Become a fan of Slashdot on Facebook


Forgot your password?
Hardware Hacking Security

Hack Air-Gapped Computers Using Heat 123

An anonymous reader writes Ben-Gurion University of the Negev (BGU) researchers have discovered a new method to breach air-gapped computer systems called "BitWhisper," which enables two-way communications between adjacent, unconnected PC computers using heat. BitWhisper bridges the air-gap between the two computers, approximately 15 inches apart that are infected with malware by using their heat emissions and built-in thermal sensors to communicate. It establishes a covert, bi-directional channel by emitting heat from one PC to the other in a controlled manner. Also at Wired.
This discussion has been archived. No new comments can be posted.

Hack Air-Gapped Computers Using Heat

Comments Filter:
  • by Anonymous Coward
    ...welcome our infrared overlords.
  • by Crashmarik ( 635988 ) on Tuesday March 24, 2015 @09:39AM (#49326777)

    Film at 11:00

  • by Anonymous Coward

    This article is just a bunch of hot air.

    • by gnupun ( 752725 )

      Is it TCP/IP over hot air? If so, who installed the server software on the air-gapped PC?

  • goddamnit!!! (Score:5, Informative)

    by Anonymous Coward on Tuesday March 24, 2015 @09:42AM (#49326795)

    they didn't "hack" the machine using heat!

    they gained control of both machines ahead of time, and THEN used heat (etc) to exfil data.

    they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack".

    • by tiberus ( 258517 )
      Kinda reminds me of:

      Leonard: Not only is he still not talking to me, but there’s this thing he does where he stares at you and tries to get your brain to explode. You know, like in the classic sci-fi movie Scanners? (Put’s fingers to head) You know, bzzz-pchew! Never mind. How about this one. It says, “I know my physics, but I’m still a fun guy!”

      Series 1 Episode 09 – The Cooper-Hofstadter Polarization

    • Re:goddamnit!!! (Score:5, Informative)

      by Lumpy ( 12016 ) on Tuesday March 24, 2015 @10:10AM (#49326981) Homepage

      Just like the "hack using computer speakers" just install this malware first...

      It's an interesting out of band communications process, a very very VERY slow one... but still interesting.

    • by bondsbw ( 888959 )

      This technique re-establishes communication which provides a mechanism for a malicious user to regain control. It could be used to load new malicious software, download sensitive data, and establish a proxy into other disconnected internal systems.

      So I fail to care about which term is used, it is a security breach and one of the worst kind... the kind where you think you're completely safe, but you still aren't.

      • Re:goddamnit!!! (Score:4, Insightful)

        by LordLimecat ( 1103839 ) on Tuesday March 24, 2015 @11:22AM (#49327483)

        So I fail to care about which term is used, it is a security breach and one of the worst kind

        Except it will only work in the most esoteric scenarios with laboratory conditions, sure. 2 PCs, with side-vent cooling and no cold aisle, and a distance of 15 inches?

        Somehow I dont think this will threaten air-gapped secure networks. Those are going to have steady cold air coming in the front, and exhausting out the back; if theyre dumping significant heat through the side of the cases you're doing it wrong.

        • by healyp ( 1260440 )
          But what about the workstations that access those secure networks? The internal workstation may be sitting right next to an internet connected workstation.
          • It doesn't matter if the workstation hasn't already been compromised. You need to hack the computer before you can use this technique.
        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Exploits only ever get better. That's threat analysis 101. And you've provided no evidence or analysis why you're supposed mitigations are an insurmountable defense; at best they're only a stop-gap.

          This is a proof of concept. And a pretty cool proof of concept. The idea of using a side channel like this isn't that novel (RSA key cracks via CPU acoustics was shown years ago), but just think of the all the little problems you'd have to solve to execute the concept. It's pretty awesome work.

          • And you've provided no evidence or analysis why you're supposed mitigations are an insurmountable defense; at best they're only a stop-gap.

            In THEORY breaking most encryption is just guessing the right 2048-bit code. At best, increasing the length from 1024 to 2048 is just a stopgap.

