Hack Air-Gapped Computers Using Heat 123
An anonymous reader writes Ben-Gurion University of the Negev (BGU) researchers have discovered a new method to breach air-gapped computer systems called "BitWhisper," which enables two-way communications between adjacent, unconnected PC computers using heat. BitWhisper bridges the air-gap between the two computers, approximately 15 inches apart that are infected with malware by using their heat emissions and built-in thermal sensors to communicate. It establishes a covert, bi-directional channel by emitting heat from one PC to the other in a controlled manner.
Also at Wired.
I, for one... (Score:1)
Skynet foiled by ceiling fan (Score:5, Funny)
Film at 11:00
Re: (Score:2)
How cares about skynet when it comes to heat and computers... I worry more about the Matrix instead.
Nonsense (Score:1)
This article is just a bunch of hot air.
Re: (Score:3)
Is it TCP/IP over hot air? If so, who installed the server software on the air-gapped PC?
goddamnit!!! (Score:5, Informative)
they didn't "hack" the machine using heat!
they gained control of both machines ahead of time, and THEN used heat (etc) to exfil data.
they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack".
Re: (Score:1)
Leonard: Not only is he still not talking to me, but there’s this thing he does where he stares at you and tries to get your brain to explode. You know, like in the classic sci-fi movie Scanners? (Put’s fingers to head) You know, bzzz-pchew! Never mind. How about this one. It says, “I know my physics, but I’m still a fun guy!”
Series 1 Episode 09 – The Cooper-Hofstadter Polarization
Re:goddamnit!!! (Score:5, Informative)
Just like the "hack using computer speakers" just install this malware first...
It's an interesting out of band communications process, a very very VERY slow one... but still interesting.
Re: (Score:2)
Which step is it that installs the customized thermal sensors?
Re: (Score:2)
Which step is it that installs the customized thermal sensors?
Step 2: Drop some customized thermal sensors.
Re: (Score:3)
This technique re-establishes communication which provides a mechanism for a malicious user to regain control. It could be used to load new malicious software, download sensitive data, and establish a proxy into other disconnected internal systems.
So I fail to care about which term is used, it is a security breach and one of the worst kind... the kind where you think you're completely safe, but you still aren't.
Re:goddamnit!!! (Score:4, Insightful)
So I fail to care about which term is used, it is a security breach and one of the worst kind
Except it will only work in the most esoteric scenarios with laboratory conditions, sure. 2 PCs, with side-vent cooling and no cold aisle, and a distance of 15 inches?
Somehow I dont think this will threaten air-gapped secure networks. Those are going to have steady cold air coming in the front, and exhausting out the back; if theyre dumping significant heat through the side of the cases you're doing it wrong.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2, Insightful)
Exploits only ever get better. That's threat analysis 101. And you've provided no evidence or analysis why you're supposed mitigations are an insurmountable defense; at best they're only a stop-gap.
This is a proof of concept. And a pretty cool proof of concept. The idea of using a side channel like this isn't that novel (RSA key cracks via CPU acoustics was shown years ago), but just think of the all the little problems you'd have to solve to execute the concept. It's pretty awesome work.
Re: (Score:3)
And you've provided no evidence or analysis why you're supposed mitigations are an insurmountable defense; at best they're only a stop-gap.
In THEORY breaking most encryption is just guessing the right 2048-bit code. At best, increasing the length from 1024 to 2048 is just a stopgap.
In reality, some attacks are so esoteric and hard to pull off (famous example: hard drive magnetic domain remnant detection) that they are not a real-world threat. MAYBE they could adapt this, but it already requires
A) a machine connected to the internet that is compromised (!)
B) an AIR-GAPPED, high-security machine directly adjacent to it (!!!)
C) That that air-g
Re: (Score:2)
So I fail to care about which term is used, it is a security breach and one of the worst kind
It is not a security breach at all, and I'm not sure you could even recognize a buffer overflow if you saw one (bro, do you even asm?).
