Those wacky researchers at Ben-Gurion University of the Negev are at it again. The Israeli scientists, best known for dreaming up ways to transmit software from computers that aren’t networked, have figured out a way to do it using the vibrations in computer fans.
Mordechai Guri, professor at the University’s Cyber-Security Research Center, revealed the technique on 13 April in his latest paper, AiR-ViBeR: Exfiltrating Data from Air-Gapped Computers via Covert Surface ViBrAtIoNs.
Most computers have at least one fan, which they use to cool their internal components by introducing air to them. Some higher-end components like graphics cards come with their own dedicated fans to keep their silicon from overheating. Guri realised that these fans create vibrations in any structure supporting the computer (like a table).
This attack focuses on changing the speed of the chassis fan. It generates the most vibration, points out the paper, presumably because it’s embedded right into the case that sits on the table, unlike say a GPU fan that typically sits inside the machine.
Malware running on the computer changes the speed of the fan, which makes the table vibrate at different frequencies. A device that could pick up those vibrations could interpret them as data, he deduced. He also figured out the perfect device to make this work: a smartphone.
Smartphones these days ship with accelerometers that are great at recognising vibrations. They also offer some advantages for attackers, he points out. First, Android and iOS consider these sensors safe, so they don’t ask for user permissions to access them. Second, there’s no visual indication that a smartphone is using a sensor. Third, you can access the sensor using JavaScript in a web browser, meaning that you don’t technically have to infect the smartphone with a malicious app to pick up the vibrations.
The attacker still has to get malware onto the airgapped computer that’s going to transmit the data, but as Guri points out, this has been done before in incidents such as the Stuxnet attack. The malware must then gather the data that the attacker wants, and this would have to be coded in advance as there’s no command and control capability in an airgapped environment.
The malware then vibrates the fans at set frequencies, creating the appropriate vibration in the underlying table which can be picked up by the malicious code running on the smartphone. From there, the phone can communicate the data to the attacker over the internet.
Don’t expect great transmission speeds if you decide to try this attack at home. Guri demonstrated a communication speed of about half a bit per second in an average workplace scenario. Assuming all the stars aligned, you could still score some SSH keys in decent time, though.
Researchers at Ben-Gurion University have used fans to transmit data before, but they concentrated on the noise that they made. They have also used screen brightness, keyboard LEDs, speakers, and infra-red cameras, among others. Other researchers have also created attacks that used accelerometers to listen to your calls instead of getting microphone permission.
Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.