            In reality, some attacks are so esoteric and hard to pull off (famous example: hard drive magnetic domain remnant detection) that they are not a real-world threat. MAYBE they could adapt this, but it already requires
            A) a machine connected to the internet that is compromised (!)
            B) an AIR-GAPPED, high-security machine directly adjacent to it (!!!)
            C) That that air-g

      • So I fail to care about which term is used, it is a security breach and one of the worst kind

        It is not a security breach at all, and I'm not sure you could even recognize a buffer overflow if you saw one (bro, do you even asm?).

        Once security is breached through another method, this can be used for two already compromised computers to communicate. As a threat, it's less dangerous than a cat5 cable.

        • by bondsbw ( 888959 )

          Wow, please pay attention.


          I never stated that no other security breach already existed, but that a new one is being added.

          Consider this scenario: government systems, one computer is internet facing, the other computer is completely isolated. Joe Badguy installs each computer before they are put into real use, and adds the exploit to each. The government beefs up physical security, then enables the internal system confident that data added to it cannot leave. But sometime later, Joe Badguy connects

          • mov eax, $phantomfive_understands
            cmp eax, 0x1
            jne read


            • by bondsbw ( 888959 )

              Granted... from a "real security" standpoint, this is probably amongst the most difficult situations to exploit effectively. Heat transfer isn't exactly broadband. I imagine you'd be doing well to get 1 bpm (bit per minute) communications. The exploit code would probably need to include a sophisticated AI just to figure out what is important enough to transmit.

    • by Anonymous Coward

      they didn't "hack" the machine using heat!

      they gained control of both machines ahead of time, and THEN used heat (etc) to exfil data.

      they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack".

      Well, yes they did, depending on what meaning you put into the word "hack". For a lot of us old-schoolers, "hack" means "do something cool" and is not limited to "gain unauthorized access to". To support this, we fall back on how the word "hack" was used in the 1960's at places like MIT. For example, look at the classic Jargon File, where the definition of "hack" does not mention anything illegal at. Using that defintion, I would say they did a hack using only heat to communicate.

      Then again, I am fully awar

      • Re:goddamnit!!! (Score:4, Informative)

        by Sique ( 173459 ) on Tuesday March 24, 2015 @10:42AM (#49327225) Homepage
        They used heat as an attack vector by creating a covered channel. It is not an attack vector to gain access, it's an attack vector to siphon data.
    • ...they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack"....

      Stop saying "heat" as well. Heat in this context is nothing but low-frequency light.

      So the headline should read...

      Malware that was installed on computers uses light to send data to other computers similarly loaded with malware.

      But that doesn't make for a page-hit-generating headline.

    • by Anonymous Coward

      Hack doesn't mean "infiltrate".

      They are using a novel technique to achieve something unexpected - that is the definition of hacking.

      • "They are using a novel technique to achieve something unexpected"

        Infrared data exchange is decades old. hardly a 'novel technique'.

        But machines with microphones, cameras, wireless mice and keyboards are vulnerable, everything can be used, the nut before the keyboard included.

    • by Anonymous Coward

      The sad thing is, some security puke is going to read this and there will be studies initiated, PowerPoints distributed and ultimately everywhere there is an "air-gap" computer setup new rules will be implemented so that new chiller blankies will be disseminated to everyone at the cost of several billions of dollars.

      Yet another Security Decree. Just what we need. As if the 94 character random passwords with only two attempts allowed isn't enough.


      • So true. Air gapped PCs will now require to be separated by 5 feets. Just because, you know, more security is always better.
    • they didn't "hack" the machine using heat!

      they gained control of both machines ahead of time, and THEN used heat (etc) to exfil data.

      they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack".

      I'm afraid you don't understand the meaning of the word "hack" in this context. It does not always mean "gain control/privileges on a computer system in excess of your authorization". In this context, it means "defeat a method used to guarantee a particular security property".


    • 'they didn't "hack" the machine using heat!'

      That's not the claim, so put your strawman away.

  • by OzPeter ( 195038 ) on Tuesday March 24, 2015 @09:44AM (#49326801)

    But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.

    • I don't know, but one thing is sure, you need to be patient in order to use/exploit this thing... From Article : The time it took them to increase the heat and transmit a “1” varied between three and 20 minutes depending. The time to restore the system to normal temperature and transmit a “0” usually took longer.

      • by Thanshin ( 1188877 ) on Tuesday March 24, 2015 @09:52AM (#49326875)

        The time it took them to increase the heat and transmit a 1 varied between three and 20 minute

        So, somewhere between Comcast's Standard and High Speed plans.

