
Academics steal data from air-gapped systems using PC fan vibrations - emptybits
https://www.zdnet.com/article/academics-steal-data-from-air-gapped-systems-using-pc-fan-vibrations/
======
peter_d_sherman
Excerpt:

"In past research, Guri and his team at the Ben-Gurion university's Cyber-
Security Research Center have shown that attackers could steal data from
secure systems using a plethora of techniques such as:

LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED

USBee - force a USB connector's data bus to give out electromagnetic emissions
that can be used to exfiltrate data

AirHopper - use the local GPU card to emit electromagnetic signals to a nearby
mobile phone, also used to steal data

Fansmitter - steal data from air-gapped PCs using sounds emanated by a
computer's GPU fan

DiskFiltration - use controlled read/write HDD operations to steal data via
sound waves

BitWhisper - exfiltrate data from non-networked computers using heat
emanations

Unnamed attack - uses flatbed scanners to relay commands to malware infested
PCs or to exfiltrate data from compromised systems

xLED - use router or switch LEDs to exfiltrate data

aIR-Jumper - use a security camera's infrared capabilities to steal data from
air-gapped networks

HVACKer - use HVAC systems to control malware on air-gapped systems

MAGNETO & ODINI - steal data from Faraday cage-protected systems

MOSQUITO - steal data from PCs using attached speakers and headphones

PowerHammer - steal data from air-gapped systems using power lines

CTRL-ALT-LED - steal data from air-gapped systems using keyboard LEDs

BRIGHTNESS - steal data from air-gapped systems using screen brightness
variations"

~~~
lostlogin
> DiskFiltration - use controlled read/write HDD operations to steal data via
> sound waves

There is almost nothing I miss about spinning disks, but having an audible
indication that something was going wrong was helpful. I refer to
inappropriate disk usage (too little or too much) rather than the noises that
preceded a disk death.

~~~
function_seven
You know how some electric cars create fake engine noise at low speeds to
avoid sneaking up on pedestrians?

I wish that was an option with SSDs. A little speaker included with the
package that I could toggle on. All it does is make fake HDD sounds. Bonus if
those sounds match the underlying logical distance and “shape” of the
read/write activity.

~~~
detaro
I wonder if one could make something driven purely by the disk activity LED
that's mildly convincing

------
varjag
They don't "steal" the data from an uncompromised system but establish a
backchannel on a compromised one.

~~~
_bxg1
That's an important distinction. I was wondering how in the world arbitrary
data was making it to the fan.

~~~
varjag
Yep. As long as you have control over the system, you can use any physical
phenomenon to communicate: blink the LEDs, beep with the speaker, tap it out
with a robot arm, etc. Not very groundbreaking per se.

------
seanwilson
> Guri says that malicious code planted on an air-gapped system can control
> the speed at which fans work. By moderating fan speed up and down, the
> attacker can control the frequency of the vibrations coming off the fan.

Ah, so it's a malicious program using fan vibrations to communicate data to an
attacker via sound where the attacker doesn't have a network connection to the
computer the malicious program is running on?

I thought it was going to be something to do with e.g. passively reading
passwords/keys via the fan vibrations somehow when the system was running non-
malicious code.

------
SilasX
I "stole" data about when my co-workers were starting npm based on when I
heard their laptop fans come on.

------
surround
Here’s an article from 2016 about the same team. In this attack, they use the
_sound_ of the fans instead of the vibration. The difference is, they would
need microphone permissions in infected smartphones, whereas the vibration
method can be transmitted with accelerometers (which doesn’t require user’s
permission)

[https://www.wired.com/2016/06/clever-attack-uses-sound-compu...](https://www.wired.com/2016/06/clever-attack-uses-sound-computers-fan-steal-data/)

------
soVeryTired
Anyone know how practical these attacks are in the real world? Are they just
an academic exercise or is there a real threat?

One issue that jumps out at me is if the system is air-gapped, how does the
malicious software get there in the first place without being detected?

