from the data-transfer-rate-of-the-worst-ISPs dept.
Israeli researchers have demonstrated a proof of concept for defeating air-gapping through heat:
[...] [S]ecurity researchers at Ben Gurion University in Israel have found a way to retrieve data from an air-gapped computer using only heat emissions and a computer’s built-in thermal sensors. The method would allow attackers to surreptitiously siphon passwords or security keys from a protected system and transmit the data to an internet-connected system that’s in close proximity and that the attackers control. They could also use the internet-connected system to send malicious commands to the air-gapped system using the same heat and sensor technique.
...
currently, the attack allows for just eight bits of data to be reliably transmitted over an hour—a rate that is sufficient for an attacker to transmit brief commands or siphon a password or secret key but not large amounts of data. It also works only if the air-gapped system is within 40 centimeters (about 15 inches) from the other computer the attackers control. But the researchers, at Ben Gurion’s Cyber Security Labs, note that this latter scenario is not uncommon, because air-gapped systems often sit on desktops alongside Internet-connected ones so that workers can easily access both.
Oh yeah? Well, my computer's a difference engine, so there!
(Score: 5, Insightful) by Gravis on Thursday March 26 2015, @10:23AM
this only allows you to exfiltrate very very small amounts of data. this means you already need to have injected malware into the air-gapped machine and one sitting right next to it! in all honesty, this is merely a novel way to communicate between two machines. if you can get malware onto an air-gapped machine, there are much better ways of secretly transmitting data.
(Score: 3, Insightful) by GreatAuntAnesthesia on Thursday March 26 2015, @10:38AM
> if you can get malware onto an air-gapped machine, there are much better ways of secretly transmitting data.
Please expand on this, I'd love to hear some options. While this heat-attack is slow, it is incredibly sneaky and hard to detect. Also, while this was demonstrated using desktop PCs, it could theoretically be expanded to embedded electronics and other types of computer. The kind that might not have a convenient soundcard or wifi antennae to be used by your alternate attack vectors.
> this means you already need to have injected malware into the air-gapped machine
I'm thinking this is the kind of thing that would be useful to Five-Eyes type agencies, or the Chinese gov. The kind of people who can manipulate hardware manufacturers / OS vendors to insert backdoors onto computers before they leave the factory.
(Score: 2) by iwoloschin on Thursday March 26 2015, @12:08PM
Power analysis could be one. If you're making more heat, you're drawing more power. Much easier, I would think, to drop a clamp on a line and monitor power draw. I mean, if you need to get within 15" of the damn thing anyways there's plenty of fun things you can do.
(Score: 2) by WillR on Thursday March 26 2015, @01:49PM
(Score: 2) by Hairyfeet on Thursday March 26 2015, @04:10PM
If you have already gotten malware onto an AIR GAPPED (I capitalized because some don't seem to be getting the concept, we're talking a stand alone PC where you have to have physical access to inject the malware) computer then you could 1.- Memorize more than 8 bits worth of data and transmit it when you are on a net box, 2.- Use the same method you used to get the malware on, be it flash or CD or floppy, 3.- Camera (they have cams now that can be the button on a shirt).
If you have the access to put malware on a computer where physical access is required? You are already home free, the hard part is over.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 2) by GreatAuntAnesthesia on Thursday March 26 2015, @04:28PM
> If you have already gotten malware onto an AIR GAPPED (I capitalized because some don't seem to be getting the concept, we're talking a stand alone PC where you have to have physical access to inject the malware) computer
You might be missing the point:
1 - Hardware manufacturer / OS vendor (at the direction of scary TLA [1]) installs airgap software onto the computer at the factory. It's running silently and secretly in the background, waiting to be activated by the right stimulus.
2 - hardware goes out and gets installed in a sensitive location. Needn't be a desktop or a server, it might be the ECU of a car, or a controller in some industrial setup.
3 - TLA uses remote exploits (also installed at hardware / OS level[1]) to gain control of net-connected computer within reach of the air-gapped machine.
4 - Hacked online machine reaches out to airgapped machine, sending through the correct trigger to activate the sleeper code and take control of the PC.
5 - pwned.
As you can see, no physical access is required in the way you are thinking of it. Physical access at the factory I'll grant you, but try not to think about that for too long because when you realise your computer is running a US operating system on a Chinese-made processor you'll want to sell your computer and go live in a yurt.
[1] We know they are not above this kind of shit.
(Score: 2) by Hairyfeet on Thursday March 26 2015, @05:15PM
Again if you have an enemy making the hardware? You be ALREADY fucked because there is a hell of a lot more they can do than just steal your data...imagine having all your PCs encrypt themselves with passwords of long strings of gibberish so that at a crucial time your PCs are all plastic bricks for instance.
Former AR Gov Huckabee may be an asshole but one thing he got spot on the nose is when you are having critical equipment made by a country you can't trust? You are an idiot.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 2) by WillR on Thursday March 26 2015, @08:55PM
> If you have already gotten malware onto an AIR GAPPED (I capitalized because some don't seem to be getting the concept, we're talking a stand alone PC where you have to have physical access to inject the malware)
...or your malware has to be disguised as something the owner of the air gapped network wants, and you let him install it for you. Like Stuxnet.
(Score: 2) by janrinok on Thursday March 26 2015, @12:25PM
I agree, but I think that the interesting thing about this report is that data transfer using the inbuilt temperature sensors is possible at all. Of course, both target and collector systems have to run specialised software but with NSA's efforts to penetrate each and every computer should they wish so to do, it might not be too long before it becomes easier for such an attack to be carried out. We should, rightly, be reluctant to accept such reports as describing practical attacks today, but it is also likely that the problems will be further researched and possibly overcome in the future. We mustn't blind ourselves to potential use of such attacks in the years ahead, and we cannot expect another warning from the agencies who might be using the techniques either.
(Score: 2) by FatPhil on Thursday March 26 2015, @12:26PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by WillR on Thursday March 26 2015, @02:10PM
(Score: 0) by Anonymous Coward on Thursday March 26 2015, @02:52PM
There are rules on all of those things on classified and unclassified systems including separation distance. If the rules are followed there is no problem.
(Score: 2) by FatPhil on Friday March 27 2015, @10:27AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by urza9814 on Friday March 27 2015, @05:40PM
If so then the air gapped system is completely pointless, isn't it?
(Score: 2) by maxwell demon on Friday March 27 2015, @09:51PM
No, because being air gapped would be a big part of the reason why the machine is malware free.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1, Touché) by Anonymous Coward on Thursday March 26 2015, @10:27AM
Does it make a difference if the air-gapped computer is standing up with the motherboard side facing the internet connected computer? What about if the air-gapped computer is facing away? How about lying flat? Or if the fans are a bit clogged and not cooling the CPU effectively? Or if the graphics card is generating too much heat? Or if it's running an i7 or a Celeron or an older/newer AMD chip? Or if there's an AC vent under the desk or directly above the rack? What if there's several computers in the rack but only one is air-gapped? Or the disk array is near the air-gapped computer? Or my laptop's power supply? Or ... or ... or ...
I think that under ideal conditions this may work occasionally as long as the internet connected computer knows exactly when the air-gapped computer is processing a key/password/whatever. Otherwise they just might be trying to get their 8bph from some guy playing Duke Nukem: Red Herring.
(Score: 0) by Anonymous Coward on Thursday March 26 2015, @06:37PM
All of that is just noise, you simply need to filter it out.
(Score: 0) by Anonymous Coward on Friday March 27 2015, @02:24AM
Noise is noise, but heat is heat. If you're stealing info a bit at a time via heat emissions you're not going to get different thermal fingerprints without perfect conditions and perfect timing.
(Score: 0) by Anonymous Coward on Thursday March 26 2015, @11:34AM
showing you why AI will win against humanity
(Score: 2) by kaszz on Thursday March 26 2015, @11:58AM
How is the heat difference measured reliably in another machine?
(and this just shows how sneaky BIOS and harddrive firmware code injection attacks are)
(Score: 3, Insightful) by TK-421 on Thursday March 26 2015, @03:06PM
..for another reason to start implementing this [nytimes.com].
I suspect that putting your air gapped systems in a bath of oil would totally screw up the time it took to raise and lower a single degree.
So now I can claim power savings and added security by implementing this in the data center.
(Score: 2) by TK on Thursday March 26 2015, @07:08PM
I remember seeing a demonstration video of this maybe six years or so ago for someone's home PC. The oldest youtube video I found is nine years old [youtube.com], but I feel like the idea of hobbyists using this is much older.
I imagine a data center running on mineral oil wouldn't have the same dust problem as a typical one either, but that may depend on the solubility of dust in oil.
Off topic, I'm glad they finally fixed the kinks in the process by the time they got to you. You're the spitting image of the original if I do say so myself.
The fleas have smaller fleas, upon their backs to bite them, and those fleas have lesser fleas, and so ad infinitum
(Score: 2) by TK-421 on Thursday March 26 2015, @08:03PM
Thanks. Had I known I was doing tribute I would have picked a better signature quote.
(Score: 0) by Anonymous Coward on Thursday March 26 2015, @04:15PM
And the VM is physically separate from the air-gapped machine...
I would guess you could remove the heat info available to the Internet connected one (as the host OS should handle that???)
OTOH, a good hacker could probably break out of the VM into the host and get control of the thermal sensor. Bummer.
(Score: 4, Funny) by GreatAuntAnesthesia on Thursday March 26 2015, @04:53PM
Would it be possible to inexpensively defend against this by simply pointing an external fan over the airgapped machine? You'd probably want to vary the strength/ direction of the airflow and/or temperature of the blown air randomly over time.
Of course, that solution is only as reliable as the RNG in your fan-controller, so you'd need a fan to protect your fan, and another fan to protect that one...
(Score: 1, Insightful) by Anonymous Coward on Thursday March 26 2015, @06:47PM
Or you can simply have a computer that processes random information alongside the useful information to make it more difficult for an external thermal reader to decipher useful noise from non-useful noise.
While, technically, you can attempt to filter it out (and I know you mean that as a joke) I think the point is that if the cost of doing so is greater than the benefits then it probably won't be done. Lazy governments don't care too much to hide information from each other, governments are already aware of what other governments are doing through much easier means. They mostly just want to hide information from the public and they aren't going to go through the expensive and difficult task of using heat fluctuations to spy on their citizens (governments are lazy). However using thermal heat to extract useful information from a computer is not reliable and affordable enough for most people and governments to bother.
It's similar to everyone that uses a shredder. Yes, technically, some trash digger could piece together shredded documents but, by and large, they would try to find an easier target. It's just not worth it. Heck, even cryptography can be broken with enough processing power. The point is to make it unreasonably if not prohibitively expensive, not necessarily absolutely impossible, for an attacker.
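The disagreement in the comments above ("All of that is just noise, you simply need to filter it out" versus masking the signal with random processing or a randomly varied fan) can be checked with a toy model. This is an added example, not part of the thread and not the researchers' code; the on-off keying, the 3 °C swing, the whole-degree sensor and every parameter value are assumptions, and the script only simulates numbers, it reads no real sensor.

```python
import random

def simulate_ber(bits, delta_c=3.0, samples_per_bit=30,
                 mask_amp_c=0.0, mask_period=1, seed=1):
    """Return the bit error rate of a toy on-off-keyed thermal channel.

    mask_amp_c  : amplitude of the defender's random thermal offset (deg C),
                  modelled as zero-mean, i.e. relative to its own average
    mask_period : how many consecutive samples share one masking offset
    """
    rng = random.Random(seed)
    base = 40.0                       # constructed idle temperature
    threshold = base + delta_c / 2    # receiver decides at the midpoint
    errors = 0
    offset = 0.0
    n = 0                             # global sample counter
    for bit in bits:
        total = 0
        for _ in range(samples_per_bit):
            if n % mask_period == 0:  # defender redraws the masking offset
                offset = rng.uniform(-mask_amp_c, mask_amp_c)
            n += 1
            true_temp = base + delta_c * bit + offset + rng.gauss(0, 0.3)
            total += round(true_temp)  # sensor reports whole degrees
        # Receiver "filters" by averaging every sample in the bit period.
        decoded = 1 if total / samples_per_bit > threshold else 0
        errors += decoded != bit
    return errors / len(bits)

def compare_masking(n_bits=2000, seed=7):
    """Compare no masking, fast masking and slow masking on the same bits."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]  # constructed payload
    return {
        "no_mask": simulate_ber(bits),
        "fast_mask": simulate_ber(bits, mask_amp_c=4.0, mask_period=1),
        "slow_mask": simulate_ber(bits, mask_amp_c=4.0, mask_period=30),
    }

if __name__ == "__main__":
    for name, ber in compare_masking().items():
        print(f"{name:10s} bit error rate = {ber:.3f}")
```

Under these assumptions, masking that changes on every sample is averaged away by the receiver, while masking that changes about once per bit period leaves roughly 30 percent of bits wrong. A randomized fan or decoy workload therefore has to vary on the channel's own slow timescale to be worth deploying.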
(Score: 2) by GreatAuntAnesthesia on Thursday March 26 2015, @07:15PM
Point taken, although sometimes it seems that no cost is too high in the pursuit of the totalitarian state. This particular scenario strikes me as the kind of thing they would employ against a target like Iran's nuclear program.
(Score: 0) by Anonymous Coward on Friday March 27 2015, @01:15AM
What is more important here is how long they have been actively doing this, and much, much more that they are not telling us about. This story was approved for publication from higher authorities, so we know this technique may not be considered very useful by them.
This is not about people willingly giving all their private data to some overlord sitting at facebook/google/someone_else. This is for people not willing to join facebook/google and their CIA/NSA/Mossad friends, who become targets and enemies by not giving away their private data.