Bridging the Air Gap; Data Transfer via Fan Noise

When you want to protect a computer connected to the Internet against attackers, you usually put it behind a firewall. The firewall controls access to the protected computer. However, you can defeat any lock and there are ways a dedicated attacker can compromise a firewall. Really critical data is often placed on a computer that is “air gapped.” That is, the computer isn’t connected at all to an insecure network.

An air gap turns a network security problem into a physical security problem. Even if you can infect the target system and collect data, you don’t have an easy way to get the data out of the secure facility unless you are physically present and doing something obvious (like reading from the screen into a phone). Right? Maybe not.

Researchers in Israel have been devising various ways to transmit data from air-gapped computers. Their latest approach? Transmit data by changing the speed of the cooling fans in the target computer. Software running on a cellphone (or other computer, obviously) can decode the data and exfiltrate it. You can see a video on the process below.

You have to give them points for out-of-the-box thinking. However, as a practical approach, there are a lot of things to overcome. First, you have to infect the computer. It isn’t impossible–there are real-life examples of this happening. But it is difficult. You also have to have a phone or computer near the target computer. A lot of air-gapped computers are in physically secure locations that would make that difficult. On top of that, the data rate is pretty low.

So this attack might be more theoretical than practical. You might wonder about using audio from the target computer’s speaker. If you kept the pitch high enough not to be obvious, that might work. However, a really secure computer might not have speakers. Also, detecting strange audio coming from the speakers would be easier than realizing the fan speed was modulated. In a way, it is like hardware steganography.
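From the defender's side, the modulation the article describes has a simple signature in a fan-controller log: the RPM swings between two levels while the CPU temperature is flat. The check below is an added example written for this page, not code from the article or from the researchers; the log values, sampling interval and thresholds are constructed assumptions.

```python
from statistics import pstdev

# Constructed fan-controller log, not data from the article or the research
# team: (seconds, fan_rpm, cpu_temp_c). The first ten samples are a normal
# thermal ramp; the next twelve flip the fan between two RPM levels every
# sample while the CPU temperature stays flat, the signature the post describes.
def build_samples():
    samples, t = [], 0
    for i in range(10):                       # fan tracks a slow warm-up
        samples.append((t, 1200 + 60 * i, 40.0 + 1.5 * i))
        t += 5
    for i in range(12):                       # two-level keying, no thermal cause
        samples.append((t, 1100 if i % 2 else 1700, 53.5 + 0.1 * (i % 3)))
        t += 5
    return samples

def flag_windows(samples, window=8, min_flips=4, rpm_step=300, max_temp_dev=1.0):
    """Return (start_seconds, flips, temp_dev) for each window in which the
    fan speed jumps by at least rpm_step several times while the temperature
    barely moves. A legitimate thermal controller changes speed because the
    temperature changed; repeated swings without that cause are the anomaly."""
    flagged = []
    for start in range(len(samples) - window + 1):
        win = samples[start:start + window]
        flips = sum(1 for a, b in zip(win, win[1:]) if abs(b[1] - a[1]) >= rpm_step)
        temp_dev = pstdev([s[2] for s in win])
        if flips >= min_flips and temp_dev <= max_temp_dev:
            flagged.append((win[0][0], flips, round(temp_dev, 2)))
    return flagged

if __name__ == "__main__":
    for start, flips, dev in flag_windows(build_samples()):
        print(f"t={start:>3}s  rpm swings={flips}  temp stdev={dev}")
```

Real fan controllers also change speed when the thermal load changes, so the temperature-variance condition is what keeps a normal warm-up from being flagged.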

We’ve suggested air gaps for the Internet of Things. Cars, too, come to think of it.

Thanks to [Greg] for the tip.

45 thoughts on “Bridging the Air Gap; Data Transfer via Fan Noise”

    1. Yes good point AKA, which raises the question, could you Pulse Width Modulate/Pulse Position Modulate (PWM/PPM) the fan’s motor fast enough or with minimal average energy so it wouldn’t turn – just give out sufficient Radio Frequency Interference (RFI) and thus have it detected beyond earshot – assuming the modulation at high enough frequency so not readily audible?
      The temperature of the windings could go up appreciably as power is applied with less airflow (if any) as it would be outside normal operating parameters. Could even first set a stable speed then superimpose fast changing PWM/PPM at a rate below audible background fan noise but with enough perturbation to stream data, slow but very quiet ;-)

      1. Not really, you’d have to have an app written for a specific fan controller chip to send the necessary commands over SMBUS, if it would even allow it, because beyond the standard stuff like speed and temperature, the parameters will vary with manufacturer and even particular controller model.
        Also, some (usually higher-end) fans ignore the PWM frequency the PC uses to control them and instead use their own clock source, the PWM from the PC just gives them a speed input, nothing more.

        Much better would be abusing the CPU VRM somehow, either by directly fucking with it or just by loading and unloading the CPU, you get both RFI and audible/ultrasonic sound output, data rates could be significantly higher and in case of RFI, could be read over greater distances. Also, it has been described in the past ;-)

        1. Software timing loops were used to play music through nearby AM radios in the very early days of computers. Modulating with digital payloads instead of music would certainly be an option for a higher data rate than fans. However, using speed-modulated fan noise is a clever hack.

  1. Now that’s a real-world hack that just blows me away!
    Does the delineation of upwind vs downwind have different meaning perchance to raise the follicles on the back of my neck or that’s another sort of wind from a close associate ;-)

  2. I’ll just pose another possible way of hacking here. The frequency of a switching power supply changes with the load… Much less conspicuous, and much easier to perform in software as well. Only downside: the computer will appear to become slower, because you have to load the CPU.

  3. Assuming there is a monitor, the old flash-a-few-pixels-on-the-screen scheme would do the trick, or even an ‘animated’ QR code for slow symbol rate, lots of bits per symbol transmission.
    But I guess all these are headless systems, so nice hack!

  4. Infecting air-gapped machines is (mostly) trivial because people are lazy. You only have to read up on Stuxnet to realise you don’t even need to initially infect the target machine directly to get your malware on it. Social engineering is the biggest security flaw we face today.

      1. I heard STUXNET was really written by the Israelis to attack the Siemens controllers at foreign power plants. You’d have to get it on the power plant’s intranet as I do not think prudent power plant IT security people put their system controls on Internet. It appears we (USA) are trying to take credit for it but that’s just modern IC myth. I’ll give you one guess who the prime target was/is.

    1. Or: People are lazy, and will download several standard packages when setting up. Some of the more inconspicuous things would probably be infect-able. Think fairly innocuous utility programs and other bits and pieces and the like. Stuff which you might be able to provide a mirror for, and which the person might be lazy enough to not check the checksum of. (or will check the checksum against the checksum on your mirror site)

      1. Hell, look at PadLeft. It was 12 lines of fairly easy code that was a dependency for so much. People included it without thinking, or were dependent on someone who did, and things spiraled out of control when it disappeared. Now imagine someone replaces a small to mid size package with one with some extra code which sits dormant for a while. You don’t even have to pretend to be something else and hope someone takes the bait, all you have to do is provide a useful tool and wait for it to become adopted, then pull a bait and switch. If it’s innocuous enough (i.e. not something obviously security critical) it turns out people don’t bother to check the source code for something obviously wrong, much less spend real time evaluating it and how it works.

  5. Are the numbers supposed to be the data? It doesn’t change for the whole ~40 seconds. Low data rate is an understatement!
    900 bits per hour, a 2048-bit RSA key is what, ~1000 bytes, so around 40 days (with no error correction??), assuming you would leave it running the whole time. I couldn’t sit in a room with a computer for 40 days if its fan kept spinning up and down; I would have swapped it onto a PWM-less header after about 10 minutes.
    I think there was already something done about the HF noise being able to identify individual processor instructions; perhaps an outside observer could find some signal on the mains input. Clearly the government knows it’s possible, which explains the impending smart meter (actually covert repeater stations!) rollout.

  6. That fan in the caption won’t be transferring much data, it’s a thermostatically clutched one, therefore isn’t guaranteed to be at 100% spindle speed at any time :-)

  8. I’m calling shenanigans. They provided no proof that the phone was in fact decoding anything at all. Just random numbers on a screen with what looked like an audio intensity graph.

    At least the guys decoding speech from video vibrations effectively demonstrated their technique…

    Just sayin.

  9. Great article. However, the American No Such Agency has been doing this since the 1980s. They call it TEMPEST. Here’s a great Wikipedia article on it. You should read through it thoroughly; it’s an interesting read: http://en.wikipedia.org/wiki/Tempest_(codename)

    You’d probably be shocked (or maybe not) that your PC, MAC, Laptop, whatever gives off a RF signal which is detectable in cellular phone band frequencies. The Israelis call it GSMem. The guys at Ben-Gurion University of the Negev are working on all kinds of gadgets to violate your privacy.

    Don’t forget the BitWhisperer and the ChipWhisperer (there was a HaD article on this one). Also remember the old dial up modems? Put some black electrical tape over your data activity light(s). And pull down the window shade. They can watch it with a hi-powered telescope from across the street with a photo-diode optical capture method over the eye-piece.

    LED indicators on computer equipment can be a source of compromising optical emanations. One such technique involves the monitoring of the lights on a dial-up modem. Almost all modems flash an LED to show activity, and it is common for the flashes to be directly taken from the data line. As such, a fast optical system can easily see the changes in the flickers from the data being transmitted down the wire. Source: Open Source Information

    Oh BTW? In outer space the term-of-art phrase “Air-Gapped” still applies. Why? Because the target computer and spy capture device would STILL be in breathable air because of the space craft’s life support systems. Same thing applies to submarines underwater.

    aka SOTB

      1. Magic Lantern – That’s actually disturbing news. A “friend” of mine claimed that the LEDs are too slow to respond at that high rate. I suggested manufacturers install electrolytic caps over the LED leads. But they probably won’t. They got their NSLs already I guess. I know CISCO is really pissed about the firmware beacons illegally installed in their routers’ firmware and are actively doing something sneaky to get around that. Has to do with shipping logistics to avoid shipping interdiction.

        http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/

    1. wilberofdelaware – Timex (of Connecticut) had a Data Bank watch that exploited that air-gap technique. The watch had a photo-diode under a lens on top of the watch. You’d type in your data like schedules, appointments, whatever, then when ready set the watch to capture mode and aim at your CRT screen. Start the program. The CRT would go black and thin white lines would appear on the screen like some insane Morse code app. That was air-gap data being sent to the watch. Then if you had a LCD or Laptop they evolved to an LED dongle off of your COM1 serial port. It worked quite well but as all technology it died off eventually due to memory limitations and fad wear off.

      1. To see how the Timex DataLink screen display worked go to this W3Schools Trt Editor v3.0 website. Select All then delete all code there and paste in my JavaScript code below. One could turn this into an air-gap program with a photo-diode and telescope.

        // Demo of how DataLink air-gap comm worked: thin white lines flash on a
        // black screen and a photodiode on the watch reads them.
        // Change the setTimeout delay to a lower number for a faster screen.
        // The "line off" state means 0 and the opposite is 1.
        // This demo is random, no real data.
        // The tag strings inside the quotes were lost when the comment was
        // archived; "<br>" for a blank row and "<hr>" for a white line are an
        // assumed reconstruction. Assumes the page body holds an element with
        // id="display", e.g. <body style="background:black"><div id="display"></div></body>
        function Start()
        {
        var display = document.getElementById("display");
        display.innerHTML = "<br>".repeat(Math.random() * 8);   // repeat() floors the count
        display.innerHTML += "<hr>";
        display.innerHTML += "<br>".repeat(Math.random() * 8);
        setTimeout(Start, 50);   // pass the function itself rather than a string to eval
        }
        Start();

    1. It would just require multiple (roughly the same number as sound sources) microphones to separate the 2 sources.

      even with just one microphone, if the ex-filtration code was cleverly written it would just decrease transmission speed. given a fixed volume of white noise, the power in an ever finer frequency interval decreases without bound, so the ex-filtration can modulate very slowly at a frequency known only to the adversary…

  10. Why not just blink the status LED? Most drive LEDs, display panels, etc. on the front of the system have some kind of diagnostic blink function. And the rate would be much faster and less prone to noise sources than trying to modulate something that was never ever designed to transmit any information at all.
