Industry News

How malware could steal data from an air-gapped PC – via its fan

Imagine you’re a cybercriminal and you want to steal information from a malware-infected PC that isn’t connected to the internet, isn’t connected to any other computers, and that you don’t have any physical access to.

How would you do it?

Without being able to physically reach the isolated computer, and without any network connections, you’re going to have to use your imagination.

And that’s precisely what researchers from the Ben-Gurion University of the Negev in Israel have done, dreaming up the the concept of the Fansmitter malware, capable of transmitting sensitive information from the PC by adjusting its fan speed.

In their technical paper, entitled “Fansmitter: Acoustic data exfiltration from (speakerless) air-gapped computers”, Mordechai Guri, Yosef Solewicz, Andrey Daidakulov, Yuval Elovici describe how such an attack works:

“Our method utilizes the noise emitted from the CPU and chassis fans which are present in virtually every computer today. We show that a software can regulate the internal fans’ speed in order to control the acoustic waveform emitted from a computer. Binary data can be modulated and transmitted over these audio signals to a remote microphone (e.g., on a nearby mobile phone).”

fansmitter-1

Similar attacks have been postulated by malware sending high frequency sounds through a computer’s built-in speaker in the past, but there has been an obvious (if rudimentary) solution to that threat – remove the speaker.

Such a solution isn’t really practical when it comes to your computer’s fan.

Before you get too fearful that your computer’s fan is sharing your personal or business secrets, it’s important to underline some important points:

  1. Your computer cannot be infected by malware via sound. Your computer would need to be already compromised and infected by malware to interpret sound waves collected by its microphone as malicious instructions. And if a computer is already infected, where would be the attraction in infecting it again via the sound of some noisy fans?
  2. If your computer is air-gaped from the rest of the world, what are the chances that a malicious attacker would be able to infect it with malicious code in the first place to start sharing its secrets by messing around with its fan speed? The most likely route might be via malware on a USB stick being shared with individuals who use the victim PC, or to have meddled with its software somewhere along it’s supply chain – but it’s not a method of attack that is likely to be deployed against the vast majority of computer users.
  3. You don’t just have to have a target computer that has been compromised and pumping out data via the fan. You also need a device which can receive the data – it needs to be physically close by (the researchers claim from one to four meters distance).
  4. Not only does the surveillance device picking up on the sound of the fan need to be close by, it also needs to be present for an extended period of time. In some of its tests the researchers were only able to steal 3 bits (not bytes!) per minute – getting as high as 15 bits per minute when they raised the fan’s oscillation speed.

In short, the method of attack is unusual and interesting, but probably not practical in the vast majority of cases. Aside from the difficulty of infecting a target computer in the first place, there are some obvious other considerations.

For instance, any attacker using the method faces the challenge of either having users notice the unusually loud behaviour fo their computer’s fan, or drastically reduce the distance over which data can be stolen.

For now I wouldn’t lose too much sleep about this particular elaborate method of data exfiltration. Although it never makes sense to turn an entirely blind eye to potential threats, there are much more serious real and present dangers that the typical IT security manager should be treating as a priority instead.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

4 Comments

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • This technique is probably intended more for spying, for use by an insider. No surprise that this research comes from the home country of Mossad.

  • That's totally nutz! How much money would they make if they applied their brain power and skills to legitimate business ventures?

  • Interesting!

    What I would say about this, side-channel attacks such as taking advantage of acoustic's do exist and exploiting can happen. But, again this would be a very extreme case and picking up acoustic's emissions, say from a fan or keyboard would be a real James Bond moment. Pardon the pun, but in all seriousness these type of attacks a very high level and we all know the hatters of the world would use more theoretical form of attacks.

    Thanks

  • I suspect that it could be useful to know when a computer is switched on and off depending on where the person is located, at home or work. Or even when a computer is being used.