Researchers show fan speed can be modulated to steal data from air-gapped computers
In the past, many research groups have developed methods to steal data from isolated devices disconnected from the Internet using optic, thermal, electromagnetic and acoustic covert channels. Since researchers demonstrated several years ago that data can be stolen using a computerโs internal or external speakers, many organizations have banned these components from air-gapped devices for security reasons.
However, now researchers from Ben-Gurion University of the Negev have discovered a new acoustic data exfiltration method that leverages on a mobile phone positioned in the vicinity of the targeted machine to monitor the computer fans. This version of the data-exfiltration attack against air-gapped computers involves the machineโs fans. The malicious code developed by the researchers can use the deviceโs fans to exfiltrate data. With this method, it sends out bits of data to the mobile phone or any other computer equipped with a microphone.
โOur method utilizes the noise emitted from the CPU and chassis fans which are present in virtually every computer today. We show that a software can regulate the internal fansโ speed in order to control the acoustic waveform emitted from a computer. Binary data can be modulated and transmitted over these audio signals to a remote microphone (e.g., on a nearby mobile phone),โ the researchers, led by Mordechai Guri, Head of R&D at the Universityโs CyberSecurity Research Center, explained.
Dubbed โFansmitter,โ the attack can be helpful only when the computer does not have speakers, so that the attackers cannot use acoustic channels to get the information.
โPast research has demonstrated that malware can exfiltrate information through an air-gap by transmitting audio signals from the internal or external speakers of desktop computers,โ reads the technical paper, entitled โFansmitter: Acoustic data exfiltration from (speakerless) air-gapped computersโ published by the experts.
โUsing Fansmitter attackers can successfully exfiltrate passwords and encryption keys from a speakerless air-gapped computer to a mobile phone in the same room from various distances,โ researchers wrote in their paper. โBeyond desktop computers, our method is applicable to other kinds of audioless devices, equipped with cooling fans (various types and sizes of fans) such as printers, control systems, embedded devices, IoT devices, and more.โ
The researchers were able to examine the frequency and the strength of the acoustic noise released by fans that depend on revolutions per minute (RPM). The malicious code can control the fan to rotate at a certain speed to transmit a โ0โ bit and a different speed to transmit a โ1โ bit.
The noise produced by the fan is included in the 100-600 Hz range, which can be detected by the human ear. However, experts point out those attackers could use several methods to avoid raising suspicion by instructing the malware to release data during hours when no one is in the room. They can also use low or close frequencies, which are less visible.
For their experiment, the researchers used a common Dell desktop computer with CPU and chassis fans, and noises were captured with a Samsung Galaxy S4 smartphone. The testing environment was a computer lab with several other workstations, switches and an air conditioning system โ all of which produced background noise.
The experiment showed that the researchers using low frequencies (1000 RPM for โ0โ and 1600 RPM for โ1โ) over a distance of one meter could transmit 3 bits per minute. In other words, it would take approximately three minutes to transmit 1 byte of each character of a password or an encryption key.
It is possible to have better transfer rate by increasing the frequency in the Fansmitter. For instance, using a rotation range of 2000-2500 RPM the experts transferred 10 bits per minute over a four-meter distance, and the same transfer rate can also be achieved over a distance of eight meters if the frequency is increased. At 4000 โ 4250 RPM, the team transmitted 15 bits per minute over a one-meter distance.