How to Steal Data Using a Computer’s Fan
Wednesday, June 29, 2016 @ 09:06 AM gHale
It is possible to steal data from a computer using the noise emitted by its fans to transmit data.
It is no secret researchers have been able to silently cull data from isolated devices using optic, thermal, electromagnetic and acoustic covert channels. Researchers showed they could purloin data using a computer’s internal or external speakers. As a result, for security reasons, companies working in “highly sensitive” areas did not allow computers to have the components.
But even that didn’t stop the potential to steal information as researchers from Ben-Gurion University of the Negev found a new acoustic data exfiltration attack that doesn’t rely on speakers. Instead, they just use the noise emitted by a computer’s fans to transmit data. They call the attack Fansmitter.
Here is how it works: A piece of malware installed on the targeted air-gapped computer can use the device’s fans to send bits of data to a nearby mobile phone or a different computer equipped with a microphone.
Several types of fans can be used for the task, but CPU and chassis fans are the perfect target because they can be monitored and controlled using widely available software.
The frequency and the strength of the acoustic noise emitted by fans depends on revolutions per minute (RPM), according to a paper written by Mordechai Guri, Yosef Solewicz, Andrey Daidakulov, and Yuval Elovici.
Attackers can control the fan to rotate at a certain speed to transmit a “0” bit and a different speed to transmit a “1” bit.
The noise is in the 100-600 Hz range, which a human ear can detect, but the researches said attackers could use several methods to avoid raising suspicion. For instance, they can program the malware to transmit data during hours when no one is in the room (e.g. at night). They can also use low or close frequencies, which are less noticeable.
Researchers have conducted experiments using a regular Dell desktop computer with CPU and chassis fans, and a Samsung Galaxy S4 smartphone with a standard microphone to capture the exfiltrated data.
The testing environment was a computer lab with several other workstations, switches and an air conditioning system, all of which produced background noise.
The experiment showed attackers can transmit 3 bits per minute using low frequencies (1000 RPM for “0” and 1600 RPM for “1”) over a distance of one meter. This means it would take three minutes to transmit 1 byte of data (e.g. one character of a password).
The transfer rate is much better at higher frequencies. For instance, at 4000 – 4250 RPM, experts transferred 15 bits per minute over a one-meter distance. At 2000-2500 RPM, they obtained 10 bits per minute over a four-meter distance, and the same transfer rate can also be obtained over a distance of eight meters if the frequency increases.
“Using Fansmitter, attackers can successfully exfiltrate passwords and encryption keys from a speakerless air-gapped computer to a mobile phone in the same room from various distances,” researchers said in their paper. “We demonstrated the effective transmission of encryption keys and passwords from a distance of zero to eight meters, with bit rate of up to 900 bits/hour. We show that our method can also be used to leak data from different types of IT equipment, embedded systems, and IoT devices that have no audio hardware, but contain fans of various types and sizes.”