Feeling the Heat with Data Loss
Since heat is a natural byproduct of digital computation, why not use this electromagnetic emanation as a bypass for air-gap systems?
In previous blogs we have seen how ordinary computer chips can be manipulated to broadcast over radio waves usernames and passwords from air gapped systems. And how mobile devices with malware can be tuned to listen for these weak signals in the office and then broadcast them to the outside world. What about using other electromagnetic signatures to exfiltrate data? What about heat?
Heat is a natural byproduct of digital computation. As more electrons move through the gates within the chips, as the processing cycles increase, the heat inside the chip, let alone the device, increases. To protect the chips and the devices, various built-in sensors monitor these fluctuations. If the temperature rises too high, for example, the sensors may instruct that workloads be reduced, or internal fans activate to try and bring them back to baseline normal. When you think about it, said the authors of a recent study, thermal radiation is a form of electromagnetic emanation that can be measured precisely.
What if subtle fluctuations in computer temperature could be manipulated?
In a paper last spring, researcher Mordechai Guri, along with his team from Ben Gurion University in Israel describe how thermal fluctuations, like radio waves, can be used to create a simple binary Morse Code of 1s and 0s (either the temperature increases or it returns to baseline) to transmit data between air-gapped systems. The study authors point out that the attack does not require special hardware. Instead it relies upon software, which the research team created itself and dubbed BitWhisperer.
There are limits to this attack. It only has an effective rate of 1-8 bits per hour, which is enough for username and passwords, but not much else. And the computers must be within 18 inches of each other, however many cubical arrangements in open offices have computers that close or closer. And unlike a radio wave-based attack, this thermal attack does allow for bi-directional attacks.
Thermal sensors, whether inside a traditional computer, laptop or mobile device or inside the processor, monitor the temperature to protect the device from errors or outright harm.
Specialized processors like the Graphical Processing Unit (GPU) can get very hot rendering video or while playing games so there are core sensors inside the CPU and GPU and these sensors may record temperatures much warmer than the ambient temperature inside the computer itself.
Layout, how the computers are set in relation to each other, is also essential. The default position during the tests was to have the machines parallel to each other. Other layouts the team tested included stacked, where both PCs are placed horizontally, one on top of the other; "facing away" layout, where two computers placed back-to-back with the back panels facing each other; and quadrature layout, where two computers are positioned in some form of angle.
Using the parallel layout, the researchers found that when the machines were located near each other (18 inches) the transmitting computer could affect the receiving machine by as much as 1-4 degrees Celsius. Raising the other machine's temperature by 1 degree Celsius took only 3 minutes, they reported. After 26 minutes, the other machine was 4 degrees Celsius warmer.
So, how would this BitWhisperer attack work?
The software compromises would allow the thermal sensors on the transmitting computer to raise and lower the temperature such that a binary 1 is an increase in temperature and a 0 is the decrease over a predetermined timeframe. For a 0, they restored the system to its base temperature. The receiving computer could then translate these fluctuations into binary code.
According to Wired.com the researchers were able to have the transmitting computer instruct the receiving computer to reposition a toy missile launcher on the counter near the computers.
The time it took to raise the temperature 1 degree Celsius did vary depending on distance and layout. On average the researchers found it took about 20 minutes to raise the receiving computer's temperature 1 degree Celsius, but much longer to cool it back down to the baseline.
While the researchers only used traditional PCs in their tests, similar results might be achieved with other Internet-connected hardware systems. The Internet of Things opens a larger possibility of data exfiltration devices such as Heating, Ventilating, and Air Conditioning (HVAC) systems being enlisted as well. Suddenly every device in the office has the potential to leak data, even if it is only 8 bits per hour.
Robert Vamosi is a CISSP and award-winning journalist. He is also the author of When Gadgets Betray Us: The Dark Side of Our Infatuation With New Technologies (Basic Books).