A group of Israeli security researchers at the Cyber Security Labs at Ben Gurion University has found a new technique to hack ultra-secure air-gapped computers and retrieve data using only heat emissions and a computer’s built-in thermal sensors.
WHAT ARE AIR-GAPPED COMPUTERS?
Air-gapped computers or systems are considered to be the most secure computer systems. These systems are isolated from the Internet and from any other computers that are connected to the Internet or an external network.
Air-gapped systems are used in situations that demand high security because it’s very difficult to siphon data from these systems: doing so requires physical access to the machine, which is possible using a removable device such as a USB flash drive or a FireWire cable.
Air-gapped computers are used in classified military networks, in the payment networks that process credit and debit card transactions for retailers, and in industrial control systems that operate the nation's critical infrastructure. Even journalists use them to prevent intruders from remotely accessing sensitive data.
HACKING AIR-GAPPED COMPUTERS USING HEAT
In August 2014, security researchers from Ben Gurion University found a new way to breach an air-gapped system by using a method called Air-Hopper which utilizes little more than a mobile phone’s FM radio signals for data exfiltration.
The same security researchers have now discovered a new technique, dubbed BitWhisper, that attackers could use to breach air-gapped computers by exploiting the heat exchange between two computer systems.
Dudu Mimran, the CTO of Cyber Security Labs, blogged on Monday, "BitWhisper is a demonstration for a covert bi-directional communication channel between two close by air-gapped computers communicating via heat. The method allows bridging the air-gap between the two physically adjacent and compromised computers using their heat emissions and built-in thermal sensors to communicate."
This new technique would allow hackers to stealthily siphon passwords or security keys from a secured system and send the sensitive data to an Internet-connected system that is placed in close proximity and controlled by the hackers.
Hackers could also use their Internet-connected system to send malicious commands to the air-gapped computer using the same heat and sensor technique, putting the secured infrastructure in more severe danger.
The team provided a video demonstration which shows how they were able to send a command from one computer to an adjacent air-gapped machine to re-position a toy missile launcher connected to the adjacent air-gapped system.
HOW BITWHISPER WORKS
Computers contain thermal sensors that trigger the internal fans to cool the PC down when overheating threatens to damage components such as the CPU, the GPU (graphics-processing unit) and other motherboard components.
BitWhisper utilizes these sensors to send commands to an air-gapped system or siphon data from it. The heat patterns generated by the computer are regulated, and binary data is modulated into thermal signals.
The adjacent PC uses its built-in thermal sensors to measure the environmental changes. These changes are then sampled, processed, and demodulated into binary data in order to exfiltrate data.
Experts demonstrated that the communication can also be bi-directional, with both computers capable of transmitting or receiving commands and data by using the heat emitted by the computers’ various components. A hacker simply needs to plant a piece of malware on each PC that needs to communicate.
Dudu Mimran told The Hacker News in an email that it's "not easy (to install malware), but possible, i.e. via USB or bad firmware or infection via other computers in the internal network. Such malware can be installed a long time before activation, so there are quite a few chances. Our base assumption is that air-gapped computers can be infected."
The malware is designed to search for nearby systems by periodically emitting a thermal ping from the infected system in order to determine when a victim has placed his infected laptop next to a classified desktop system.
"Once a bridging attempt is successful, a logical link between the public network and the internal network is established," researchers explained. "At this stage, the attacker can communicate with the formerly isolated network, issuing commands and receiving responses."
Both systems would then engage in a handshake, involving a sequence of "thermal pings", to establish a connection between them. An operation is more likely to succeed outside work hours, when the internet-connected computer and the air-gapped one are in close proximity for an ongoing period and there is no need to conduct a handshake each time.
- The proof-of-concept attack requires both systems to first be compromised with malware.
- The attack currently allows for just 8 bits of data to be reliably transmitted over an hour, which is sufficient for an attacker to siphon a password or secret keys.
- The attack works only if the air-gapped system is within 40 centimeters (about 15 inches) of the other computer controlled by an attacker.
However, researchers say they may be able to increase the distance between the two communicating computers and the speed of data transfer between them.
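A defender's view of the receiving side described above, as an added example that is not from the article or the researchers: heat arriving from a neighbouring machine appears on the air-gapped host as sensor readings that its own CPU load does not explain. The code fits a load-to-temperature baseline from a clean window and flags sustained excess; the linear model, the thresholds and every sample reading are constructed assumptions.

```python
from statistics import mean

# Constructed calibration window from a known-quiet period: (cpu_load_pct, temp_c).
CALIBRATION = [(10, 41.0), (20, 42.0), (40, 44.0), (60, 46.0), (80, 48.0)]

# Constructed monitoring log: (minute, cpu_load_pct, temp_c).
SAMPLES = [
    (0, 10, 41.1), (5, 12, 41.3),
    (10, 11, 43.4), (15, 10, 44.0), (20, 12, 43.6),  # hot while idle
    (25, 11, 41.4),
    (30, 70, 47.2), (35, 75, 47.6),                  # hot, but local load explains it
    (40, 10, 43.0),                                  # single-sample blip
    (45, 10, 41.2),
    (50, 12, 43.5), (55, 11, 43.9), (60, 10, 43.7), (65, 10, 43.2),
]

def fit_baseline(calibration):
    """Least-squares line temp = slope * load + intercept (assumed linear model)."""
    loads = [load for load, _ in calibration]
    temps = [temp for _, temp in calibration]
    lbar, tbar = mean(loads), mean(temps)
    sxx = sum((load - lbar) ** 2 for load in loads)
    sxy = sum((load - lbar) * (temp - tbar) for load, temp in calibration)
    slope = sxy / sxx
    return slope, tbar - slope * lbar

def unexplained_heat_runs(samples, model, threshold_c=1.5, min_run=3):
    """Return (start_minute, end_minute) spans where the sensor reads more than
    threshold_c above the load-predicted value for min_run or more samples."""
    slope, intercept = model
    runs, current = [], []
    for minute, load, temp in samples:
        residual = temp - (slope * load + intercept)
        if residual > threshold_c:
            current.append(minute)
            continue
        if len(current) >= min_run:
            runs.append((current[0], current[-1]))
        current = []
    if len(current) >= min_run:  # a run still open when the log ends
        runs.append((current[0], current[-1]))
    return runs

if __name__ == "__main__":
    model = fit_baseline(CALIBRATION)
    for start, end in unexplained_heat_runs(SAMPLES, model):
        print(f"unexplained heat from minute {start} to {end}")
```

The `min_run` requirement filters out single-sample blips, and the load term keeps the host's own busy periods from being flagged.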
FUTURE ATTACK MAY INVOLVE IoT DEVICES
According to the security researchers, future research might involve using the so-called internet of things (IoT), such as an internet-connected heating and air conditioning system or a fax machine, as an attack vector instead of internet-connected computers.
The researchers, Mordechai Guri and Matan Munitz, working under the guidance of Professor Yuval Elovici, planned to present their findings at a security conference in Tel Aviv next week and publish a paper on their research, "BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations."