtopic

Air gapping machines is not effective.
Why? Because as soon as you air gap a machine, you need humans to ferry the data back and forth.
Now humans can exploited to be the exflitration path.
If you had a wire, you could control the protocol on the wire, put in overlapping constraints on traffic on the wire, and keep the humans out of the room.

--
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
1. Re:Humans! by gzuckier · 2016-06-25 16:22 · Score: 1
  
  Air gapping machines is not effective.
  Why? Because as soon as you air gap a machine, you need humans to ferry the data back and forth. Now humans can exploited to be the exflitration path.
  If you had a wire, you could control the protocol on the wire, put in overlapping constraints on traffic on the wire, and keep the humans out of the room.
  no; you train capuchin monkeys to ferry the data.
  
  --
  Star Trek transporters are just 3d printers.
Really? by Rudisaurus · 2016-06-24 05:30 · Score: 2

Or, you know, they could use the hard drive LED to blink out the information they want to extract in Morse code with the cell phone camera set to record the transmitted data. I mean, holy crap, at some point this all becomes a little ridiculous.

--
licet differant, aequabitur
1. Re:Really? by oldcarsmell · 2016-06-27 06:34 · Score: 1
  
  I'm never against people trying new things. People doing ridiculous things sometimes end up being the inventors of something revolutionary. And at any rate, the more we can test and catalog how things work, the more clear of an idea we have of a concept.
Isn't this trivial? by Khashishi · 2016-06-24 05:41 · Score: 1

Isn't this trivial? Speed up fan for 1. Slow down for 0. Not only trivial, but poorly performing, because of the fan's inertia. Why not use the motherboard beep instead?
Easy solution by JustAnotherOldGuy · 2016-06-24 06:38 · Score: 1

I solved this by just removing the fan from my computer, and I r$7mend* th(sssss solu#on fssst - jfha^fk lif4gkmv6n-3g ssssssssss

--
Just cruising through this digital world at 33 1/3 rpm...
Isn't this just a 1-way communication though? by shoor · 2016-06-24 06:39 · Score: 2

If I'm reading this right (no I didn't RTFA) the malware can send out info. But it doesn't know if the info is being picked up or not. It can't answer questions from it's masters or anything like that.
So, I won't say it has no uses for spies, but it's kind of limited.

--
In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
Re:What is the bandwidth? by AHuxley · 2016-06-24 17:07 · Score: 1

Enough to get the users name, pw, search terms, full project name out.
A lot of complex work starts the day with a log in and an internal keyword search, folder names, database location.
Not every cleared staff member is typing in a book chapter of data as part of their normal work load.

--
Domestic spying is now "Benign Information Gathering"
easy fix by gzuckier · 2016-06-25 16:20 · Score: 1

run all the machines in a vacuum.

--
Star Trek transporters are just 3d printers.
Re:Typo by gzuckier · 2016-06-25 16:22 · Score: 1

"[...] that can be picked up by the human year." I think they meant ear?
yuge mistake.

--
Star Trek transporters are just 3d printers.
Re:So you have to already have malware? by gzuckier · 2016-06-25 16:26 · Score: 1

Sounds like this is only useful if the computer is already compromised and has this special "fan-signal" malware on it. If you've already got malware on your isolated system, it sounds like you've already got other problems.
yeah; the secure system has to be infected with the malware, and you have to be close enough to it to pick up the sound of the fan very precisely and decode it. if you're going to all that trouble, might as well have the infected system just read the damn data out to you over the speaker.

--
Star Trek transporters are just 3d printers.
Re:i feel like some are missing a point by gzuckier · 2016-06-25 16:28 · Score: 1

Because a system with disabled USB mass storage, a DVD ROM drive, and no network connection, would be ignored by most IT/security people as not having a data ex filtration risk. It can get data onto it, but not off, so the security people would probably think "Even if someone gets malware onto it, it can't send data off it, because there's no way to do it. They can't even burn a DVD."
Getting the malware on it would probably be easier than getting data off it in some mass storage kind of way.
our data warehouse is very secure. tons of data gong in but nobody can get anything out of it no matter how hard we try.

--
Star Trek transporters are just 3d printers.
Re:Trump 2016 by gzuckier · 2016-06-25 16:30 · Score: 1

Xenophobes have destroyed the UK. Scotland will leave to join the EU. We're not going to let our hate-fueled Trump supporters do the same in America.
good news for all of us americans who used to think british were on the average more intelligent just cause they talk good.

--
Star Trek transporters are just 3d printers.
Re:Trump 2016 by gzuckier · 2016-06-25 16:32 · Score: 1

Let's take back Murica like the British people did with their country last night!
get the US out of the EU!!!

--
Star Trek transporters are just 3d printers.
Translation by DrYak · 2016-06-29 21:25 · Score: 1

Until the cleaning people throw it out the evening after it was installed.
Or in other words: you don't even need physical access to retrieve the recorder.
Or find a believable excuse when you're spotted rummaging through the above-mentionned trashcan.
You only need to throw garbage (drop a new empty recorder) once in a while in the trash,
and count on the cleaning staff to unknowingly "retrieve" it for you.

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]