Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Hardware

Malware Can Use Fan Noise To Steal Data From Air-Gapped Systems (helpnetsecurity.com) 95

Reader Orome1 writes: For the last few years, researchers from Ben-Gurion University of the Negev have been testing up new ways to exfiltrate data from air-gapped computers: via mobile phones, using radio frequencies ("AirHopper"); using heat ("BitWhisper"), using rogue software ("GSMem") that modulates and transmits electromagnetic signals at cellular frequencies. The latest version of the data-exfiltration attack against air-gapped computers involves the machine's fans. Dubbed "Fansmitter," the attack can come handy when the computer does not have speakers, and so attackers can't use acoustic channels to get the info.An anonymous reader adds:Malicious applications use the noise emanated by a computer fan's speed to relay information to a nearby recording device and steal data from air-gapped, isolated systems. The attack relies on selecting a fan speed to represent binary "1" and another for binary "0". A specially crafted malware can alter the CPU, GPU or chassis fan speed between these two frequencies and provide a method to relay data from infected systems. Attackers can then place microphones or smartphones to record the sound coming from the infected machine and steal the data. The attack works for distances of one to four meters, and operates in the 100-600 Hz frequency that can be picked up by the human year. Choosing smaller fan speeds or fan speeds that are closer together can make the attack harder to pick up by a human, but also makes it susceptible to background noise.
This discussion has been archived. No new comments can be posted.

Malware Can Use Fan Noise To Steal Data From Air-Gapped Systems

Comments Filter:
  • by Doug Otto ( 2821601 ) on Friday June 24, 2016 @09:13AM (#52381219)
    Pretty neat idea but in every air-gapped environment I've worked in, getting the cellphone or recording device in would be the more difficult portion of this exercise.
    • Pretty neat idea but in every air-gapped environment I've worked in, getting the cellphone or recording device in would be the more difficult portion of this exercise.

      Uh, hardly.

      SCIF designs do not usually employ metal detectors at the door to detect for malicious electronics before they get close enough, nor is it standard practice to wrap the walls in a Faraday cage.

      Let's be honest, the only thing making this "difficult" is the paper (policy) that prevents it, hence the rather massive focus on insider threat risk mitigation these days, which in the post-Snowden era presents no shock or surprise.

      • Yeah, 100-600 hz means we aren't talking about any great amount of data at a time. It seems opening documents in front of a video camera would capture as much text as or more quickly.

        • by rnturn ( 11092 ) on Friday June 24, 2016 @11:28AM (#52382427)

          Yeah, 100-600 hz means we aren't talking about any great amount of data at a time.

          Pretty much the first thing I thought of. What baud rate would be possible using this? It couldn't be very high. Each 0-to-1 and 1-to-0 transition would have to wait for the fan speed to stabilize and that would take a variable amount of time depending on the fan size.

          Interesting concept in the lab but would this really work in a real life situation? Many work environments have all sorts of ambient noise that might interfere with being able to detect the computer's fan noise.

          • It might be able to play the original Legend of Zelda theme....

          • Bingo.

            I think this is one of those theoretical possibilities that could conceivably work under very tightly controlled conditions, but would never actually work in the real world.

          • and, at least to me, since the fan is audible, I would expect that I would notice the fan operating in a non-standard way [not going off, but varying between two speeds continuously, regardless of what is actually happening on the computer].

      • by The-Ixian ( 168184 ) on Friday June 24, 2016 @10:42AM (#52382029)

        Let's be honest, the only thing making this "difficult" is the paper (policy) that prevents it

        That... and the fact that you need to get the malware onto the air gapped system.

        Which, as previously noted, really makes this an insider attack vector and not a remote exploit.

        There are probably easier ways for an insider to infiltrate information.

    • This study makes all the precautions put in place around those air-locked computers seem less of paranoia.
    • Not useful yet...but...like most things, given enough refinement. Specific patterns in change can be mapped to data once replicated. Many things we use today to store and transmit data were mere "noise" and random disturbances many years ago. Now we send petrabytes of data with those same distortions.
    • Comment removed based on user account deletion
  • by Anonymous Coward

    Quote: "The attack works for distances of one to four meters..."

    If you can get so close to the machine, then there are better ways of getting data off it.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      From TFA: "A specially crafted malware can alter the CPU, GPU or chassis fan speed between these two frequencies and provide a method to relay data from infected systems. "

      So, first, you have to get the malware on the target computer. If you can do that, there are better, easier ways to get information off of it.

      • It rather involved being on the other side of this airtight hatchway.
    • Re: (Score:3, Insightful)

      by tsqr ( 808554 )

      Quote: "The attack works for distances of one to four meters..."

      If you can get so close to the machine, then there are better ways of getting data off it.

      Maybe, but in a lot of cases there aren't. Every air-gapped computer I've ever used at work has been in a secure physical environment where electronic devices capable of recording or storing anything or connecting to any kind of network are strictly prohibited. The security folks even nixed a digital clock because it had WiFi for time sync. And the computers themselves had no working external mass storage capability, network ports, or optical drives. Computer cases have anti-tamper seals on them, and access

      • Re: (Score:2, Flamebait)

        by chipschap ( 1444407 )

        if you were actually caught trying to take information out of the room in anything other than your brain, you would likely be prosecuted.

