Malware Can Use Fan Noise To Steal Data From Air-Gapped Systems (helpnetsecurity.com) 95
Reader Orome1 writes: For the last few years, researchers from Ben-Gurion University of the Negev have been testing up new ways to exfiltrate data from air-gapped computers: via mobile phones, using radio frequencies ("AirHopper"); using heat ("BitWhisper"), using rogue software ("GSMem") that modulates and transmits electromagnetic signals at cellular frequencies. The latest version of the data-exfiltration attack against air-gapped computers involves the machine's fans. Dubbed "Fansmitter," the attack can come handy when the computer does not have speakers, and so attackers can't use acoustic channels to get the info.An anonymous reader adds:Malicious applications use the noise emanated by a computer fan's speed to relay information to a nearby recording device and steal data from air-gapped, isolated systems. The attack relies on selecting a fan speed to represent binary "1" and another for binary "0". A specially crafted malware can alter the CPU, GPU or chassis fan speed between these two frequencies and provide a method to relay data from infected systems. Attackers can then place microphones or smartphones to record the sound coming from the infected machine and steal the data. The attack works for distances of one to four meters, and operates in the 100-600 Hz frequency that can be picked up by the human year. Choosing smaller fan speeds or fan speeds that are closer together can make the attack harder to pick up by a human, but also makes it susceptible to background noise.
Impressive but useful? (Score:5, Insightful)
Re: (Score:2)
Pretty neat idea but in every air-gapped environment I've worked in, getting the cellphone or recording device in would be the more difficult portion of this exercise.
Uh, hardly.
SCIF designs do not usually employ metal detectors at the door to detect for malicious electronics before they get close enough, nor is it standard practice to wrap the walls in a Faraday cage.
Let's be honest, the only thing making this "difficult" is the paper (policy) that prevents it, hence the rather massive focus on insider threat risk mitigation these days, which in the post-Snowden era presents no shock or surprise.
Re: (Score:2)
Yeah, 100-600 hz means we aren't talking about any great amount of data at a time. It seems opening documents in front of a video camera would capture as much text as or more quickly.
Re:Impressive but useful? (Score:5, Insightful)
Pretty much the first thing I thought of. What baud rate would be possible using this? It couldn't be very high. Each 0-to-1 and 1-to-0 transition would have to wait for the fan speed to stabilize and that would take a variable amount of time depending on the fan size.
Interesting concept in the lab but would this really work in a real life situation? Many work environments have all sorts of ambient noise that might interfere with being able to detect the computer's fan noise.
Re: (Score:2)
It might be able to play the original Legend of Zelda theme....
Re: (Score:2)
Bingo.
I think this is one of those theoretical possibilities that could conceivably work under very tightly controlled conditions, but would never actually work in the real world.
Re: (Score:1)
and, at least to me, since the fan is audible, I would expect that I would notice the fan operating in a non-standard way [not going off, but varying between two speeds continuously, regardless of what is actually happening on the computer].
Re:Impressive but useful? (Score:5, Insightful)
Let's be honest, the only thing making this "difficult" is the paper (policy) that prevents it
That... and the fact that you need to get the malware onto the air gapped system.
Which, as previously noted, really makes this an insider attack vector and not a remote exploit.
There are probably easier ways for an insider to infiltrate information.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Useless... (Score:1)
Quote: "The attack works for distances of one to four meters..."
If you can get so close to the machine, then there are better ways of getting data off it.
Re: (Score:3, Insightful)
From TFA: "A specially crafted malware can alter the CPU, GPU or chassis fan speed between these two frequencies and provide a method to relay data from infected systems. "
So, first, you have to get the malware on the target computer. If you can do that, there are better, easier ways to get information off of it.
Translation (Score:2)
Until the cleaning people throw it out the evening after it was installed.
Or in other words: you don't even need physical access to retrieve the recorder.
Or find a believable excuse when you're spotted rummaging through the above-mentionned trashcan.
