
Fansmitter: Acoustic Data Exfiltration from Speakerless Air-Gapped Computers - Jonhoo
http://arxiv.org/abs/1606.05915
======
nickpsecurity
This is why Clive Robinson on Schneier's blog has been saying for close to a
decade you need to think in terms of physics. Any way of moving matter or
energy in any form to a receiver is a potential side channel. He invented the
term energy gapping to describe systems isolated from all forms of stray
energy. Needless to say, it's difficult.

He and I worked out some details on the blog years ago. We saw acoustic
attacks coming since they were used with lasers in the Cold War. So were
emanation and light-based attacks. Even toilets, plumbing, and air ducts can
leak things out. So, you start with a SCIF-style design with power filters,
EMSEC masking, audio masking, careful attention to anything coming/going, and
no wireless anything allowed. Then you have to work on endpoint security
ground up isolating and deprivileging everything. He also liked decomposing
everything into resource-isolated functions with a hypervisor inspecting them
on occasion.

Not much attack surface left at that point.

------
Artlav
Makes you wonder what else can be used.

How about power draw? If you can load and unload the CPU at will, it could
send detectable waves all the way out of the facility.

Many designers going after EMI shielding and standard compliance completely
miss the concept of conducted emissions - the RF-range noise that goes out of
the wires connected to the device, i.e. power, rather than RF.

Then, think of the laptop charge adaptors - most of them whine when plugged,
and the pitch of the whine changes with the state of charge of the laptop. The
computer might be secured, but a power supply on the other side of the air gap
is easy to forget about.

~~~
monocasa
[https://en.wikipedia.org/wiki/Power_analysis](https://en.wikipedia.org/wiki/Power_analysis)

------
tinbucket
Very inventive method of breaching the air and audio gaps.

I wonder if exploits like this might encourage the use of fanless computers in
these ultra-secure locations? There are quite a few processors on the market
now which give decent performance without the need for a fan.

~~~
steventhedev
At which point they'd find out how to manipulate specific capacitors on the
board to emit noise. Did you ever hold a cheap backlit wristwatch up to your
ear as a kid? That sound.

Perhaps a cheaper way to solve this is to hide the physical case inside a
locked cabinet, with a ventilation fan? Most users of secure systems don't
need physical access to the case, and the ventilator should drown out any
signal noise from such malware.

~~~
tinbucket
Fair point. I suppose it's about eliminating as many vulnerabilities and
exploit vectors as possible, then deploying countermeasures and controls to
mitigate the ones you can't remove. Putting a fanless machine inside a closed
cabinet with a relatively noisy fan, or at least one with a large frequency
spread, would go some way towards accomplishing that.

------
Animats
900 bits/hour. Slow, but if you're after some crypto keys, useful.

~~~
MrBra
> We demonstrated the effective transmission of encryption keys and passwords
> from a distance of zero to eight meters, with bit rate of up to 900
> bits/hour.

------
mSparks
Seems to be something of a waste of time.

Even if you could transmit anything useful at 900 bits per hour.

You still can't install it on the machine in the first place.

And even if you can get equipment close enough to listen.

It's not going to be as effective as pulling it from the RF emissions.

And any device that is RF isolated is also going to be audio isolated.

~~~
raverbashing
Yes

At 900 bits per hour it should be easier to convert to something printable or
just use pen and paper

(112 8-bit characters, I'm sure you could find a way of memorizing it if
needed)

~~~
dfc
Paper? I think you are missing the threat model. Eve does not have physical or
network access to the machine.

~~~
mSparks
Then how did Eve install malware on it to control the system fans?

~~~
dfc
Think Stuxnet

------
jkot
Skylake motherboards make a high-pitched noise when switching between CPU power
saving states. States change at ms scale and could carry kbps.

------
shas3
There is precedent for these types of acoustic attacks. One interesting paper
from 2014 that comes to mind is this:
[https://www.tau.ac.il/~tromer/acoustic/](https://www.tau.ac.il/~tromer/acoustic/)

Basically, the idea is that even though clocks run at GHz (which in acoustics,
would be impractical ultrasound), modular arithmetic (exponentiation) takes
~milliseconds to run, which means they produce acoustic signatures in the kHz
range, which travels easily (and omnidirectionally from the kind of small
aperture that the motherboard represents) in air and can be acquired with
cheap microphones.

------
dsfyu404ed
Cool, sure. Practical, no. It would be trivial to add some monitoring to
detect this sort of thing. Lots of data centers already monitor fan speeds
anyway.
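
The fan-speed monitoring suggested in the comment above, sketched as an added example that is not part of the thread or of the paper: it flags telemetry windows where fan RPM keeps making large jumps while temperature stays flat. The sample readings, RPM levels, window size and thresholds are all constructed assumptions.

```python
from statistics import pstdev

def count_transitions(rpm, min_step):
    """Count sample-to-sample RPM jumps of at least min_step."""
    return sum(1 for a, b in zip(rpm, rpm[1:]) if abs(b - a) >= min_step)

def suspicious_windows(samples, window=12, min_step=300,
                       min_transitions=4, max_temp_spread=1.5):
    """samples: list of (rpm, temp_c) readings taken at a fixed interval.

    Returns the start index of every non-overlapping window in which the
    fan switches speed repeatedly although the temperature barely moves,
    i.e. speed changes that thermal control does not explain.
    Thresholds are illustrative assumptions, not values from the paper.
    """
    hits = []
    for start in range(0, len(samples) - window + 1, window):
        chunk = samples[start:start + window]
        rpm = [r for r, _ in chunk]
        temp = [t for _, t in chunk]
        toggling = count_transitions(rpm, min_step) >= min_transitions
        flat_temp = pstdev(temp) <= max_temp_spread
        if toggling and flat_temp:
            hits.append(start)
    return hits

# Constructed telemetry, 12 samples each.
# Gradual ramp: fan follows a slowly rising temperature.
NORMAL = [(1000 + 100 * i, 40 + 2 * i) for i in range(12)]
# Bursty load: big RPM swings, but temperature swings with them.
BURSTY = [(1000, 45), (1700, 60)] * 6
# Two-level switching at constant temperature: the pattern to flag.
MODULATED = [(1000, 45.0), (1000, 45.2), (1600, 45.1), (1600, 45.0),
             (1000, 45.3), (1000, 45.1), (1600, 45.2), (1000, 45.0),
             (1600, 45.1), (1600, 45.2), (1000, 45.0), (1000, 45.1)]

if __name__ == "__main__":
    print(suspicious_windows(NORMAL + BURSTY + MODULATED))
```

Only the third window is flagged; the bursty-load window shows why the temperature check is needed to keep ordinary thermal control from raising alerts.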

------
dang
URL changed from [https://www.helpnetsecurity.com/2016/06/24/air-gapped-comput...](https://www.helpnetsecurity.com/2016/06/24/air-gapped-computers-fan-speed/), which points to this.

