Saturday, August 27, 2016

Air Gapped Systems (Part 2) - Fansmitter

In May 2016, I wrote about air-gapped systems infected via USB flash drive. This post is a follow-up on a technique dubbed Fansmitter. In late June 2016, it was divulged that a team of researchers at Israel's Ben Gurion University had developed malware that extracts data from an isolated computer through acoustic sounds generated by the machine's processor and cooling fans. Extraction of data using ultrasonic waves from a machine's speakers had already been proven; this method instead works by controlling the speed of the machine's fans and CPU and listening to the sound they produce (Kopstein, 2016). That sound can then be analyzed to extract usernames, passwords, and full encryption keys.

For this type of attack to succeed, there are a few prerequisites: the target computer has to be physically compromised, as with Stuxnet; the computer's fan has to be configured to act as a transmitter; and a smartphone acting as a receiver has to be within 24 feet of the target computer (Olenick, 2016). The researchers used two fan speeds (1,000 and 1,600 RPM) to represent the 1s and 0s of their code and listened to the sequence of fan whines to keep track. Their maximum bandwidth is about 1,200 bits an hour, which equates to about 150 alphanumeric characters an hour (Templeton, 2016). The frequency of the fan sound depends on the number of blades and their rate of rotation.
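Seen from the defender's side, the two-speed encoding described above leaves a trace in host fan telemetry. The following is an added example, not code from the researchers or from the cited articles: it flags fan readings that keep switching between the two reported speeds while temperature stays flat. The tolerance, switch-count and temperature thresholds, the 7-blade fan and the sample readings are all assumptions constructed for illustration.

```python
# Added example: host-side check for fan speed keyed between two RPM levels.
# All thresholds are assumed values, not figures from the Fansmitter research.

def blade_pass_hz(rpm, blades):
    """Blade pass frequency: the fan tone set by blade count and rotation rate."""
    return rpm / 60.0 * blades

def count_level_switches(rpm_samples, low=1000, high=1600, tol=100):
    """Count transitions between the two RPM bands (1,000 and 1,600 on the page)."""
    switches, last = 0, None
    for rpm in rpm_samples:
        if abs(rpm - low) <= tol:
            level = "low"
        elif abs(rpm - high) <= tol:
            level = "high"
        else:
            continue  # fan is ramping or running at an unrelated speed
        if last is not None and level != last:
            switches += 1
        last = level
    return switches

def looks_keyed(rpm_samples, temp_samples, min_switches=6, max_temp_swing=3.0):
    """Suspicious: repeated two-level switching with no thermal reason for it."""
    temp_swing = max(temp_samples) - min(temp_samples)
    return (count_level_switches(rpm_samples) >= min_switches
            and temp_swing <= max_temp_swing)

# Constructed telemetry, one reading per polling interval (not real captures).
KEYED_RPM = [1000, 1010, 1600, 1590, 1000, 1600, 1600, 1000, 1005, 1600, 1000, 1600]
KEYED_TEMP = [45.0, 45.2, 45.5, 45.4, 45.1, 45.6, 45.8, 45.3, 45.0, 45.4, 45.2, 45.5]
THERMAL_RPM = [1000, 1050, 1200, 1350, 1500, 1600, 1610, 1600, 1400, 1100, 1000]
THERMAL_TEMP = [40, 43, 48, 53, 58, 62, 62, 61, 55, 46, 41]

if __name__ == "__main__":
    for name, rpm, temp in (("keyed", KEYED_RPM, KEYED_TEMP),
                            ("thermal", THERMAL_RPM, THERMAL_TEMP)):
        print(name, count_level_switches(rpm), looks_keyed(rpm, temp))
    # Tones an acoustic monitor would watch for, assuming a 7-blade fan.
    print(round(blade_pass_hz(1000, 7), 1), round(blade_pass_hz(1600, 7), 1))
```

A fan that follows load ramps through intermediate speeds as temperature changes, so the constructed thermal series produces only two band transitions and is not flagged.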



This method can also be used to leak data from different types of information technology equipment, embedded systems, and Internet of Things devices. One's first reaction might be to strengthen the physical controls with better locks, doors, frames, cameras, and guards, or to adopt policies and procedures that keep sensitive computers in restricted areas where mobile phones and other recording devices are banned. One might even implement a technical control such as generating background noise so that acoustic transmissions are impossible, replacing fans with specialized quiet ones, or using water cooling instead (Emerging Technology, 2016).

These controls are good; however, they don't address the larger issue: the insider threat and the transmission media of the malware. Many air-gapped systems receive data from USB drives that obtained the data from a general support system that has Internet capabilities. The days of saying, "It's air gapped" as a means of security are over. Theft of data is not the only issue. These air-gapped machines are more critical and more often than not run national infrastructure, so destruction, data modification, and availability are more important.

References:

Kopstein, J. (2016, June 25). Researchers Make Malware That Steals Data by Spinning Your Computer's Fans. Retrieved August 27, 2016, from http://motherboard.vice.com/read/researchers-make-malware-that-steals-data-by-spinning-your-computers-fans

Olenick, D. (2016, June 27). Fansmitter malware steals data through a computer's cooling fans. Retrieved August 27, 2016, from http://www.scmagazine.com/fansmitter-malware-steals-data-through-a-computers-cooling-fans/article/505643/

Emerging Technology. (2016, June 30). How “Fansmitter” Malware Steals Data from Air-Gapped Computers. Retrieved August 27, 2016, from https://www.technologyreview.com/s/601816/how-fansmitter-malware-steals-data-from-air-gapped-computers/

Templeton, G. (2016, June 29). Computer coughs up passwords, encryption keys through its cooling fans | ExtremeTech. Retrieved August 27, 2016, from http://www.extremetech.com/extreme/230933-computer-coughs-up-passwords-encryption-keys-through-its-cooling-fans