A team of researchers claim they’ve developed malware that can extract data from an isolated computer with no internet connection, camera or audio hardware—all by using sounds generated by the machine’s processor and cooling fans.
In a new paper, researchers at Israel’s Ben Gurion University describe an attack meant to be used against isolated or “air-gapped” machines that wouldn’t normally be accessible. While others have demonstrated ways of doing this using ultrasonic waves coming from a machine’s speakers, the method the Israeli researchers describe works by controlling and listening to the speed of the machine’s fans and CPU, and doesn’t require it to have any speakers, cameras or other hardware.
“Using our method we successfully transmitted data from [an] air-gapped computer without audio hardware, to a smartphone receiver in the same room,” the researchers write. “We show that our method can also be used to leak data from different types of IT equipment, embedded systems, and IoT devices that have no audio hardware, but contain fans of various types and sizes.”
The malware, which presumably infects machines via a sneaky double-agent wielding a USB stick, works a bit like Morse code. Once installed, it locates data on the machine and transmits it by controlling the speed of the machine’s CPU and cooling fans, creating acoustic waveforms that are then received and deciphered by a nearby listening device.
Of course, that means that the transfer speed is relatively sluggish: The researchers say they were able to exfiltrate data at up to 900 bits/hour, with a listening device placed within 8 meters of the machine. While that’s hardly ideal for downloading a new Taylor Swift album, it’s just fine for stealing passwords and encryption keys.
The paper seems to be a continuation of the security research inspired by badBIOS, a somewhat mythical piece of malware that is said to burrow into a computer’s core operating system to leak data by emitting ultrasonic sound waves. Other research has shown how a similar method can be used to covertly log a user’s keystrokes by sending barely audible sound through the computer’s speakers.