Malware Can Use Fan Noise to Exfiltrate Data from Air-Gapped Systems


Batu69

Attack works up to a distance of four meters

   CPU fans can be used to steal data from infected systems

 

Malicious applications can use the noise emanated by a computer's fan speed to relay information to a nearby recording device and steal data from air-gapped, isolated systems.

Other researchers proved in the past that malware could use low-frequency sounds sent through the computer's speakers to exfiltrate data from targeted systems to a nearby microphone-enabled device.

This scenario has been proven feasible over the past years, and because it is considered likely enough to happen, some administrators in environments with tight security have removed speakers from air-gapped systems.

Fansmitter, the malware that fiddles with your fan speed

Four researchers from the Ben-Gurion University of the Negev in Israel have created Fansmitter, a piece of malware that adapts the above scenario to use a computer's fans, instead of its speakers, to send data from the infected host.

Because all data is basically a sequence of ones and zeros, the researchers created Fansmitter to take over the computer's fan speed and make it work at two different speeds, corresponding to a binary "1" and a binary "0".

Fansmitter works with CPU, GPU, or chassis-mounted fans, and can be effective from one to four meters away. Researchers consider this a reliable distance up to which a microphone or a smartphone can be left behind to record sounds emanated from the computer.

Fansmitter attacks are very slow and time-consuming

The downside of a Fansmitter attack is the slow pace at which crooks can steal data. In one of their experiments, using 1000 RPM for "0" and 1600 RPM for "1," researchers were able to steal only 3 bits per minute.

They achieved a speed of 15 bits per minute by using 4000 and 4250 RPM. Increasing the distance between the infected computer and the microphone/smartphone reduced the exfiltration speed. For fan frequencies of 2000 and 2500 RPM, the speed was only 10 bits per minute.

Besides the obvious slow speed, Fansmitter has other drawbacks. The first is that computer fans, in general, emit noise in the range of 100 Hz to 600 Hz, which can be picked up by the human ear.

The attacker can use lower fan speeds, but this also reduces the distance at which the attack can be carried out. They could also use 0/1 frequencies that are closer together, but this also opens the data to background noise.

A compromised computer (A) - without speakers, and with audio hardware disabled - transmits sensitive information via acoustic signals. This information is received and decoded by a nearby mobile phone (B)

 

Air-gapped systems under attack

The researchers behind this study are Mordechai Guri, Yosef Solewicz, Andrey Daidakulov, and Yuval Elovici. Their paper, named Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers, is available as a free download.

At the start of the month, another team of Israeli researchers used coil whine, the noise from the interactions between a computer's components, to extract cryptographic keys used in encrypted communications.

A few months earlier, the same team also extracted cryptographic keys from a computer in another room, through the wall, by using the electromagnetic field emanated by the victim's machine.

Besides sound-based exfiltration methods, researchers proved in the past that they could steal data from air-gapped systems using optic (LEDs), thermal (CPU or GPU heat), or electromagnetic channels.

Fan locations within a standard workstation
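
The two-speed signalling described above leaves a trace in the host's own fan telemetry, so a defender can look for it there. The following is an added example, not code from the article or the Fansmitter paper: a small detector that flags a fan RPM log which keeps switching between two stable levels. The thresholds, function names and sample traces are assumptions constructed for illustration; only the RPM pairs and the 3 bits per minute rate come from the article.

```python
from statistics import mean, pstdev

def split_levels(rpms, rounds=10):
    """1-D two-means: estimate a low and a high RPM level from the readings."""
    lo, hi = float(min(rpms)), float(max(rpms))
    for _ in range(rounds):
        mid = (lo + hi) / 2
        low = [r for r in rpms if r <= mid]
        high = [r for r in rpms if r > mid]
        if not low or not high:
            break
        lo, hi = mean(low), mean(high)
    return lo, hi

def looks_keyed(rpms, min_gap=150, max_spread_ratio=0.15, min_transitions=6):
    """True if the trace keeps switching between two stable RPM levels.
    All thresholds are assumptions for this sketch, not values from the paper."""
    if len(rpms) < 2:
        return False
    lo, hi = split_levels(rpms)
    gap, mid = hi - lo, (lo + hi) / 2
    if gap < min_gap:
        return False  # effectively one speed
    state = [r > mid for r in rpms]
    low = [r for r, s in zip(rpms, state) if not s]
    high = [r for r, s in zip(rpms, state) if s]
    if max(pstdev(low), pstdev(high)) > max_spread_ratio * gap:
        return False  # readings smeared across the range: a thermal ramp
    flips = sum(a != b for a, b in zip(state, state[1:]))
    return flips >= min_transitions

# Constructed telemetry, polled every 5 s (20 s per bit = 3 bits/min, as in the article).
JITTER = [-12, 5, 9, -4]  # constructed sensor noise in RPM
def two_level_trace(bits, rpm0, rpm1):
    return [(rpm1 if b else rpm0) + j for b in bits for j in JITTER]

KEYED_SLOW = two_level_trace([1, 0, 1, 1, 0, 0, 1, 0, 1, 0], 1000, 1600)
KEYED_FAST = two_level_trace([1, 0, 1, 1, 0, 0, 1, 0, 1, 0], 4000, 4250)
THERMAL_RAMP = (list(range(1000, 1601, 50)) + list(range(1550, 999, -50))) * 4
STEADY = [1200 + j for j in JITTER] * 10

if __name__ == "__main__":
    for name in ("KEYED_SLOW", "KEYED_FAST", "THERMAL_RAMP", "STEADY"):
        print(name, looks_keyed(globals()[name]))
```

A workload that legitimately alternates between idle and full load can produce the same pattern, so a hit is a reason to inspect which process is driving the fan controller, not a verdict.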

 