Researchers show fan speed can be modulated to steal data from air-gapped computers

In the past, many research groups have developed methods to steal data from isolated devices disconnected from the Internet using optic, thermal, electromagnetic and acoustic covert channels. Since researchers demonstrated several years ago that data can be stolen using a computer’s internal or external speakers, many organizations have banned these components from air-gapped devices for security reasons.

However, now researchers from Ben-Gurion University of the Negev have discovered a new acoustic data exfiltration method that leverages on a mobile phone positioned in the vicinity of the targeted machine to monitor the computer fans. This version of the data-exfiltration attack against air-gapped computers involves the machine’s fans. The malicious code developed by the researchers can use the device’s fans to exfiltrate data. With this method, it sends out bits of data to the mobile phone or any other computer equipped with a microphone.

“Our method utilizes the noise emitted from the CPU and chassis fans which are present in virtually every computer today. We show that a software can regulate the internal fans’ speed in order to control the acoustic waveform emitted from a computer. Binary data can be modulated and transmitted over these audio signals to a remote microphone (e.g., on a nearby mobile phone),” the researchers, led by Mordechai Guri, Head of R&D at the University’s CyberSecurity Research Center, explained.

Dubbed “Fansmitter,” the attack can be helpful only when the computer does not have speakers, so that the attackers cannot use acoustic channels to get the information.

“Past research has demonstrated that malware can exfiltrate information through an air-gap by transmitting audio signals from the internal or external speakers of desktop computers,” reads the technical paper, entitled “Fansmitter: Acoustic data exfiltration from (speakerless) air-gapped computers” published by the experts.

“Using Fansmitter attackers can successfully exfiltrate passwords and encryption keys from a speakerless air-gapped computer to a mobile phone in the same room from various distances,” researchers wrote in their paper. “Beyond desktop computers, our method is applicable to other kinds of audioless devices, equipped with cooling fans (various types and sizes of fans) such as printers, control systems, embedded devices, IoT devices, and more.”

The researchers were able to examine the frequency and the strength of the acoustic noise released by fans that depend on revolutions per minute (RPM). The malicious code can control the fan to rotate at a certain speed to transmit a “0” bit and a different speed to transmit a “1” bit.

The noise produced by the fan is included in the 100-600 Hz range, which can be detected by the human ear. However, experts point out those attackers could use several methods to avoid raising suspicion by instructing the malware to release data during hours when no one is in the room. They can also use low or close frequencies, which are less visible.

For their experiment, the researchers used a common Dell desktop computer with CPU and chassis fans, and noises were captured with a Samsung Galaxy S4 smartphone. The testing environment was a computer lab with several other workstations, switches and an air conditioning system – all of which produced background noise.

The experiment showed that the researchers using low frequencies (1000 RPM for “0” and 1600 RPM for “1”) over a distance of one meter could transmit 3 bits per minute. In other words, it would take approximately three minutes to transmit 1 byte of each character of a password or an encryption key.

It is possible to have better transfer rate by increasing the frequency in the Fansmitter. For instance, using a rotation range of 2000-2500 RPM the experts transferred 10 bits per minute over a four-meter distance, and the same transfer rate can also be achieved over a distance of eight meters if the frequency is increased. At 4000 – 4250 RPM, the team transmitted 15 bits per minute over a one-meter distance.