Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers
📝 Abstract
Because computers may contain or interact with sensitive information, they are often air-gapped and in this way kept isolated and disconnected from the Internet. In recent years the ability of malware to communicate over an air-gap by transmitting sonic and ultrasonic signals from a computer speaker to a nearby receiver has been shown. In order to eliminate such acoustic channels, current best practice recommends the elimination of speakers (internal or external) in secure computers, thereby creating a so-called ‘audio-gap’. In this paper, we present Fansmitter, a malware that can acoustically exfiltrate data from air-gapped computers, even when audio hardware and speakers are not present. Our method utilizes the noise emitted from the CPU and chassis fans which are present in virtually every computer today. We show that software can regulate the internal fans’ speed in order to control the acoustic waveform emitted from a computer. Binary data can be modulated and transmitted over these audio signals to a remote microphone (e.g., on a nearby mobile phone). We present Fansmitter’s design considerations, including acoustic signature analysis, data modulation, and data transmission. We also evaluate the acoustic channel, present our results, and discuss countermeasures. Using our method we successfully transmitted data from an air-gapped computer without audio hardware to a smartphone receiver in the same room. We demonstrated the effective transmission of encryption keys and passwords from a distance of zero to eight meters, with a bit rate of up to 900 bits/hour. We show that our method can also be used to leak data from different types of IT equipment, embedded systems, and IoT devices that have no audio hardware, but contain fans of various types and sizes.
📄 Content
Mordechai Guri, Yosef Solewicz, Andrey Daidakulov, Yuval Elovici
Ben-Gurion University of the Negev
Cyber Security Research Center
gurim@post.bgu.ac.il; yosef.solewicz@gmail.com; daidakul@post.bgu.ac.il; elovici@post.bgu.ac.il
1. Introduction
Air-gapped computers are kept physically isolated from the Internet or other less secure networks. Such isolation is often enforced when sensitive or confidential data is involved, in order to reduce the risk of data leakage. Military networks such as the Joint Worldwide Intelligence Communications System (JWICS) [1], as well as networks within financial organizations, critical infrastructure, and commercial industries [2] are known to be air-gapped due to the sensitive data they handle. Despite the high degree of isolation, even air-gapped networks have been breached in recent years. While the most famous cases are Stuxnet [3] and agent.btz [4], other cases have also been reported [5] [6].
While the breach of such systems has been shown to be feasible in recent years, the exfiltration of data from non-networked computers or those without physical access is still considered a challenging task. Different types of out-of-band covert channels have been proposed over the years, exploring the feasibility of data exfiltration through an air-gap. Electromagnetic methods that exploit electromagnetic radiation from different components of the computer [7] [8] [9] [10] are likely the oldest kind of covert channel researched. Other types of optical [11] and thermal [12] out-of-band channels have also been suggested.
Exfiltration of data using audible and inaudible sound has been proposed and explored by [13] [14] [15]. The existing methods suggest transmitting data through the air-gap via high frequency soundwaves emitted from computer speakers. For example, the work in [14] demonstrates a malware (keylogger) that covertly transmits keystroke data through near-ultrasonic audio emitted from laptop speakers. Interestingly, in 2013 security researchers claimed to find BIOS level malware in the wild (dubbed BadBios) which communicates between air-gapped laptops using ultrasonic sound [16].
1.1. Speakerless, audioless computers
Acoustic covert channels rely on the presence of audio hardware and a speaker in the transmitter computer. To that end, common practices and security policies prohibit the use of speakers and microphones in a secure computer, in order to create a so-called ‘audio-gap’ [17] [18]. Motherboard audio support may also be disabled in the BIOS to cope with the accidental attachment of speakers to the line out connectors. Obviously, disabling audio hardware and keeping speakers disconnected from sensitive computers can effectively mitigate the acoustic covert channels presented thus far [19].
In this paper we introduce an acoustic channel which doesn’t require a speaker or other audio related hardware to be installed in the infected computer. We show that the noise emitted from a computer’s internal CPU and chassis cooling fans can be intentionally controlled by
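Because the channel introduced above depends on software changing fan speed, a host-side defender can look for repeated fan-speed swings that thermal load does not explain. The following is an added example, not code from the paper: the `Sample` record, the thresholds, and both RPM traces are constructed assumptions, with 4 s symbols chosen to match the 900 bits/hour ceiling stated in the abstract.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: float       # seconds since start of capture
    rpm: int       # fan tachometer reading
    temp_c: float  # CPU temperature at the same instant

def count_reversals(samples, min_delta=300):
    """Count direction reversals among RPM steps of at least min_delta."""
    reversals, last_dir = 0, 0
    anchor = samples[0].rpm            # RPM level at the last significant step
    for s in samples[1:]:
        delta = s.rpm - anchor
        if abs(delta) >= min_delta:    # ignore tachometer jitter
            direction = 1 if delta > 0 else -1
            if last_dir and direction != last_dir:
                reversals += 1
            last_dir, anchor = direction, s.rpm
    return reversals

def looks_keyed(samples, min_reversals=6, max_temp_span=3.0, min_delta=300):
    """True when the fan swings repeatedly while temperature stays flat."""
    temps = [s.temp_c for s in samples]
    temp_span = max(temps) - min(temps)
    return (count_reversals(samples, min_delta) >= min_reversals
            and temp_span <= max_temp_span)

def constructed_keyed(bits="1011001010110010", symbol_s=4):
    """Constructed trace: two assumed RPM levels, one sample per second."""
    stream = (b for b in bits for _ in range(symbol_s))
    return [Sample(i, 1600 if b == "1" else 1000, 45.0 + 0.2 * (i % 3))
            for i, b in enumerate(stream)]

def constructed_load_ramp(n=64):
    """Constructed benign trace: fan follows a steadily rising temperature."""
    return [Sample(i, 1000 + 20 * i, 40.0 + 0.5 * i) for i in range(n)]

if __name__ == "__main__":
    for name, trace in (("keyed", constructed_keyed()),
                        ("load ramp", constructed_load_ramp())):
        print(f"{name}: reversals={count_reversals(trace)} "
              f"suspicious={looks_keyed(trace)}")
```

The thresholds need tuning per platform, since normal fan curves and sensor noise differ between machines.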