Fansmitter: Acoustic Data Exfiltration from Speakerless Air-Gapped Computers

60 points by Jonhoo, almost 9 years ago

9 comments

nickpsecurity, almost 9 years ago
This is why Clive Robinson on Schneier's blog has been saying for close to a decade you need to think in terms of physics. Any way of moving matter or energy in any form to a receiver is a potential side channel. He invented the term energy gapping to describe systems isolated from all forms of stray energy. Needless to say, it's difficult.

He and I worked out some details on the blog years ago. We saw acoustic attacks coming since they were used with lasers in Cold War. So, were emanation and light-based attacks. Even toilets, plumbing, and air ducts can leak things out. So, you start with a SCIF style design with power filters, EMSEC masking, audio masking, careful attention to anything coming/going, and no wireless anything allowed. Then you have to work on endpoint security ground up isolating and deprivileging everything. He also liked decomposing everything into resource-isolated functions with a hypervisor inspecting them on occasion.

Not much attack surface left at that point.
Artlav, almost 9 years ago
Makes you wonder what else can be used.

How about power draw? If you can load and unload the CPU at will, it could send detectable waves all the way out of the facility.

Many designers going after EMI shielding and standard compliance completely miss the concept of conducted emissions - the rf-range noise that goes out of the wires connected to the device, i.e. power, rather than RF.

Then, think of the laptop charge adaptors - most of them whine when plugged, and the pitch of the whine changes with the state of charge of the laptop. The computer might be secured, but a power supply on the other side of the air gap is easy to forget about.
tinbucket, almost 9 years ago
Very inventive method of breaching the air and audio gaps.

I wonder if exploits like this might encourage the use of fanless computers in these ultra-secure locations? There are quite a few processors on the market now which give decent performance without the need for a fan.
Animats, almost 9 years ago
900 bits/hour. Slow, but if you're after some crypto keys, useful.
mSparks, almost 9 years ago
seems to be something of a waste of time.

even if you could transmit anything useful at 900 bits per hour.

you still can't install it on the machine in the first place.

and even if you can get equipment close enough to listen.

it's not going to be as effective as pulling it from the rf emissions.

and any device that is rf isolated is also going to be audio isolated.
jkot, almost 9 years ago
Skylake motherboards make high pitch noise, when switching between CPU power saving states. States change at ms scale and could carry kbps
shas3, almost 9 years ago
There is precedent for these types of acoustic attacks. One interesting paper from 2014 that comes to mind is this: https://www.tau.ac.il/~tromer/acoustic/

Basically, the idea is that even though clocks run at GHz (which in acoustics, would be impractical ultrasound), modular arithmetic (exponentiation) takes ~milliseconds to run, which means they produce acoustic signatures in the kHz range, which travels easily (and omnidirectionally from the kind of small aperture that the motherboard represents) in air and can be acquired with cheap microphones.
dsfyu404ed, almost 9 years ago
Cool, sure. Practical, no. It would be trivial to add some monitoring to detect this sort of thing. Lots of data centers already monitor fan speeds anyway.
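
Added example, not part of the thread or of the Fansmitter paper: one way to do the fan-speed monitoring the comment above mentions, flagging RPM swings that temperature does not explain. The telemetry format, the two-level keying pattern and every threshold are assumptions, and the sample data is constructed.

```python
"""Flag fan-speed changes that temperature does not explain.

Assumptions (not from the thread): telemetry is a list of (rpm, temp_c)
samples taken at a fixed interval, and a covert sender keys data by moving
the fan between two speeds. All thresholds are illustrative.
"""

RPM_SWING = 300       # minimum RPM change between samples that counts as a swing
TEMP_TOLERANCE = 1.0  # a swing is "explained" if temperature moved more than this (deg C)
WINDOW = 20           # samples per sliding window
MAX_SWINGS = 4        # unexplained swings tolerated per window


def unexplained_swings(samples):
    """Return indexes where RPM jumped while temperature stayed flat."""
    hits = []
    for i in range(1, len(samples)):
        (prev_rpm, prev_t), (rpm, t) = samples[i - 1], samples[i]
        if abs(rpm - prev_rpm) >= RPM_SWING and abs(t - prev_t) <= TEMP_TOLERANCE:
            hits.append(i)
    return hits


def suspicious_windows(samples):
    """Return start indexes of windows with more than MAX_SWINGS unexplained swings."""
    hits = unexplained_swings(samples)
    flagged = []
    # A trace shorter than WINDOW is checked as a single window starting at 0.
    for start in range(0, max(1, len(samples) - WINDOW + 1)):
        count = sum(1 for i in hits if start <= i < start + WINDOW)
        if count > MAX_SWINGS:
            flagged.append(start)
    return flagged


# Constructed telemetry: a normal thermal ramp, then a two-level pattern
# at constant temperature (what keyed fan speed would look like to a monitor).
NORMAL = [(1000 + 40 * i, 40.0 + 0.5 * i) for i in range(20)]
KEYED = [(1000 if b == "0" else 1600, 45.0) for b in "0101100110100101"]

if __name__ == "__main__":
    print("normal ramp flagged windows:", suspicious_windows(NORMAL))
    print("keyed trace flagged windows:", suspicious_windows(KEYED))
```
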
dang, almost 9 years ago
Url changed from https://www.helpnetsecurity.com/2016/06/24/air-gapped-computers-fan-speed/, which points to this.