The most secure computers in the world can't “Google” a thing—they are disconnected from the Internet and all other networks. The U.S. military and the National Security Agency rely on this attack-prevention measure, known as air-gapping, as does The Intercept, the media outlet co-founded by Glenn Greenwald, who was instrumental in disclosing the nsa's extensive domestic surveillance program. But where there's a will, there's a way: a team of doctoral students at Ben-Gurion University of the Negev in Israel announced it can obtain information from an air-gapped computer by reading messages encoded in the heat given off, like smoke signals, by its processors.
All computers have built-in thermal sensors, which detect the heat produced by processors and trigger the rotation of fans to avoid damage to components. To achieve the hack in an office setting, snoopers would infect two adjacent desktop PCs—one air-gapped, the other connected to the Internet—with malware that can take control of the machines and enable them to decode messages hidden in the sensor data. A virus carrying the malware could infect the Internet-connected machine fairly easily, whereas a USB drive or other hardware approach would be required with the air-gapped machine—a feat that could prove difficult at high-security locations.
In a scenario in which a hacker sought a password stored on the air-gapped computer, the malware could instruct the computer's central processor to perform work in a pattern of activity that reveals those characters. Each spate of activity would produce a puff of warm air that would travel to the connected computer, where its thermal sensors would log that single bit of information. Over time, voilà, a set of bits representing the password. The connected computer could then send that information to the interested party. The computer scientists call their hack BitWhisper.
If it sounds awfully slow, it is. The compromised computers can transmit only a maximum of eight bits per hour and can be located no more than 16 inches apart. But that rate is enough to get what you need, says Yisroel Mirsky, one of the co-authors of the research, which will be presented at the IEEE Computer Security Foundations Symposium in Verona, Italy, this month. “You need only about five bits,” he says, for a simple message, such as a command from the connected computer to the disconnected one, to initiate a data-destroying algorithm.
BitWhisper might seem too elaborate—after all, if one can get malware onto a computer via USB, why bother with the heat channel? Mirsky notes that this setup allows a hacker to control an air-gapped computer without physically sitting at it. Also, a computer heating up is unremarkable, so the hack could escape notice, says Anil Madhavapeddy, who studies unconventional ways to transmit information at the University of Cambridge and was not involved in the study. “In general, as computers get faster and the data contained in them more valuable,” he explains, “even the very slow covert channels are useful for attackers because they can just sit back and let them run for hours or even days to leak important information while staying under the radar.”
Of course, stopping such an attack is simple: keep air-gapped computers far away from any computers on a network or insert a sheet of insulation between machines. Given all the conditions BitWhisper would need to work in the real world, it might just be easier to find a whistle-blower.
