Fansmitter: malware that exfiltrates data from airgapped computers by varying the sound of their fans

In a new paper, researchers from Ben-Gurion University demonstrate a fiendishly clever procedure for getting data off of airgapped computers that have had their speakers removed to prevent acoustic data-transmission: instead of playing sound through the target computer's speakers, they attack its fans, varying their speeds to produce subtle sounds that humans can barely notice, but which nearby devices can pick up through their microphones.

The attack uses variations of as little as 100Hz — in fans spinning at 1,000+ RPM — to signal 0s and 1s. They also showed that they could use multiple fans in the same computer (say, fans on the GPU and power supply) in combination to linearly increase the transmission rate. What's more, they were able to use different base-rates by different computers in the same room to allow multiple machines to transmit simultaneously.

The researchers are challenging the idea of airgapping as a strategy for protecting sensitive machines. Though this attack could be defeated by installing software to detect fan-fluctuation, this software will be finicky and throw many false positives, and Fansmitter is only one of many methods for extracting data from airgapped systems.

Airgaps are problematic for another reason: they tend to be degapped. Individual systems get USB sticks plugged into them (to deliver software updates or move data on and off the system), a principle that Stuxnet's designers relied upon. Audits show that airgapped networks are frequently cross-connected to the public Internet, either by the addition of sneaky DSL connections or tethered mobile devices, or by physically plugging one of the network's devices into a switch connected to the public net. That's not because employees are insensitive to security needs — it's because they trade off the long-term, speculative costs of networked attacks on sensitive systems with the short-term, concrete benefits of being able to get their job done.

A hypothetical: you are the operator for a medical scanner that's connected to an airgapped internal network. A patient presents in a state of medical emergency, which you're asked to evaluate with your equipment. Consulting the internet on your phone, you learn that there's an upgrade to the system that will give a much better diagnosis, possibly making the difference between life and death. Normal firmware updates require a lengthy procedure with your IT department, by which time it'll be too late (besides, it's the weekend and they're all off-site, though still on-call). Do you risk your patient's life in the here-and-now, or plug in that Ethernet cable and risk the lives of theoretical patients in the future? Maybe you tell yourself that you'll disconnect the cable when it's over, but you forget (or by that time, there's already malware crawling the system, which was designed on the assumption that it would never be connected to the net, and has no defenses).

To receive the sound signals emitted from the target machine, an attacker would also need to infect the smartphone of someone working near the machine using malware designed to detect and decode the sound signals as they're transmitted and then send them to the attacker via SMS, Wi-Fi, or mobile data transfers. The receiver needs to be within eight meters or 26 feet of the targeted machine, so in secure environments where workers aren't allowed to bring their smartphones, an attacker could instead infect an internet-connected machine that sits in the vicinity of the targeted machine.

Normally, fans operate at between a few hundred RPMs and a few thousand RPMs. To prevent workers in a room from noticing fluctuations in the fan noise, an attacker could use lower frequencies to transmit the data or use what's known as close frequencies, frequencies that differ only by 100 Hz or so to signify binary 1's and 0's. In both cases, the fluctuating speed would simply blend in with the natural background noise of a room.

"The human ear can barely notice [this]," Guri says.

Fansmitter: Acoustic Data Exfiltration from
(Speakerless) Air-Gapped Computers
[Mordechai Guri, Yosef Solewicz, Andrey Daidakulov and Yuval Elovici/Ben-Gurion University of the Negev
Cyber Security Research Center]

Clever Attack Uses the Sound of a Computer's Fan to Steal Data [Kim Zetter/Wired]