      • It would be an atrocious choice for exfiltrating most types of data, even a couple of pages of 'sensitive_memo.doc' would take ages; but there are some cryptographic private keys that I'd be more than willing to wait a month or two for...
        • That's what I was just thinking too. Just spitballing, if it averages out to one hour per two bits (since on average half will be 0s and they said it takes longer to cool back down), then you could exfiltrate a 128-bit key in 64 hours. Even bumping it up for longer keys, it still wouldn't take that long. Well worth it.

          That said, the fact that this requires that both machines have already been compromised severely limits the usefulness for this attack. After all, in most cases where you already compromised t

          • The article says you can steal passwords or "secret keys" (encryption keys?) with eight signals per hour. You could simply leave this behind so that you don't need physical access the next time the key changes.

            • But you'd need physical access to the machine 15 inches away, which likely has the same security safeguards in place. It seems like a solution looking for a problem.

    • Once you have the PoC ... the rest is just a little social engineering or covert attack.

      Knowing it can be done opens a lot of opportunities, and defeats a lot of security.

      • by Lumpy ( 12016 )

        No it doesnt defeat any security. It requires both machine to be pre infected to begin with, and the data rate is less than 1 bit per minute.

        • So did Stuxnet ... it relied on exploiting removable media in the airgapped machine.

          People who want to spy on you can be patient.

          It may not have much in the way of bandwidth, but it has the potential to bridge an airgap.

          Yes, it's far from perfect, and relies on getting installed in the first place. That doesn't mean it won't cause people in secure facilities a few more ulcers.

    • by pjt33 ( 739471 )

      Interdiction or USB. NSA has plenty of experience in that side of things.

    • But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.

      TFA was either unclear or misrepresented: This technique is purely a demonstration of a sneaky covert channel implementation that requires only hardware likely to be present and functioning even on aggressively air-gapped systems. Actually getting the malware in place to use the covert channel is somebody else's problem, so TFA doesn't address it.

    • by Anonymous Coward

      But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.

      Don't know, but theoretically this can be used in a stuxnet style attack.
      Say that you manage to infect a networked computer. You then use that one to infect any memory device used to upgrade the offline computer.
      With this method you can extract small amounts of data from the offline system without having to rely on the user put a writable device in it that later on will be put into an infected computer.
      You could also use it as a remove control. Instead of having the offline computer act at a specific time y

    • This isn't completely unexpected after seeing the title. "Security Researchers" often take liberties with the idea that a tool chains are comprised of individual components, so there is less of a need to offer a complete solution.

    • Well, by most reports the target computers of Stuxnet were airgapped. There are ways, usually through social engineering.

      Drop a particularly neat looking, high capacity (and extremely exploited) flash drive in the parking lot and wait for someone to pick it up. At worst they'll plug it into their open PC looking to see if they can find the owner. At worst they'll put it on their lanyard and start using it day to day, infecting every PC they plug it into. Yeah, airgapped PCs should have their USB disabled

    • Gravitational waves ;)
  • by Anonymous Coward on Tuesday March 24, 2015 @09:48AM (#49326839)

    Governments and business have been doing this for centuries, communicating by nothing more than hot air.

  • by Crookdotter ( 1297179 ) on Tuesday March 24, 2015 @09:50AM (#49326861)
    With chips being so complicated these days, who audits them all? What's to stop a manufacturer being exploited and this kind of malware being as standard in a lot of silicon? However, if that's the case then a more traditional attack would be warranted - the data rate here is awful.
  • Not hack. They have not infected computers using thermal energy. They just demonstrated slow (very slow) communication between two computers using heat and heat sensors. It uses a tremendous amount of battery power of little to no purpose, since both computers need to already have the software on them... stenography would be a more appropriate communication method (hiding communication in seemingly-innocuous em traffic).

    • by pjt33 ( 739471 )

      Stenography is typing. You mean steganography. But even that is missing the point, which is one thing the title does get right: air-gapped. There's not supposed to be any communications channel at all between the two computers, but this technique creates one.

      • Re: (Score:2, Insightful)

        by The Raven ( 30575 )

        Air gap... like Bluetooth?

