If no Internet connection exists surely hackers would be unable to remotely steal data? Apparently not. Air-gapped computer data theft is possible according to a team of security researchers from Israel.
Israeli Researchers Demonstrate Air-Gapped Computer Data Theft
The most sensitive data stored by an organization is often located on a device that lacks an Internet connection. If the device cannot be accessed from outside of an organization, it is much harder for hackers to steal data. The only way of gaining access to data stored on these isolated systems is for an attacker to gain physical access to the device.However, the Israeli researchers have demonstrated that data can actually be stolen by hijacking computer fans on air-gapped devices.
The researchers have previously shown that data theft is possible using PC speakers, although by unplugging the speakers on air-gapped computers, data theft could be prevented. Unfortunately, unplugging the fan is not an option.
In the latest tests, the researchers were able to exfiltrate data by controlling the noise of the fans. Initially, access to a computer must be gained as it is necessary to install malware on the computer before data can be stolen.
The researchers developed a form of malware called fansmitter and loaded it onto an air-gapped Dell computer. By varying the speed of the fan the researchers were able to create variation in fan noise, which could be used to transmit small packets of data. The researchers were able to receive the data on a mobile phone.
In order to receive the data, the hackers would need to be in close proximity to the air-gapped device. In the tests, 8 meters was the maximum range that data could be transmitted.
A program on the phone deciphered the data and then relayed that to the researchers. The amount of data that can be transmitted using this method is limited. Data transfer of 15 bits per second was possible. According to the researchers, that would be sufficient to send encryption keys and passwords, rather than files.
It is perhaps unlikely that this method of attack would ever be used due to the difficulty in pulling it off, but it is possible. Organizations that want to ensure they are protected from this type of attack should use non-fan based cooling systems or should prohibit the use of mobile phones within 10M of an air-gapped device.