Exfiltrating data from air-gapped computers by modulating fan speed

For the last few years, researchers from Ben-Gurion University of the Negev have been testing up new ways to exfiltrate data from air-gapped computers: via mobile phones, using radio frequencies (“AirHopper”); using heat (“BitWhisper”), using rogue software (“GSMem”) that modulates and transmits electromagnetic signals at cellular frequencies.

The latest version of the data-exfiltration attack against air-gapped computers involves the machine’s fans.

Fan locations within a standard workstation (including air-gapped computers): power supply unit fan, chassis fan, CPU fan

Dubbed “Fansmitter,” the attack can come handy when the computer does not have speakers, and so attackers can’t use acoustic channels to get the info.

The attack starts with the Fansmitter malware being implanted on the air-gapped computer.

“Our method utilizes the noise emitted from the CPU and chassis fans which are present in virtually every computer today. We show that a software can regulate the internal fans’ speed in order to control the acoustic waveform emitted from a computer. Binary data can be modulated and transmitted over these audio signals to a remote microphone (e.g., on a nearby mobile phone),” the researchers, lead by Mordechai Guri, head of R&D at the University’s CyberSecurity Research Center, explained.

“Using our method we successfully transmitted data from air-gapped computer without audio hardware, to a smartphone receiver in the same room. We demonstrated the effective transmission of encryption keys and passwords from a distance of zero to 8 meters, with bit rate of up to 900 bits/hour. We show that our method can also be used to leak data from different types of IT equipment, embedded systems, and IoT devices that have no audio hardware, but contain fans of various types and sizes.”