Once security is breached through another method, this can be used for two already compromised computers to communicate. As a threat, it's less dangerous than a cat5 cable.
Re: (Score:3)
Wow, please pay attention.
read:
I never stated that no other security breach already existed, but that a new one is being added.
Consider this scenario: government systems, one computer is internet facing, the other computer is completely isolated. Joe Badguy installs each computer before they are put into real use, and adds the exploit to each. The government beefs up physical security, then enables the internal system confident that data added to it cannot leave. But sometime later, Joe Badguy connects
Re: (Score:2)
mov eax, $phantomfive_understands
cmp eax, 0x1
jne read
Nice
Re: (Score:2)
Granted... from a "real security" standpoint, this is probably amongst the most difficult situations to exploit effectively. Heat transfer isn't exactly broadband. I imagine you'd be doing well to get 1 bpm (bit per minute) communications. The exploit code would probably need to include a sophisticated AI just to figure out what is important enough to transmit.
Re: (Score:1)
they didn't "hack" the machine using heat!
they gained control of both machines ahead of time, and THEN used heat (etc) to exfil data.
they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack".
Well, yes they did, depending on what meaning you put into the word "hack". For a lot of us old-schoolers, "hack" means "do something cool" and is not limited to "gain unauthorized access to". To support this, we fall back on how the word "hack" was used in the 1960's at places like MIT. For example, look at the classic Jargon File, where the definition of "hack" does not mention anything illegal at. Using that defintion, I would say they did a hack using only heat to communicate.
Then again, I am fully awar
Re:goddamnit!!! (Score:4, Informative)
Re: (Score:2)
Lets say you have two systems A and B. System A has very important data, and it is important not only that the data is protected from access, it is also important that if it is accessed unauthorizedly, to know at least, if any data was sent to the outside. System B is less important and in a DMZ. If system B is compromised, you just power
Re: (Score:1)
...they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack"....
Stop saying "heat" as well. Heat in this context is nothing but low-frequency light.
.
So the headline should read...
Malware that was installed on computers uses light to send data to other computers similarly loaded with malware.
But that doesn't make for a page-hit-generating headline.
Re: (Score:1)
Hack doesn't mean "infiltrate".
They are using a novel technique to achieve something unexpected - that is the definition of hacking.
Re: (Score:2)
"They are using a novel technique to achieve something unexpected"
Infrared data exchange is decades old. hardly a 'novel technique'.
But machines with microphones, cameras, wireless mice and keyboards are vulnerable, everything can be used, the nut before the keyboard included.
Re: (Score:1)
The sad thing is, some security puke is going to read this and there will be studies initiated, PowerPoints distributed and ultimately everywhere there is an "air-gap" computer setup new rules will be implemented so that new chiller blankies will be disseminated to everyone at the cost of several billions of dollars.
Yet another Security Decree. Just what we need. As if the 94 character random passwords with only two attempts allowed isn't enough.
FML.
Re: (Score:1)
Re: (Score:3)
I'm afraid you don't understand the meaning of the word "hack" in this context. It does not always mean "gain control/privileges on a computer system in excess of your authorization". In this context, it means "defeat a method used to guarantee a particular security property".
Pr
Re:goddamnit!!! (Score:5, Insightful)
If anything, then, I'd say they've hacked the air gap, not the computers.
Re: (Score:2)
'they didn't "hack" the machine using heat!'
That's not the claim, so put your strawman away.
Sure, great, new comms channel (Score:5, Interesting)
But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.
Re: (Score:3)
I don't know, but one thing is sure, you need to be patient in order to use/exploit this thing... From Article : The time it took them to increase the heat and transmit a “1” varied between three and 20 minutes depending. The time to restore the system to normal temperature and transmit a “0” usually took longer.
