Security News Malware Can Use Fan Noise to Exfiltrate Data from Air-Gapped Systems

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Malicious applications can use the noise emanated by a computer's fan speed to relay information to a nearby recording device and steal data from air-gapped, isolated systems.

Other researchers proved in the past that malware could use low-frequency sounds sent through the computer's speakers to exfiltrate data from targeted systems to a nearby microphone-enabled device.

This particular scenario has been proven feasible over the past years, and because of the likelihood of something like this happening, in environments with tight security, some administrators have removed speakers from air-gapped systems.

Fansmitter, the malware that fiddles with your fan speed
Four researchers from the Ben-Gurion University of the Negev in Israel have created Fansmitter, a piece of malware that takes the above scenario, but instead of speakers, it uses a computer's fans to send data from the infected host.

Because all data is basically a sequence of ones and zeros, the researchers created Fansmitter to take over the computer's fan speed and make it work at two different speeds, corresponding to a binary "1" and a binary "0".

Fansmitter works with CPU, GPU, or chassis-mounted fans, and can be effective from one to four meters away. Researchers consider this a reliable distance up to which a microphone or a smartphone can be left behind to record sounds emanated from the computer.
Fansmitter attacks are very slow and time-consuming
The downside of a Fansmitter attack is the slow pace at which crooks can steal data. In one of their experiments, using 1000 RPM for "0" and 1600 RPM for "1," researchers were able to steal only 3 bits per minute.

They achieved a speed of 15 bits per minute by using 4000 and 4250 RPM. Increasing the distance between the infected computer and the microphone/smartphone reduced the exfiltration speed. For fan frequencies of 2000 and 2500 RPM, the speed was only 10 bits per minute.

Besides the obvious slow speed, Fansmitter has other drawbacks. The first is that computer fans, in general, emit noise in the range of 100 Hz to 600 Hz, which can be picked up by the human ear.

The attacker can use lower fan speeds, but this also reduces the distance at which the attack can be carried out. They could also use 0/1 frequencies that are closer together, but this also opens the data to background noise.

A compromised computer (A) - without speakers, and with audio hardware disabled - transmits sensitive information via acoustic signals. This information is received and decoded by a nearby mobile phone (B)
Air-gapped systems under attack
The researchers behind this study are Mordechai Guri, Yosef Solewicz, Andrey Daidakulov, and Yuval Elovici. Their paper, named Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers, is available as a free download.

At the start of the month, another team of Israeli researchers used coil whine, the noise from the interactions between a computer's components, to extract cryptographic keys used in encrypted communications.

A few months earlier, the same team also extracted cryptographic keys from a computer in another room, through the wall, by using the electromagnetic field emanated by the victim's machine.

Besides sound-based exfiltration methods, researchers proved in the past that they could steal data from air-gapped systems using optic (LEDs), thermal (CPU or GPU heat), or electromagnetic channels.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Since this attack still needs a malware on the targeted user's computer, AppGuard and other security software may still be able to prevent this kind of attack, right?
 

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Thanks for the news, very Ingenious method :)

(Question : should we got to listen music on our PC to scramble the potential information sent ? :confused::rolleyes::p)
 
Last edited:
  • Like
Reactions: Der.Reisende

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
@XhenEd: Of course it will prevent considering that any rules that are not included on whitelist should block no matter what type of attack will be deliver.

----------------------

Attacks nowadays goes smarter since security programs have no ability to detect attacks to hardware base nor formulate techniques.
 
  • Like
Reactions: DardiM and XhenEd

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top