        Unless you're Hillary.

        • by tsqr ( 808554 )

          if you were actually caught trying to take information out of the room in anything other than your brain, you would likely be prosecuted.

          Unless you're Hillary.

          Probably true, but highly speculative; as far as I can tell, she never bothered to use a secure computer or network in the first place.

  • by Anonymous Coward on Friday June 24, 2016 @09:17AM (#52381265)
    They achieved a speed of 15 bits per minute, so a long time is needed for an attack
    • by Yvan256 ( 722131 )

      Assuming the attack goes undetected and only targets the administrator login/password, not much time will be needed for an attack.

      • by Anonymous Coward

        Assuming the attack goes undetected and only targets the administrator login/password, not much time will be needed for an attack.

        And what does that gain the hacker? They would need physical access to the machine to use that login/password (since it's airgapped), at which point most security is pointless anyway.

        • by Anonymous Coward

          Well, it worked on Mission Impossible, with nothing more complex than a rope and an air vent, so surely that's exactly how it happens in real life!!!

    • by SeaFox ( 739806 )

      That's okay. As the summary says, the attack "can be picked up by the human year", and even at that data rate they should get some juicy stuff over 12 months of transmitting.

    • I was going to ask, just how fast can you modulate a fan motor? This seems more of a proof of concept but pretty useless in the real world.
  • Oh wait, nevermind [cryptomuseum.com].

    Anyone got some chalk and slate?

    Captcha: laughs

  • Is it April 1st again?

  • by twmcneil ( 942300 ) on Friday June 24, 2016 @09:57AM (#52381601)
    In the early 1980's one of my neighbors, a Honeywell employee, warned me that people could tell what I was printing out on my daisy-wheel printer just by listening through my open window. Apparently, each character of the Diablo 630 printer made a unique noise when struck.

    As I was only printing teaching instructions for using the accounting software I trained users on, I thanked him kindly for the warning and carried on.
    • by Anonymous Coward on Friday June 24, 2016 @10:02AM (#52381655)

      I think he was telling you to keep the damn noise down and shut your windows!

    • In the early 1980's one of my neighbors, a Honeywell employee, warned me that people could tell what I was printing out on my daisy-wheel printer just by listening through my open window. Apparently, each character of the Diablo 630 printer made a unique noise when struck. As I was only printing teaching instructions for using the accounting software I trained users on, I thanked him kindly for the warning and carried on.

      and the other direction; people would write music which was strings of ascii characters which would be played by printing them through a printer, given that the pitch of the printer whine would vary with what was printing.

  • Just thinking of all the computer devices that I have at home:
    2 laptops: fans are so quiet you'd have to have the microphone next to the vent to hear it
    cellphones and tablets: no fans
    server: If you can hear the two cpu fans over the 9 jet engine fans for the power supplies and disk arrays running at full speed 100% of the time, you can have my data.
    computer 1: passively cooled
    computer 2: Just has a large pretty silent 12V constant speed CPU fan

  • by Anonymous Coward

    Sounds like a load of hot air to me

  • Put up a couple of USB fans around your computer to keep you cool and to confuse the enemy.

  • To suggest that malware can use fans to 'steal' data would imply that the data is being taken FROM an airgapped system by something outside it.

    In fact, what it's talking about is that malware installed on an airgapped system can use the fan system to COMMUNICATE data across an air gap. Still interesting, but a little more honest about what's going on.

  • Humans! (Score:2, Offtopic)

    Air gapping machines is not effective.

    Why? Because as soon as you air gap a machine, you need humans to ferry the data back and forth.
    Now humans can exploited to be the exflitration path.

    If you had a wire, you could control the protocol on the wire, put in overlapping constraints on traffic on the wire, and keep the humans out of the room.

    • Air gapping machines is not effective.

      Why? Because as soon as you air gap a machine, you need humans to ferry the data back and forth. Now humans can exploited to be the exflitration path.

      If you had a wire, you could control the protocol on the wire, put in overlapping constraints on traffic on the wire, and keep the humans out of the room.

      no; you train capuchin monkeys to ferry the data.

  • by Rudisaurus ( 675580 ) on Friday June 24, 2016 @12:30PM (#52382947)
    Or, you know, they could use the hard drive LED to blink out the information they want to extract in Morse code with the cell phone camera set to record the transmitted data. I mean, holy crap, at some point this all becomes a little ridiculous.
    • I'm never against people trying new things. People doing ridiculous things sometimes end up being the inventors of something revolutionary. And at any rate, the more we can test and catalog how things work, the more clear of an idea we have of a concept.
  • Isn't this trivial? Speed up fan for 1. Slow down for 0. Not only trivial, but poorly performing, because of the fan's inertia. Why not use the motherboard beep instead?

  • I solved this by just removing the fan from my computer, and I r$7mend* th(sssss solu#on fssst - jfha^fk lif4gkmv6n-3g ssssssssss

  • If I'm reading this right (no I didn't RTFA) the malware can send out info. But it doesn't know if the info is being picked up or not. It can't answer questions from it's masters or anything like that.

    So, I won't say it has no uses for spies, but it's kind of limited.

  • run all the machines in a vacuum.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...