Slashdot Mirror


Malware Can Use Fan Noise To Steal Data From Air-Gapped Systems (helpnetsecurity.com)

Reader Orome1 writes: For the last few years, researchers from Ben-Gurion University of the Negev have been testing new ways to exfiltrate data from air-gapped computers: via mobile phones, using radio frequencies ("AirHopper"); using heat ("BitWhisper"); using rogue software ("GSMem") that modulates and transmits electromagnetic signals at cellular frequencies. The latest version of the data-exfiltration attack against air-gapped computers involves the machine's fans. Dubbed "Fansmitter," the attack can come in handy when the computer does not have speakers, and so attackers can't use acoustic channels to get the info.

An anonymous reader adds: Malicious applications use the noise emanated by a computer fan's speed to relay information to a nearby recording device and steal data from air-gapped, isolated systems. The attack relies on selecting a fan speed to represent binary "1" and another for binary "0". A specially crafted malware can alter the CPU, GPU or chassis fan speed between these two frequencies and provide a method to relay data from infected systems. Attackers can then place microphones or smartphones to record the sound coming from the infected machine and steal the data. The attack works for distances of one to four meters, and operates in the 100-600 Hz frequency range that can be picked up by the human ear. Choosing smaller fan speeds or fan speeds that are closer together can make the attack harder to pick up by a human, but also makes it susceptible to background noise.
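The summary describes the channel as two fan speeds standing for "1" and "0", read back by a nearby microphone. The following is an added example, not code from the article or from the Ben-Gurion researchers: it models that two-level channel on fan RPM telemetry rather than audio, and pairs it with a defender-side check a host-monitoring agent could run over its own sensor log. The RPM levels, the step threshold, the temperature tolerance and both sensor logs are constructed assumptions; the underlying observation is that a thermally controlled fan tracks CPU temperature, whereas a fan driven as a data channel jumps between two levels while temperature stays flat.

```python
# Added example (not from the article): a toy model of the two-speed fan channel
# described in the summary, plus a defender-side check over fan telemetry.
# All sample data below is constructed; the RPM levels and thresholds are assumptions.
from statistics import mean

LOW_RPM = 1000    # assumed fan speed used for a binary "0"
HIGH_RPM = 1600   # assumed fan speed used for a binary "1"
STEP_RPM = 300    # assumed: a jump larger than this between consecutive samples is a "step"


def modulate(bits, samples_per_bit):
    """Simulate the channel: hold the fan at one of two fixed speeds for each bit."""
    rpm = []
    for bit in bits:
        rpm.extend([HIGH_RPM if bit else LOW_RPM] * samples_per_bit)
    return rpm


def demodulate(rpm, samples_per_bit):
    """Recover bits by averaging each bit slot and comparing it to the midpoint."""
    midpoint = (LOW_RPM + HIGH_RPM) / 2
    bits = []
    for start in range(0, len(rpm) - samples_per_bit + 1, samples_per_bit):
        slot = rpm[start:start + samples_per_bit]
        bits.append(1 if mean(slot) > midpoint else 0)
    return bits


def detect_modulation(samples, min_steps=4, max_temp_range=3.0):
    """Flag a fan that steps sharply up and down while the CPU temperature is flat.

    `samples` is a list of (rpm, cpu_temp_celsius) tuples from the host's sensor
    log. Returns True when the fan made at least `min_steps` abrupt changes while
    the temperature moved by no more than `max_temp_range` degrees.
    """
    rpms = [s[0] for s in samples]
    temps = [s[1] for s in samples]
    steps = sum(1 for a, b in zip(rpms, rpms[1:]) if abs(b - a) > STEP_RPM)
    temp_range = max(temps) - min(temps)
    return steps >= min_steps and temp_range <= max_temp_range


# Constructed benign log: temperature climbs and the fan ramps smoothly with it.
BENIGN_LOG = [(900 + 40 * i, 45.0 + 1.25 * i) for i in range(20)]

# Constructed covert-channel log: flat temperature, fan toggling to send 1011001.
MESSAGE = [1, 0, 1, 1, 0, 0, 1]
SAMPLES_PER_BIT = 3
ATTACK_LOG = [(rpm, 50.0 + (0.5 if i % 2 else 0.0))
              for i, rpm in enumerate(modulate(MESSAGE, SAMPLES_PER_BIT))]

if __name__ == "__main__":
    print("benign flagged:", detect_modulation(BENIGN_LOG))   # False
    print("attack flagged:", detect_modulation(ATTACK_LOG))   # True
    print("decoded:", demodulate([r for r, _ in ATTACK_LOG], SAMPLES_PER_BIT))
```

The check deliberately keys on the mismatch between fan behaviour and temperature rather than on any particular pair of speeds, so it still fires when the speeds are chosen close together, which the summary notes is the variant that is hardest for a person to hear.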

11 of 95 comments

  1. Impressive but useful? by DougOtto · Score: 4, Insightful

    Pretty neat idea but in every air-gapped environment I've worked in, getting the cellphone or recording device in would be the more difficult portion of this exercise.

    --
    Solving Unix problems since 1989...
    1. Re:Impressive but useful? by The-Ixian · Score: 4, Insightful

      Let's be honest, the only thing making this "difficult" is the paper (policy) that prevents it

      That... and the fact that you need to get the malware onto the air gapped system.

      Which, as previously noted, really makes this an insider attack vector and not a remote exploit.

      There are probably easier ways for an insider to infiltrate information.

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:Impressive but useful? by rnturn · Score: 4, Insightful

      Yeah, 100-600 Hz means we aren't talking about any great amount of data at a time.

      Pretty much the first thing I thought of. What baud rate would be possible using this? It couldn't be very high. Each 0-to-1 and 1-to-0 transition would have to wait for the fan speed to stabilize and that would take a variable amount of time depending on the fan size.

      Interesting concept in the lab but would this really work in a real life situation? Many work environments have all sorts of ambient noise that might interfere with being able to detect the computer's fan noise.

      --
      CUR ALLOC 20195.....5804M
  2. A rather slow data rate by Anonymous Coward · Score: 4, Informative

    They achieved a speed of 15 bits per minute, so a long time is needed for an attack

    1. Re:A rather slow data rate by Yvan256 · Score: 2

      Assuming the attack goes undetected and only targets the administrator login/password, not much time will be needed for an attack.

  3. Re:Useless... by Anonymous Coward · Score: 3, Insightful

    From TFA: "A specially crafted malware can alter the CPU, GPU or chassis fan speed between these two frequencies and provide a method to relay data from infected systems. "

    So, first, you have to get the malware on the target computer. If you can do that, there are better, easier ways to get information off of it.

  4. Re:Useless... by tsqr · Score: 2, Insightful

    Quote: "The attack works for distances of one to four meters..."

    If you can get so close to the machine, then there are better ways of getting data off it.

    Maybe, but in a lot of cases there aren't. Every air-gapped computer I've ever used at work has been in a secure physical environment where electronic devices capable of recording or storing anything or connecting to any kind of network are strictly prohibited. The security folks even nixed a digital clock because it had WiFi for time sync. And the computers themselves had no working external mass storage capability, network ports, or optical drives. Computer cases have anti-tamper seals on them, and access to the room requires a badge swipe that timestamps your entry. You can lose your job for having a phone in your pocket, and if you were actually caught trying to take information out of the room in anything other than your brain, you would likely be prosecuted.

    Frankly, I have trouble imagining how the malware could end up on one of these computers in the first place.

  5. Nothing New by twmcneil · Score: 2

    In the early 1980s one of my neighbors, a Honeywell employee, warned me that people could tell what I was printing out on my daisy-wheel printer just by listening through my open window. Apparently, each character of the Diablo 630 printer made a unique noise when struck.

    As I was only printing teaching instructions for using the accounting software I trained users on, I thanked him kindly for the warning and carried on.

    --
    "The ferrets, they're everywhere I tell you!"
    1. Re:Nothing New by Anonymous Coward · Score: 4, Funny

      I think he was telling you to keep the damn noise down and shut your windows!

  6. Really? by Rudisaurus · Score: 2

    Or, you know, they could use the hard drive LED to blink out the information they want to extract in Morse code with the cell phone camera set to record the transmitted data. I mean, holy crap, at some point this all becomes a little ridiculous.

    --
    licet differant, aequabitur
  7. Isn't this just a 1-way communication though? by shoor · Score: 2

    If I'm reading this right (no, I didn't RTFA) the malware can send out info. But it doesn't know if the info is being picked up or not. It can't answer questions from its masters or anything like that.

    So, I won't say it has no uses for spies, but it's kind of limited.

    --
    In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)