This week, a team of computer scientists at the Ben-Gurion University of the Negev in Israel released a report announcing their successful development of a new breed of malware that is actually able to exfiltrate data from air-gapped computers via fans.
No, we’re not talking your biggest supporters here; the fans we’re referring to are cooling fans, the kind that keep your computer’s internal components from overheating. Dubbed Fansmitter, this malware is designed to acoustically exfiltrate sensitive information across air-gapped systems via emission of acoustic tones from cooling fans. In order for the malware to work, the attack model requires installation on both a transmitter and a receiver.
In the test conducted, Fansmitter was installed on a desktop computer, as well as a nearby Samsung Galaxy S4 smartphone. The malware was then able to retrieve targeted data and transmit it to the receiving smartphone via acoustic tones produced by manipulating the fans’ rotations per minute (RPM).
Via such RPM manipulation, sensitive binary data can be modulated onto these acoustic sound waves, transmitted, and decoded on the receiving, likewise-infected unit. The receiving unit is then able to deliver the results to the target destination via SMS or an alternate means of transmission.
Air-gapping has traditionally been used to separate a computer system from any external connectivity that could facilitate compromise of sensitive data, and is a configuration often used within the federal government for such purposes. While past studies have demonstrated that malware may be used to exfiltrate information through an air gap by transmitting ultrasonic audio signals from the internal or external speakers of computer systems, an effective mitigation to this possibility has been to eliminate all internal and external speakers from systems’ design configuration.
The problem with Fansmitter is that internal cooling fans are crucial to system survival, as their elimination would result in overheating of critical components, such as the CPU and power supply. The vast majority of today’s systems feature such cooling fans and, as such, all of these systems are vulnerable to Fansmitter attack.
Successful execution of the attack does rely on infection of both the transmitting and receiving units, which must reside within zero to eight meters of one another, so pulling off such an attack would take a high degree of coordination, but it is absolutely possible. Smartphones are comparatively easier to infect than traditional computers, and infection of air-gapped computers may be achieved via introduction of an infected USB drive or other media, just as Stuxnet was able to infect Iranian nuclear facilities.
It was reported that the acoustic tones are indeed detectable by the human ear, which would likely necessitate after-hours execution of the attack. There would seem to be one problem: what’s the likelihood of anyone leaving their mobile phone behind at the end of the workday? Not a problem. Fansmitter can effectively transform any device with a microphone into a receiver, meaning even another computer system in the same room, within a distance of zero to eight meters, could be infected and leveraged as long as it has a microphone.
Not only this, but Fansmitter may also be used on any number of devices featuring internal fans to leak sensitive information, including IT equipment, embedded systems, and Internet of Things (IoT) devices.
At a transmission speed of merely 900 bits per hour, or 15 bits per minute, the process is excruciatingly slow by traditional standards for larger amounts of information, but quite effective for small portions of data such as passwords and encryption keys that may be leveraged for follow-up attacks targeting larger datasets.
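Because the channel hops the fan between two discrete speed levels at roughly the rate quoted above (15 bits per minute works out to about four seconds per bit), the modulation leaves a signature in ordinary fan telemetry that a thermal controller never produces. The following is an added example, not code from the Ben-Gurion researchers or from the Fansmitter report, showing one way a defender could check host fan-RPM logs for that pattern. It assumes the host exports fan speed once per second as plain "seconds rpm" lines (as lm-sensors or IPMI tooling can be scripted to do); the two-level clustering heuristic, its thresholds (300 RPM separation, six switches per minute, 60 RPM tolerance) and the three telemetry windows are all constructed for illustration.

```python
"""Heuristic detector for fan-speed covert channels in RPM telemetry.

Added example for illustration; not code from the Fansmitter report.
Assumption: the host logs one fan-RPM sample per second as "seconds rpm"
lines. Idea: a thermal controller ramps fan speed gradually or steps it
once under load, whereas a data channel near 15 bits/min hops repeatedly
between two well separated RPM levels, dwelling about 4 s per bit.
"""
from collections import Counter


def parse_telemetry(text):
    """Parse 'seconds rpm' lines into a list of (seconds, rpm) tuples."""
    samples = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, rpm = line.split()
        samples.append((float(t), int(rpm)))
    return samples


def quantize(rpm, bucket=100):
    """Round an RPM reading half-up to the nearest bucket (avoids banker's rounding)."""
    return int(rpm / bucket + 0.5) * bucket


def dominant_levels(samples, bucket=100):
    """Return the two most common quantized RPM levels, sorted ascending."""
    counts = Counter(quantize(rpm, bucket) for _, rpm in samples)
    return sorted(level for level, _ in counts.most_common(2))


def analyze_window(samples, min_separation=300, min_switches=6, tol=60):
    """Return a verdict dict for one window of (seconds, rpm) samples.

    Thresholds are assumed values for this example, not measured ones.
    """
    verdict = {"suspicious": False, "levels": None, "switches": 0, "min_dwell_s": None}
    if len(samples) < 10:
        return verdict
    levels = dominant_levels(samples)
    verdict["levels"] = levels
    if len(levels) < 2 or levels[1] - levels[0] < min_separation:
        return verdict  # a single level, or a gentle ramp with no clear pair of levels
    low, high = levels

    def label(rpm):
        if abs(rpm - low) <= tol:
            return 0
        if abs(rpm - high) <= tol:
            return 1
        return None  # in between: a ramp sample, not a modulated symbol

    switches, on_level, prev, last_switch_t, dwells = 0, 0, None, None, []
    for t, rpm in samples:
        cur = label(rpm)
        if cur is None:
            continue
        on_level += 1
        if prev is not None and cur != prev:
            switches += 1
            if last_switch_t is not None:
                dwells.append(t - last_switch_t)  # time spent on a level between hops
            last_switch_t = t
        prev = cur
    verdict["switches"] = switches
    if dwells:
        verdict["min_dwell_s"] = min(dwells)  # shortest dwell approximates the bit period
    # Flag when nearly every sample sits on one of the two levels and the fan hops often.
    verdict["suspicious"] = switches >= min_switches and on_level >= 0.9 * len(samples)
    return verdict


def constructed_log(rpm_at):
    """Build 60 s of constructed one-sample-per-second telemetry."""
    return "\n".join(f"{t} {rpm_at(t)}" for t in range(60))


BITS = "101100111010010"  # constructed payload: 15 bits, 4 s each -> 15 bits/min


def _modulated_rpm(t):
    """Constructed covert-channel trace: 1600 RPM for a 1 bit, 1000 RPM for a 0 bit, +/-10 jitter."""
    level = 1600 if BITS[t // 4] == "1" else 1000
    return level + (t * 7) % 21 - 10


NORMAL_RAMP_LOG = constructed_log(lambda t: 1000 + 10 * t)          # slow thermal ramp
LOAD_STEP_LOG = constructed_log(lambda t: 1000 if t < 30 else 1600)  # one step under load
MODULATED_LOG = constructed_log(_modulated_rpm)                      # two-level hopping

if __name__ == "__main__":
    for name, log in (("ramp", NORMAL_RAMP_LOG), ("step", LOAD_STEP_LOG), ("modulated", MODULATED_LOG)):
        print(name, analyze_window(parse_telemetry(log)))
```

Only the constructed modulated window is flagged; the thermal ramp never settles on two separated levels, and the single load step produces one transition rather than a train of them. In a real deployment the window would be slid over live telemetry and the thresholds tuned against the host's normal fan behaviour.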
The developmental research conducted by the team demonstrates the false sense of security offered by system air-gapping methodologies, and has opened the eyes of industry professionals to such innovative measures that will require attention in future information security threat mitigations to secure our nation's critical information assets.