When heat from one computer is emitted and detected by an adjacent computer, a channel can be opened that researchers are claiming can facilitate the spread of keys, passwords and even malware. According to researchers from the Cyber Security Research Center at Ben Gurion University in Israel, the bridge, something they’ve dubbed BitWhisper, can allow for communication between the two air-gapped machines.

Researchers Mordechai Guri and Matan Munitz discovered the method and were overseen by Yuval Elovici, a professor at the school’s Department of Information Systems Engineering. The three plan to publish a paper on their research, “BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations,” soon.

To connect two otherwise separate computers – a common sight in specialized computer labs, military networks, etc. – the channel relies on something the researchers call “thermal pings,” the repeated fusion of two networks via proximity and heat. This helps grant a bridge between the public network and the internal network.

“At this stage, the attacker can communicate with the formerly isolated network, issuing commands and receiving responses,” the report reads.

Once the airgap has been bridged, attackers can do a handful of things, including using the channel to spread keys, unleash a worm, send a command to an industrial control system, or spread malware to other parts of the network.

“BitWhisper provides a feasible covert channel, suitable for delivering command and control (C&C) messages, and leaking short chunks of sensitive data such as passwords,” the paper warns.
In a video posted to YouTube, the researchers demonstrate how they were able to send a command from one machine to another in order to reposition and then launch a small, toy missile.

For their study the researchers positioned personal computers next to one another – side-by-side, back-to-back, even stacked on top of each other – to determine how quickly data traveled between the two. The researchers then ran the machines through a rigorous series of calculations and “busy loops” in order to get them to give off more heat. From there they were able to gauge which of the computers’ temperature sensors were affected by a difference in heat and in turn could be manipulated.

Guri and company were left with a complicated attack environment that’s dependent upon multiple, highly-calibrated parameters being set in place in order to carry out an attack.

It’s not the speediest method to transfer information – the thermal signal’s rate of change between computers can be slow – very slow – oftentimes taking several minutes to transfer just one signal; at the most, BitWhisper can process eight signals per hour. While slow, the team’s video helps illustrate that the mode of transfer is possible but it just may make more sense to transfer small bits of information.

The attack requires no special hardware or additional components; it just requires that both machines are infected by malware. On top of that the channel is bi-directional, meaning the sender could be the receiver in some instances. The attack should work as long as one computer is producing heat and another is monitoring that heat.

End-users who wanted to theoretically prevent an attack like this from happening could keep computers far apart from each other. While that may seem like the most sensible move, researchers stress it may be difficult.
“Keeping minimal distances between computers is not practical,” the researchers said, “and obviously, managing physical distances between different networks has its complexity in terms of space and administration overheads that increases with every air-gap network used.”

Guri and a trio of researchers found a technique last year to use FM waves for data exfiltration. Guri and his team presented the malicious program, AirHopper, at MALCON, a conference in Mumbai last year, and showed how it could be used to decode a radio signal sent from a computer’s video card. That attack helped clarify what is and isn’t possible when it comes to staging threats against air-gapped machines.

The threat landscape is a field of great interest to researchers at the university. Going forward Guri states that he and his team are hoping to see if they can get two computers to send and receive information at the same time and to see if it’s possible to get two computers in the same room, giving off heat, to boost the channel’s effective transmission range.
Air-gapped systems, which are isolated from the Internet and are not connected to other systems that are connected to the Internet, are used in situations that demand high security because they make siphoning data from them difficult. Air-gapped systems are used in classified military networks, the payment networks that process credit and debit card transactions for retailers, and in industrial control systems that operate critical infrastructure. Even journalists use them to prevent intruders from remotely accessing sensitive data. To siphon data from an air-gapped system generally requires physical access to the machine, using removable media like a USB flash drive or a firewire cable to connect the air-gapped system directly to another computer.

But security researchers at Ben Gurion University in Israel have found a way to retrieve data from an air-gapped computer using only heat emissions and a computer’s built-in thermal sensors. The method would allow attackers to surreptitiously siphon passwords or security keys from a protected system and transmit the data to an internet-connected system that’s in close proximity and that the attackers control. They could also use the internet-connected system to send malicious commands to the air-gapped system using the same heat and sensor technique.

In a video demonstration produced by the researchers, they show how they were able to send a command from one computer to an adjacent air-gapped machine to re-position a missile-launch toy the air-gapped system controlled.

The proof-of-concept attack requires both systems to first be compromised with malware. And currently, the attack allows for just eight bits of data to be reliably transmitted over an hour—a rate that is sufficient for an attacker to transmit brief commands or siphon a password or secret key but not large amounts of data. It also works only if the air-gapped system is within 40 centimeters (about 15 inches) from the other computer the attackers control.
But the researchers, at Ben Gurion’s Cyber Security Labs, note that this latter scenario is not uncommon, because air-gapped systems often sit on desktops alongside Internet-connected ones so that workers can easily access both.

The method was developed by Mordechai Guri, Gabi Kedma and Assaf Kachlon and overseen by their adviser Yuval Elovici. The research represents just a first step, says Dudu Mimran, chief technology officer at the lab, who says they plan to present their findings at a security conference in Tel Aviv next week and release a paper describing their work later on.

“We expect this pioneering work to serve as the foundation of subsequent research, which will focus on various aspects of the thermal channel and improve its capabilities,” the researchers note in their paper. With additional research, they say they may be able to increase the distance between the two communicating computers and the speed of data transfer between them.

In their video demonstration, they used one computer tower to initiate a command to an adjacent computer tower representing an air-gapped system. But future research might involve using the so-called internet of things as an attack vector—an internet-connected heating and air conditioning system or a fax machine that’s remotely accessible and can be compromised to emit controlled fluctuations in temperature.

How It Works

Computers produce varying levels of heat depending on how much processing they’re doing. In addition to the CPU, the graphics-processing unit and other motherboard components produce significant heat as well. A system that is simultaneously streaming video, downloading files and surfing the internet will consume a lot of power and generate heat.

To monitor the temperature, computers have a number of built-in thermal sensors to detect heat fluctuations and trigger an internal fan to cool the system off when necessary or even shut it down to avoid damage.
The attack, which the researchers dubbed BitWhisper, uses these sensors to send commands to an air-gapped system or siphon data from it. The technique works a bit like Morse code, with the transmitting system using controlled increases of heat to communicate with the receiving system, which uses its built-in thermal sensors to then detect the temperature changes and translate them into a binary “1” or “0.”

To communicate a binary “1” in their demonstration for example, the researchers increased the heat emissions of the transmitting computer by just 1 degree over a predefined timeframe. Then to transmit a “0” they restored the system to its base temperature for another predefined timeframe. The receiving computer, representing the air-gapped system, then translated this binary code into a command that caused it to reposition the toy missile launcher.

The researchers designed their malware to take into consideration normal temperature fluctuations of a computer and distinguish these from fluctuations that signal a system is trying to communicate. And although their malware increased the temperature by just one degree to signal communication, an attacker could increase the temperature by any amount as long as it’s within reason, to avoid creating the suspicion that can accompany an overactive computer fan if the computer overheats.

Communication can also be bi-directional with both computers capable of transmitting or receiving commands and data. The same method, for example, could have been used to cause their air-gapped system to communicate a password to the other system.

The malware on each system can be designed to search for nearby PCs by instructing an infected system to periodically emit a thermal ping—to determine, for example, when a government employee has placed his infected laptop next to a classified desktop system. The two systems would then engage in a handshake, involving a sequence of “thermal pings” of +1C degrees each, to establish a connection.
But in situations where the internet-connected computer and the air-gapped one are in close proximity for an ongoing period, the malware could simply be designed to initiate a data transmission automatically at a specified time—perhaps at midnight when no one’s working to avoid detection—without needing to conduct a handshake each time.

The time it takes to transmit data from one computer to another depends on several factors, including the distance between the two computers and their position and layout. The researchers experimented with a number of scenarios—with computer towers side-by-side, back-to-back and stacked on top of each other. The time it took them to increase the heat and transmit a “1” varied between three and 20 minutes depending. The time to restore the system to normal temperature and transmit a “0” usually took longer.

Other Air-Gap Hacking Techniques

This isn’t the only way to communicate with air-gapped systems without using physical media. Past research by other teams has focused on using acoustic inaudible channels, optical channels and electromagnetic emissions. All of these, however, are unidirectional channels, meaning they can be used to siphon data but not send commands to an air-gapped system.

The same Ben Gurion researchers previously showed how they could siphon data from an air-gapped machine using radio frequency signals and a nearby mobile phone. That proof-of-concept hack involved radio signals generated and transmitted by an infected machine’s video card, which could be used to send passwords and other data over the air to the FM radio receiver in a mobile phone.

The NSA reportedly has been using a more sophisticated version of this technique to not only siphon data from air-gapped machines in Iran and elsewhere but also to inject them with malware, according to documents leaked by Edward Snowden.
Using an NSA hardware implant called the Cottonmouth-I, which comes with a tiny embedded transceiver, the agency can extract data from targeted systems using RF signals and transmit it to a briefcase-sized relay station up to 8 miles away.

There’s no evidence yet that the spy agency is using heat emissions and thermal sensors to steal data and control air-gapped machines—their RF technique is much more efficient than thermal hacking. But if university researchers in Israel have explored the idea of thermal hacking as an attack vector, the NSA has likely considered it too.
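The encoding described under How It Works (a sustained rise of about 1 degree for a “1”, a return to base temperature for a “0”, each held for a predefined timeframe) leaves a two-level pattern in a temperature-sensor log. The following Python sketch is an added example, not code from the researchers or from either article; the one-sample-per-minute log, the 10-sample slot, the tolerance and all function names are assumptions, and the trace is constructed.

```python
from statistics import mean, median

def synth_trace(bits, slot_len=10, base=40.0, delta=1.0, quiet_n=10):
    """Constructed sensor log: a quiet period, then one slot per bit with a slow ramp."""
    jitter = [0.0, 0.1, -0.1, 0.05, -0.05]          # stand-in for sensor noise
    trace = [base + jitter[i % 5] for i in range(quiet_n)]
    level = base
    for bit in bits:
        target = base + delta * bit
        for i in range(slot_len):
            frac = min(1.0, (i + 1) / (slot_len // 2))  # heating and cooling are slow
            trace.append(level + (target - level) * frac + jitter[i % 5])
        level = target
    return trace

def slot_tails(samples, slot_len, quiet_n):
    """Second half of each slot, after the temperature has settled."""
    body = samples[quiet_n:]
    return [body[i + slot_len // 2:i + slot_len]
            for i in range(0, len(body) - slot_len + 1, slot_len)]

def decode_bits(samples, slot_len=10, quiet_n=10, delta=1.0):
    """Baseline from the quiet period; a slot is 1 if it settles above base + delta/2."""
    base = median(samples[:quiet_n])
    return [1 if mean(t) >= base + delta / 2 else 0
            for t in slot_tails(samples, slot_len, quiet_n)]

def looks_like_signalling(samples, slot_len=10, quiet_n=10, delta=1.0, tol=0.25):
    """Heuristic flag: every settled slot sits on one of two levels and the level changes."""
    base = median(samples[:quiet_n])
    levels = []
    for t in slot_tails(samples, slot_len, quiet_n):
        m = mean(t)
        if abs(m - base) <= tol:
            levels.append(0)
        elif abs(m - (base + delta)) <= tol:
            levels.append(1)
        else:
            return False                             # drifting workload, not two-level
    return sum(a != b for a, b in zip(levels, levels[1:])) >= 2

if __name__ == "__main__":
    trace = synth_trace([1, 0, 1, 1, 0])
    print(decode_bits(trace), looks_like_signalling(trace))
```

Ignoring the first half of each slot is what separates the slow ramp from the settled level; a steadily warming machine under ordinary load fails the two-level test and is not flagged.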