        I know what the term means, but heat is just another type of EM radiation (infra-red) that doesn't have dedicated communication hardware. The accomplishment is neat, but not useful.

        As a counter-example, the paper on reading monitors from their diffuse reflected luminance [] is actually useful. You get a high-bandwith, air-gapped eavesdropping method. This communication by heat is more likely to be detected (as a problem, not necessarily as communication) than a steganographic (thank y

        • by fnj ( 64210 )

          Just because you don't want to use it doesn't mean it's not useful to anybody.

    • The proposed use case (probably realistic in a number of offices right now; quite possibly less so now that this paper is written and the word goes out) where somebody with suitably fancy access has one computer for access to the super-secret-special-network, and a separate one for boring email and web stuff; that are supposed to be totally disconnected from one another; but which are likely to be crammed next to each other because our hypothetical paper pusher has limited desk space.

      Now that it's known
      • by TheCarp ( 96830 )

        So basically, this "hack" is likely really a hack on the administrative apparatus of the state in causing justification for certain paper pushers to request larger offices with bigger desks.

  • As evidenced by them calling that gap between the computers 15 inches.
  • by bluefoxlucid ( 723572 ) on Tuesday March 24, 2015 @09:54AM (#49326895) Homepage Journal
    This is totally Zalewalski shit.
  • So, can I use a space heater to extend the range of this new wireless technology?
  • Just install a mains-powered fan [] between the two computers.
  • the air-gapped system must already be infected. So while this is cute and all, on its own it does nothing.

    • by gstoddart ( 321705 ) on Tuesday March 24, 2015 @10:15AM (#49327027) Homepage

      And how did Stuxnet spread?

      In some cases, by exploiting removable media.

      If you think there's no precedent for getting the infection onto the machine, you're horribly mistaken.

      • If you are able to do that you almost certainly have a far simpler attack vector to extract data from the air-gapped machine. Think about your case: a usb stick. If it can carry in then it can also carry out and is not dependent upon precise proximity of the air and non-gapped computers.

  • Or you could just go in with lots of guys with guns, take the computers, and dump the bodies at sea.
  • by Ihlosi ( 895663 ) on Tuesday March 24, 2015 @10:05AM (#49326957)
    Now all those viruses can finally give your computer proper disease symptoms.
  • Now, i seem to be missing something here...
    Please enlighten Me, how this is news ?
    C'mon ffs, Stalin was spied this way from 50-70 meters using Ir produced by His windows (the Idiot was always yelling) (200ft for those of you who don't buy Royale with cheese).

  • If your server were air-gapped so totally that all transfers to and from it had to be with a human, malware could just as easily be transmitted by flash drive.

    • If they use a flash drive with a (properly-implemented) hardware write protect switch, it might only allow one-way transfer, so this is still potentially useful as the return channel.
  • Wow! We have hardwire, ethernet, wifi, bluetooth, infrared, optical.... now heat to transfer data.

    I guess the only thing missing is smell data transfer and smoke signals.

    Maybe a good kickstarter project...
  • Like most recent technical advances, this is merely a corollary of pre-existing xkcd research [].

  • ... the signal to noise ratio in an office full of coffee cups?

  • Protect against this hack by placing a hot coffee beside your computer. Only $69.99 per cup of coffee.
    • And far more if you want MILSPEC coffee which has been rigorously tested to withstand an atomic blast 3 miles away.

  • Heat, light, ... whether electromagnetic or mechanical, you got waves, we'll talk.
  • Of course, it requires the computer to be compromised first . . . but once compromised it can turn lights on and off all over your house!
  • In security terms, "air gap" should be taken to mean "direct communications gap".

    If two machines an "talk" to each other without involving a human or a third-party computer* to do your dirty work for you.

    *If the third-party computer is being used "in real time" it doesn't count as a "direct communications gap." However, if the computer hijacks the local router in the stand-alone network so that the next time it is hooked to an external network, it does bad things on behalf of the evil computer, that woul

  • Hack the planet! With heat! Wait a minute...
  • Using heat. Lots of it. I'd call it "fire".

  • If you have to get the computer that close to the machine you want to hack, then you could just drop by occasionaly and connect a cable/wifi to it and do a data dump.

  • Replace your wifi. Right??

Keep up the good work! But please don't ask me to help.