BitWhisper attack on air-gapped PCs uses heat to steal data

If you think having a computer isolated from the Internet and other computers will keep you “safe,” then think again. The same security researchers who came out with Air-Hopper have announced BitWhisper as another method to breach air-gapped systems.

This time the Cyber Security Research Center at Ben-Gurion University in Israel jump the air-gap by using heat. The researchers explained the proof-of-concept attack as:

BitWhisper is a demonstration for a covert bi-directional communication channel between two close by air-gapped computers communicating via heat. The method allows bridging the air-gap between the two physically adjacent and compromised computers using their heat emissions and built-in thermal sensors to communicate.

Computers monitor temperature via “built-in thermal sensors to detect heat” and to trigger internal fans to cool the PC down. BitWhisper utilizes those sensors “to send commands to an air-gapped system or siphon data from it.” In the video below, researchers demonstrate “BitWhisper: Covert Signaling Channel between Air-Gapped Computers using Thermal Manipulations.” It shows the computer on the left emitting heat and sending a “rotate command” to a toy missile launcher connected to the adjacent air-gapped PC on the right.

The Cyber Security Research Center said:

The scenario of two adjacent computers is very prevalent in many organizations in which two computers are situated on a single desk, one being connected to the internal network and the other one connected to the Internet. The method demonstrated can serve both for data leakage for low data packages and for command and control.

The researchers said they will publish the full research paper “soon.” For now, regarding BitWhisper, they pointed to a Wired article that explains that in order for a BitWhisper attack to be successful, both computers must be compromised with malware and the air-gapped system must be within 40 centimeters from the computer controlled by an attacker.

The researchers said only “eight bits of data can be reliably transmitted over an hour,” but that’s enough to steal a password or a secret key. They added that “future research” might involve “using the Internet of Things as an attack vector—an internet-connected heating and air conditioning system or a fax machine that’s remotely accessible and can be compromised to emit controlled fluctuations in temperature.”

Wired’s Kim Zetter explained that the BitWhisper attack works somewhat like Morse code, “with the transmitting PC using increased heat to communicate to the receiving PC, which uses its built-in thermal sensors to then detect the temperature changes and translate them into a binary ‘1’ or ‘0’.” She added:

The malware on each system can be designed to search for nearby PCs by instructing an infected system to periodically emit a thermal ping—to determine, for example, when a government employee has placed his infected laptop next to a classified desktop system. The two systems would then engage in a handshake, involving a sequence of “thermal pings” of +1C degrees each, to establish a connection. But in situations where the internet-connected computer and the air-gapped one are in close proximity for an ongoing period, the malware could simply be designed to initiate a data transmission automatically at a specified time—perhaps at midnight when no one’s working to avoid detection—without needing to conduct a handshake each time.

Air-Hopper method to breach air-gapped systems

Last year, the same Ben-Gurion University researchers revealed an Air-Hopper technique (pdf) to breach air-gapped systems; it used FM radio signals and a mobile phone to surreptitiously steal data.

Georgia Tech exploited side-channel signals to steal from ‘air-gapped’ PCs

In January, Georgia Institute of Technology researchers said don’t feel smugly safe if you are typing away but didn’t connect to a coffee shop’s Wi-Fi. “The bad guys may be able to see what you’re doing just by analyzing the low-power electronic signals your laptop emits even when it’s not connected to the Internet.” They explained how keystrokes could be captured from a disconnected PC by exploiting side-channel signals (pdf).

“People are focused on security for the Internet and on the wireless communication side, but we are concerned with what can be learned from your computer without it intentionally sending anything,” said Georgia Tech assistant professor Alenka Zajic. “Even if you have the Internet connection disabled, you are still emanating information that somebody could use to attack your computer or smartphone.”

Zajic demonstrated by typing “a simulated password on one laptop that was not connected to the Internet. On the other side of a wall, a colleague using another disconnected laptop read the password as it was being typed by intercepting side-channel signals produced by the first laptop’s keyboard software, which had been modified to make the characters easier to identify.”