Hot and bothered air-gapped PCs open to BitWhisper attack

News by Doug Drinkwater

Security researchers at Ben Gurion University in Israel have continued their examination of security on air-gapped PCs, finding that they can be compromised using specially-designed malware measuring tiny fluctuations in heat.

The research was conducted by Mordechai Guri, Ph.D, who was assisted by Mazan Munitz and guided by Prof Yuval Elovici, as part of the ongoing focus on air-gap security at the BGU Cyber Security Research Center in Beer Sheva, Israel.

In the past year, researchers at the university have found that air-gapped PCs could potentially be compromised using mobile malware and light-based printers, but this latest project indicates that heat emissions could also play a part in hijacking an air-gapped device to steal data.

Researchers say that this is possible by using an attack technique named ‘BitWhisper’. Put simply, would-be attackers could infect both the attack and victim devices with specially-designed malware, and then manipulate heat patterns by using thermal sensors - typically used to prevent the system from over-heating.

The researchers said that this method “establishes a covert, bi-directional channel by emitting heat from one PC to the other in a controlled manner. By regulating the heat patterns, binary data is turned into thermal signals. In turn, the adjacent PC uses its built-in thermal sensors to measure the environmental changes. These changes are then sampled, processed, and converted into data.”

Commands or data can subsequently be sent from one machine to another, in an attack that would leave "no trace whatsoever" as it was happening over invisible heat signals, thus there would be no record of data being exfiltrated.

In a video demonstration, Guri and the team showed how BitWhisper could be used to make a USB toy missile launcher rotate and fire. There are, however, a few catches - most notably that both devices would have to have malware installed (not so easy for air-gapped machines, which usually require physical access), and would have to be within 15 inches (or 40cm) of each other. It is also slow at sending data, as it can only transmit around 8 bits per hour.

Researchers, nonetheless, say that this proof of concept (POC) attack could be used to steal data, including passwords and private security keys, from classified military and payment networks.

“The scenario is prevalent in many organisations where there are two computers on a single desk, one connected to the internal network and the other one connected to the internet,” the researchers said. “BitWhisper can be used to steal small chunks of data (eg passwords) and for command and control.”

“Only eight signals per hour are sufficient to steal sensitive information such as passwords or secret keys. No additional hardware or software is required. Furthermore, the attacker can use BitWhisper to directly control malware actions inside the network and receive feedback.”

Speaking after the release of the findings (the full report is due to be released shortly), Dudu Mimran, chief technology officer of the Cyber Security Labs at the university, said that the attack is viable given that it is common for organisations to have a set-up where, on a single desktop, there are two computers - on internal and external networks.

Asked how technically difficult this attack would be to carry out, he added: “In terms of implementing the technology it is definitely not trivial but as we all know attackers are very sophisticated so non-trivial does not cut it anymore. In terms of a real attack scenario the main challenge is infecting the internal computer with malicious software which can be done well beforehand - infecting the externally connected computer is way easier since it is open to web browsing.”

He added that air-gapped PCs should never be treated as a “magic solution for security.” 

“I think air-gap should not be treated as a magic solution for security. The physical setup and surrounding environment matter a lot and the only thing to do is to stay up to date on attack vectors like those we have disclosed and mitigate them.”

Jonathan Care, research director at Gartner, told SC that this was a useful side-channel attack, but said that the low bit-rate limited its effectiveness.

“This is a form of side-channel attack, where unintentional “side products” such as power fluctuation, sub-audio, and in this case, thermal emission are used to communicate between machines that have already been compromised,” he said via email.

“The bit rate is currently extremely low, and other side channels (such as sub-audible noise through speakers/mic), crafted DNS queries and responses, may have more efficacy.

“Where machines are in thermally controlled environments such as data centres, then this will affect the production and emission of heat due to greatly increased cooling designed to keep a machine outer casing at a constant temperature. In addition, it is common for security conscious data centre managers to zone servers according to the sensitivity of information thereon.

“It is not clear how this attack would function in a complex environment, such as bladed redundant processors or a virtualised environment.”

Ken Munro, partner and founder of Pen Test Partners, added in an email to SC: “It's a nice attack, though just one of many side channel techniques. Security consequences of unexpected transmissions are covered in the TEMPEST specification.

“Shielding can help transmission of RF data, so one solution to heat leakage is of course to insulate the PC. That will cause mayhem with cooling of the system, so careful thought towards insulation of certain components may help.

“The attack is very low bandwidth, but is a timely reminder of systems leaking data in ways we didn't intend.”