Re:Sure, great, new comms channel (Score:5, Funny)
The time it took them to increase the heat and transmit a 1 varied between three and 20 minute
So, somewhere between Comcast's Standard and High Speed plans.
Re:Sure, great, new comms channel (Score:5, Funny)
Re: (Score:3, Funny)
Speak for yourse
NO CARRIER
Re: (Score:3)
Re: (Score:2)
That's what I was just thinking too. Just spitballing, if it averages out to one hour per two bits (since on average half will be 0s and they said it takes longer to cool back down), then you could exfiltrate a 128-bit key in 64 hours. Even bumping it up for longer keys, it still wouldn't take that long. Well worth it.
That said, the fact that this requires that both machines have already been compromised severely limits the usefulness for this attack. After all, in most cases where you already compromised t
Re: (Score:2)
The article says you can steal passwords or "secret keys" (encryption keys?) with eight signals per hour. You could simply leave this behind so that you don't need physical access the next time the key changes.
Re: (Score:2)
But you'd need physical access to the machine 15 inches away, which likely has the same security safeguards in place. It seems like a solution looking for a problem.
Re: (Score:2)
Once you have the PoC ... the rest is just a little social engineering or covert attack.
Knowing it can be done opens a lot of opportunities, and defeats a lot of security.
Re: (Score:3)
No it doesnt defeat any security. It requires both machine to be pre infected to begin with, and the data rate is less than 1 bit per minute.
Re: (Score:2)
So did Stuxnet ... it relied on exploiting removable media in the airgapped machine.
People who want to spy on you can be patient.
It may not have much in the way of bandwidth, but it has the potential to bridge an airgap.
Yes, it's far from perfect, and relies on getting installed in the first place. That doesn't mean it won't cause people in secure facilities a few more ulcers.
Re: (Score:2)
Or, you're an idiot.
Stuxnet didn't magically cross the airgap, and I never said it did. What it did was find ways to cross that used the humans involved, and the fact they needed to get data onto those systems at some point.
Which means it is a solved problem to cross the air gap by coming at the problem from a different direction.
So saying this won't work because it requires the secure system to be compromised is crap ... beca
Re: (Score:2)
Interdiction or USB. NSA has plenty of experience in that side of things.
Re: (Score:3)
But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.
TFA was either unclear or misrepresented: This technique is purely a demonstration of a sneaky covert channel implementation that requires only hardware likely to be present and functioning even on aggressively air-gapped systems. Actually getting the malware in place to use the covert channel is somebody else's problem, so TFA doesn't address it.
Re: (Score:1)
But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.
Don't know, but theoretically this can be used in a stuxnet style attack.
Say that you manage to infect a networked computer. You then use that one to infect any memory device used to upgrade the offline computer.
With this method you can extract small amounts of data from the offline system without having to rely on the user put a writable device in it that later on will be put into an infected computer.
You could also use it as a remove control. Instead of having the offline computer act at a specific time y
Re: (Score:2)
This isn't completely unexpected after seeing the title. "Security Researchers" often take liberties with the idea that a tool chains are comprised of individual components, so there is less of a need to offer a complete solution.
Re: (Score:2)
Well, by most reports the target computers of Stuxnet were airgapped. There are ways, usually through social engineering.
Drop a particularly neat looking, high capacity (and extremely exploited) flash drive in the parking lot and wait for someone to pick it up. At worst they'll plug it into their open PC looking to see if they can find the owner. At worst they'll put it on their lanyard and start using it day to day, infecting every PC they plug it into. Yeah, airgapped PCs should have their USB disabled
Re: (Score:2)
Nothing new here (Score:3, Funny)
Governments and business have been doing this for centuries, communicating by nothing more than hot air.
Next step - embed it in a chip (Score:3)
Bad Title (Score:2)
Not hack. They have not infected computers using thermal energy. They just demonstrated slow (very slow) communication between two computers using heat and heat sensors. It uses a tremendous amount of battery power of little to no purpose, since both computers need to already have the software on them... stenography would be a more appropriate communication method (hiding communication in seemingly-innocuous em traffic).