You only need to throw garbage (drop a new empty recorder) once in a while in the trash,
and count on the cleaning staff to unknowingly "retrieve" it for you.
Re: (Score:1)
Re: (Score:3, Insightful)
Quote: "The attack works for distances of one to four meters..."
If you can get so close to the machine, then there are better ways of getting data off it.
Maybe, but in a lot of cases there aren't. Every air-gapped computer I've ever used at work has been in a secure physical environment where electronic devices capable of recording or storing anything or connecting to any kind of network are strictly prohibited. The security folks even nixed a digital clock because it had WiFi for time sync. And the computers themselves had no working external mass storage capability, network ports, or optical drives. Computer cases have anti-tamper seals on them, and access
Re: (Score:2, Flamebait)
if you were actually caught trying to take information out of the room in anything other than your brain, you would likely be prosecuted.
Unless you're Hillary.
Re: (Score:2)
if you were actually caught trying to take information out of the room in anything other than your brain, you would likely be prosecuted.
Unless you're Hillary.
Probably true, but highly speculative; as far as I can tell, she never bothered to use a secure computer or network in the first place.
A rather slow data rate (Score:4, Informative)
Re: (Score:3)
Assuming the attack goes undetected and only targets the administrator login/password, not much time will be needed for an attack.
Re: (Score:1)
Assuming the attack goes undetected and only targets the administrator login/password, not much time will be needed for an attack.
And what does that gain the hacker? They would need physical access to the machine to use that login/password (since it's airgapped), at which point most security is pointless anyway.
Re: (Score:1)
Well, it worked on Mission Impossible, with nothing more complex than a rope and an air vent, so surely that's exactly how it happens in real life!!!
Re: (Score:2)
That's okay. As the summary says, the attack "can be picked up by the human year", and even at that data rate they should get some juicy stuff over 12 months of transmitting.
Re: (Score:2)
That's it, I'm switching to typewriters (Score:1)
Oh wait, nevermind [cryptomuseum.com].
Anyone got some chalk and slate?
Captcha: laughs
Re: (Score:2)
your favorite 3-letter agency
Air-gapped systems are usually justified in order to protect the information that said "3-letter agency" wishes to keep secure.
Let's not confuse civilian monitoring with government systems, since your average social media addict doesn't even understand the concept of a gapped system.
Re: (Score:2)
These days there seems to be no such thing as a gapped system. So far I've heard of... Using the RFI/EMI of keyboards and/or displays to spy, using built-in speakers/microphones for ultrasonic networking, new hardware being intercepted in transit having govt spyware/hardware installed before the customer gets it, USB devices including cables, picture frames, chargers, dongles having spyware/malware, etc. The only way to be sure is by not turning it on.
There are plenty of ways to mitigate the risks today.
20 years ago I was lugging around PC chassis and monitors that weighed in excess of 50 pounds. Because the damn thing was wrapped in a TEMPEST-certified case. Quite literally lead-lined. Excess crap like speakers and microphones are unnecessary in 99.999% of air-gapped environments.
This, along with getting back to using traditional wired connections for shit like keyboards, would tend to mitigate a lot of the risk we face today. COTS adaptation was pe
Re: (Score:2)
Xenophobes have destroyed the UK. Scotland will leave to join the EU. We're not going to let our hate-fueled Trump supporters do the same in America.
good news for all of us americans who used to think british were on the average more intelligent just cause they talk good.
Re: (Score:2)
Let's take back Murica like the British people did with their country last night!
get the US out of the EU!!!
Re: (Score:2)
Didn't I hear "15 bits per minute" somewhere? You could transmit it faster by drum signal; it is probably more like smoke-sginals.
Re: (Score:2)
A lot of complex work starts the day with a log in and an internal keyword search, folder names, database location.
Not every cleared staff member is typing in a book chapter of data as part of their normal work load.
Checks calendar... (Score:2)
Is it April 1st again?