~~~
bob1029
I would say they are impractical if you have perfect physical security.
Assuming your initial condition is that the air-gapped system is 100% clean to
start with, you would need physical access at least one time to kick off the
show for all of these crazy schemes.

~~~
estebarb
Unless you control each and every provider, it is difficult to achieve perfect
physical security. Most companies just bought the fans from somebody else.

------
hutzlibu
Use case for air gapping techniques, despite their small bandwidth:

- very powerful agencies with the aim to get valuable information exist

- they want to and do infect as many systems as possible automatically, by
sneaking into them by all means available (OS updates, hardware backdoors, zero
days, ..), with the hope of getting to valuable targets eventually (but zombies
have a value, too)

- any organization with very sensitive data, high value research or other
(smaller) intelligence agency knows that, so they try to have their most
sensitive data on air gapped networks or single computers.

- the attackers already drown in information and do not want their virus to
be exposed so easily, so air gapping techniques will likely not be used
normally, to reduce detection risk (also they are slow and unreliable)

But now, to get the most sensitive information, all the attackers have to do
is check if the system is air-gapped. That means it is likely that it is a high
value target.

Now the various techniques come into play, so the virus tries to communicate
with the outside world in the hope of an also infected device nearby with which
it can maybe exchange a few kb.

If he can make a small connection, then a human (or algorithm) can check if
it is really a high value target worth deploying more sophisticated attacks,
or just a paranoid hacker trying to protect his personal stuff, or just an old
forgotten PC.

In other words, if you have really sensitive data, air gapping it, might be
the way to attract attackers in the first place ..

Computer security is hard.

------
userbinator
In theory, anything that can have at least two distinct observable states can
be used to store/transmit data. That is, after all, the whole principle which
makes binary digital computing possible.

------
lopmotr
Why is this research? Everyone knows that software can control fan speed
either directly with commands or indirectly with load. Everyone also knows you
can hear the sounds fans make and microphones can pick up sounds or
vibrations. It seems to be just a mundane engineering job or hobby project.
Maybe there's some value in getting a higher bandwidth or longer range
detection or whatever, but the basic principle is too obviously true to need
to be proved.

------
netflixandkill
How fun. Practical implementation in most cases is movie plot level
implausible, but for certain high value systems we already know that state
level actors have the resources and patience to do something like build a side
channel link by having air gapped systems relay in and out via acoustics with
HVAC or whatever.

This is going to be a lot more serious as IoT device capabilities increase --
so many available microphones and radios built into everything.

------
BenjiWiebe
So I guess on an air gapped computer, it's a good idea to set the fans to 100%
in BIOS, rather than smart control / auto.

~~~
notatoad
Given the list of other exploits these guys have for exfiltrating data from
airgapped computers, it seems like if you are going to the trouble of making
an airgapped computer, you should put it in its own room with no other
computers and that nobody is allowed to bring their phone into.

------
benibela
They could try it with coil whine

I am just working on a chart that shows a tooltip when the mouse cursor hovers
over a data point.

Every time the tooltip is shown, my laptop cheeps

edit: or even if I just scroll the browser window

~~~
calaphos
Quite a problem, especially when considering cryptographic implementations.
Here's an article from 2016:

[https://dl.acm.org/doi/10.1145/2851486](https://dl.acm.org/doi/10.1145/2851486)

------
alexfromapex
The data bandwidth for fan speed modulation has to be very slow when compared
to more traditional data transfer methods I’d imagine?

------
fnord77
Maybe I am wrong, but none of these seem particularly high-bandwidth

~~~
netflixandkill
As a practical example, the keys and metadata for a root certificate authority
are only a few kilobytes.

~~~
kevindong
The article says:

> In fact, data can be exfiltrated through vibrations at a lowly speed of half
> a bit per second, making AiR-ViBeR one of the slowest exfiltration methods
> that Guri and his team have come up with in recent years.

My personal private key has a file size of 3,243 bytes. At the quoted speed,
it would take ~14.4 hours to steal assuming that the time spent recording is
completely continuous.

A single ASCII character would take 16 seconds to "steal".

~~~
moonchild
ASCII is a 7-bit encoding, it would take 14 seconds.

~~~
kevindong
I suppose for plain text files, converting the encoding from extended ASCII
(aka 8-bit) to regular ASCII (7-bit) is worthwhile if one really wants to
pursue this type of worthwhile.

Although in retrospect you can get even higher speedups by condensing the
character encoding table down to A-z and 0-9 and omitting quite a few of the
ASCII characters from the lookup table.