Re: (Score:3)
Stenography is typing. You mean steganography. But even that is missing the point, which is one thing the title does get right: air-gapped. There's not supposed to be any communications channel at all between the two computers, but this technique creates one.
Re: (Score:2, Insightful)
Air gap... like Bluetooth?
I know what the term means, but heat is just another type of EM radiation (infra-red) that doesn't have dedicated communication hardware. The accomplishment is neat, but not useful.
As a counter-example, the paper on reading monitors from their diffuse reflected luminance [kodu.ut.ee] is actually useful. You get a high-bandwith, air-gapped eavesdropping method. This communication by heat is more likely to be detected (as a problem, not necessarily as communication) than a steganographic (thank y
Re: (Score:2)
Just because you don't want to use it doesn't mean it's not useful to anybody.
Re: (Score:2)
Now that it's known
Re: (Score:2)
So basically, this "hack" is likely really a hack on the administrative apparatus of the state in causing justification for certain paper pushers to request larger offices with bigger desks.
They're fishermen, not engineers. (Score:2)
Zalewalski shit (Score:3)
Re: (Score:1)
Wireless technology (Score:2)
An easy fix (Score:2)
The larger problem is (Score:2)
the air-gapped system must already be infected. So while this is cute and all, on its own it does nothing.
Re:The larger problem is (Score:5, Insightful)
And how did Stuxnet spread?
In some cases, by exploiting removable media.
If you think there's no precedent for getting the infection onto the machine, you're horribly mistaken.
Re: (Score:2)
If you are able to do that you almost certainly have a far simpler attack vector to extract data from the air-gapped machine. Think about your case: a usb stick. If it can carry in then it can also carry out and is not dependent upon precise proximity of the air and non-gapped computers.
Or... (Score:1)
Finally, malware that gives computers a fever. (Score:5, Funny)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
communication with thermal wavelenght of em spec? (Score:1)
Now, i seem to be missing something here...
Please enlighten Me, how this is news ?
C'mon ffs, Stalin was spied this way from 50-70 meters using Ir produced by His windows (the Idiot was always yelling) (200ft for those of you who don't buy Royale with cheese).
Sneakernet would be just as vulnerable (Score:2)
If your server were air-gapped so totally that all transfers to and from it had to be with a human, malware could just as easily be transmitted by flash drive.
Re: (Score:1)
Communication methods (Score:1)
I guess the only thing missing is smell data transfer and smoke signals.
Maybe a good kickstarter project...
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Bah, you have a 50/50 chance ... send two mice.
Re: (Score:1)
Re: (Score:2)
You missed audio/sound
Old hat (Score:1)
Like most recent technical advances, this is merely a corollary of pre-existing xkcd research [xkcd.com].
What is ... (Score:2)
Norton Coffee (Score:2)
Re: (Score:2)
And far more if you want MILSPEC coffee which has been rigorously tested to withstand an atomic blast 3 miles away.
Re: (Score:2)
What's next - "Computer hacked over power line"? (Score:2)
"Air gap" shouldn't be taken literally (Score:1)
In security terms, "air gap" should be taken to mean "direct communications gap".
If two machines an "talk" to each other without involving a human or a third-party computer* to do your dirty work for you.
--
*If the third-party computer is being used "in real time" it doesn't count as a "direct communications gap." However, if the computer hijacks the local router in the stand-alone network so that the next time it is hooked to an external network, it does bad things on behalf of the evil computer, that woul
Hack the planet (Score:2)
Hacking and destroying air gapped computers (Score:1)
Using heat. Lots of it. I'd call it "fire".
15 inches apart (Score:2)
If you have to get the computer that close to the machine you want to hack, then you could just drop by occasionaly and connect a cable/wifi to it and do a data dump.
Cooperative use (Score:1)
Replace your wifi. Right??