Re: (Score:2)
Because a system with disabled USB mass storage, a DVD ROM drive, and no network connection, would be ignored by most IT/security people as not having a data ex filtration risk. It can get data onto it, but not off, so the security people would probably think "Even if someone gets malware onto it, it can't send data off it, because there's no way to do it. They can't even burn a DVD."
Getting the malware on it would probably be easier than getting data off it in some mass storage kind of way.
our data warehouse is very secure. tons of data gong in but nobody can get anything out of it no matter how hard we try.
Re: (Score:2)
Sounds like this is only useful if the computer is already compromised and has this special "fan-signal" malware on it. If you've already got malware on your isolated system, it sounds like you've already got other problems.
yeah; the secure system has to be infected with the malware, and you have to be close enough to it to pick up the sound of the fan very precisely and decode it. if you're going to all that trouble, might as well have the infected system just read the damn data out to you over the speaker.
Nothing New (Score:3)
As I was only printing teaching instructions for using the accounting software I trained users on, I thanked him kindly for the warning and carried on.
Re:Nothing New (Score:4, Funny)
I think he was telling you to keep the damn noise down and shut your windows!
Re: (Score:2)
In the early 1980's one of my neighbors, a Honeywell employee, warned me that people could tell what I was printing out on my daisy-wheel printer just by listening through my open window. Apparently, each character of the Diablo 630 printer made a unique noise when struck. As I was only printing teaching instructions for using the accounting software I trained users on, I thanked him kindly for the warning and carried on.
and the other direction; people would write music which was strings of ascii characters which would be played by printing them through a printer, given that the pitch of the printer whine would vary with what was printing.
Go ahead, try it (Score:2)
Just thinking of all the computer devices that I have at home:
2 laptops: fans are so quiet you'd have to have the microphone next to the vent to hear it
cellphones and tablets: no fans
server: If you can hear the two cpu fans over the 9 jet engine fans for the power supplies and disk arrays running at full speed 100% of the time, you can have my data.
computer 1: passively cooled
computer 2: Just has a large pretty silent 12V constant speed CPU fan
Stealing data through fan noise? (Score:1)
Sounds like a load of hot air to me
USB fans - not only for the light show (Score:1)
Put up a couple of USB fans around your computer to keep you cool and to confuse the enemy.
Summary misleading /shock /. (Score:2)
To suggest that malware can use fans to 'steal' data would imply that the data is being taken FROM an airgapped system by something outside it.
In fact, what it's talking about is that malware installed on an airgapped system can use the fan system to COMMUNICATE data across an air gap. Still interesting, but a little more honest about what's going on.
Humans! (Score:2, Offtopic)
Air gapping machines is not effective.
Why? Because as soon as you air gap a machine, you need humans to ferry the data back and forth.
Now humans can exploited to be the exflitration path.
If you had a wire, you could control the protocol on the wire, put in overlapping constraints on traffic on the wire, and keep the humans out of the room.
Re: (Score:2)
Air gapping machines is not effective.
Why? Because as soon as you air gap a machine, you need humans to ferry the data back and forth. Now humans can exploited to be the exflitration path.
If you had a wire, you could control the protocol on the wire, put in overlapping constraints on traffic on the wire, and keep the humans out of the room.
no; you train capuchin monkeys to ferry the data.
Really? (Score:3)
Re: (Score:1)
Isn't this trivial? (Score:2)
Isn't this trivial? Speed up fan for 1. Slow down for 0. Not only trivial, but poorly performing, because of the fan's inertia. Why not use the motherboard beep instead?
Easy solution (Score:2)
I solved this by just removing the fan from my computer, and I r$7mend* th(sssss solu#on fssst - jfha^fk lif4gkmv6n-3g ssssssssss
Isn't this just a 1-way communication though? (Score:2)
If I'm reading this right (no I didn't RTFA) the malware can send out info. But it doesn't know if the info is being picked up or not. It can't answer questions from it's masters or anything like that.
So, I won't say it has no uses for spies, but it's kind of limited.
Re: (Score:2)
"[...] that can be picked up by the human year." I think they meant ear?
yuge mistake.
easy fix (Score:2)