Wednesday, April 22nd 2020

And Now, a Cyberattack That Uses Fan Vibrations to Steal Data: Air-ViBeR

Air-ViBeR is a new cyber-security vulnerability that uses changes in your PC's fan vibrations to sneak out data through an elaborate, convoluted method involving more than one compromised device. There is an infinitesimal and purely mathematical chance of this type of cyberattack affecting you; however, one can't help but admire the ingenuity behind it, the stuff of Hollywood.

Created by Mordechai Guri at the Cyber Security Research Center at Ben-Gurion University, Israel, Air-ViBeR involves a compromised PC regulating its fan speeds to alter the PC's acoustics rapidly, to relay data to an Internet-connected listening device, such as a compromised smartphone, which then converts those vibrations into ones and zeroes to transmit to the web. There's no way this method will transmit your 100-gigabyte C: drive in a lifetime, let alone the few hours that your smartphone is placed on the same desk as your PC; but the attacker would look for something specific and something that fits within 4 KB (one block, or 32,768 bits). Guri demonstrated his method and wrote a paper on it explaining what he calls "air gap covert channels."
A video presentation by Mordechai Guri follows.

Source: HotHardware
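
From the defender's side, the sending half of this channel shows up in the host's own fan telemetry: the fan moves between distinct speed levels while the temperature gives it no reason to. The sketch below is an added example, not code from the article or from Guri's paper; the telemetry format, the thresholds and the function names are assumptions, and the samples are constructed.

```python
"""Flag fan-speed keying in host telemetry (added example, constructed data)."""

def make_samples(keyed):
    """Constructed telemetry: (second, fan RPM, CPU temp in C), 1 sample/s for 60 s."""
    pattern = [1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 1]  # arbitrary constructed levels
    samples = []
    for t in range(60):
        if keyed:
            # Fan held at one of two speeds for 5 s at a time while load is idle.
            rpm = 2900 if pattern[t // 5] else 2600
            temp = 45.0 + (t % 3) * 0.2
        else:
            # Normal behaviour: load ramps up and the fan curve follows the temperature.
            temp = 45.0 + t * 0.3
            rpm = 2000 + int(temp - 45.0) * 50
        samples.append((t, rpm, temp))
    return samples


def detect_fan_keying(samples, min_step=150, min_flips=6, max_temp_span=3.0):
    """Report whether fan RPM toggles between two levels without a thermal cause.

    The thresholds are assumptions and need tuning per fan and chassis.
    """
    rpms = [rpm for _, rpm, _ in samples]
    temps = [temp for _, _, temp in samples]
    lo, hi = min(rpms), max(rpms)
    temp_span = max(temps) - min(temps)
    result = {"flips": 0, "two_level": 0.0, "temp_span": temp_span, "suspicious": False}
    if hi - lo < min_step:          # ordinary jitter, no distinct speed levels
        return result
    mid = (lo + hi) / 2
    levels = [rpm > mid for rpm in rpms]
    result["flips"] = sum(a != b for a, b in zip(levels, levels[1:]))
    # Share of samples sitting close to either extreme (two-level signal).
    near = sum(1 for rpm in rpms if min(rpm - lo, hi - rpm) < min_step / 3)
    result["two_level"] = near / len(rpms)
    result["suspicious"] = (
        result["flips"] >= min_flips
        and result["two_level"] >= 0.8
        and temp_span <= max_temp_span
    )
    return result


if __name__ == "__main__":
    for label, keyed in (("keyed", True), ("benign", False)):
        print(label, detect_fan_keying(make_samples(keyed)))
```

A fan that follows a rising temperature crosses the midpoint once and is not flagged; only the combination of repeated level changes, a two-level speed distribution and a flat temperature is.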

33 Comments on And Now, a Cyberattack That Uses Fan Vibrations to Steal Data: Air-ViBeR

#1
BrainCruser
...If someone compromised your airgapped system, and your phone, you have bigger issues than your system varying its fan speed to talk to the phone.
#2
jmcslob
Wow I can't come up with a smart ass enough remark for this...I sat here for 5 minutes trying to come up with something.
#3
natr0n
"imagines farting hard at/on your pc during a compromise"

air gap covert channels has a new meaning.
#6
notb
Solaris17
This isn't new, Fansmitter was published 4 years ago.
Different approach. Fansmitter exposes data over sound generated by the PC (components, not speakers). You need an active microphone to collect it.

This exposes data via desk vibrations, so you can collect via a smartphone with accelerometer.

Key difference:
Android (not sure about iPhone) doesn't have an accelerometer access policy, i.e. apps don't ask for permission (they do for the microphone).
You can even call the accelerometer from JavaScript. That's the security issue that has to be taken care of.
BrainCruser
...If someone compromised your airgapped system, and your phone, you have bigger issues than your system varying its fan speed to talk to the phone.
The whole point of these attacks is to find channels that go around the blocked (or tracked) network communication.

You have to consider that fan speed can be controlled without admin rights and smartphone accelerometer can be accessed with additional privileges.
So this opens a realistic possibility of moving data without network access. You only need a script on the computer and on the smartphone - both placed on the same desk. No admin rights. Hardly any trace left. It's not fast, but it works.

Remember that IT security is not just about blocking access from outside of the organization (i.e. hacking). It's also about making it harder for insiders to steal data.
So, you've locked the USB ports, you control network communication, you check everything that is sent to the printer.
That's why now people try to move data over sound and vibrations.
#7
Solaris17
Dainty Moderator
notb
Different approach. Fansmitter exposes data over sound generated by the PC (components, not speakers). You need an active microphone to collect it.
Thanks my fault for not reading the entire article.

The malware is neat but the concept I will stand by is still not new. We have been looking into this for a while.

journals.sagepub.com/doi/full/10.1155/2014/278560

The process in which they implement and weaponize it is interesting though.

What was used initially as a way to interpret stressors on bridges and other heavy equipment in engineering is now used to pick up passwords.

Pretty cool.
#8
notb
Solaris17
Thanks my fault for not reading the entire article.

The malware is neat but the concept I will stand by is still not new. We have been looking into this for a while.
Absolutely. Idea is not new and not that shocking as well. Researcher from Ben-Gurion basically provided a PoC.

Apart from targeting a particular company/PC, this has a lot of potential as a mass method.
Receiver is extremely easy to run (JS, apps). Sender will be a bit trickier but feasible (malware, JS). You'll get a match sooner or later.

Also, a slight detail easy to forget: this works perfectly well on Linux and MacOS. Even on servers if you place a receiver on the rack (consciously and likely not a phone ;)).
It may be even easier to run this on Macs, since there are so few variants. Because, of course, you either need to know the exact fan frequency spectrum or train the signal processing model.
#9
Solaris17
Dainty Moderator
notb
Even on servers if you place a receiver on the rack (consciously and likely not a phone ;)).
I'm willing to bet you could manipulate the software enough to use something like a laser microphone pointed at the machine itself, maybe glass on a window the building over when technology improves more.
#10
R-T-B
I'll take "how to know I am a high value target" for $1000, Alex...

Daily Double!
#11
Solaris17
Dainty Moderator
R-T-B
I'll take "how to know I am a high value target" for $1000, Alex...

Daily Double!
Yeah, usually games at this level aren’t public until the tech to do it is freely available.

Being on the receiving end of that kind of sophistication is a target in itself outside of the attackers. Especially if you're an entity that isn’t supposed to have something that warrants that kind of fire power.
#12
Vayra86
Next: data mining over coil whine
#13
xtreemchaos
It's a bit late for April the 1st, isn't it? I'll give a big prize for anyone who can hack my PC through the darn fans :). It's like pull the other one, it's got bells on... It's like I bought this app that says it will clean my PC, it's been a week now and my rig's still dirty :)
#14
notb
Vayra86
Next: data mining over coil whine
Well, you can joke all you want, but this is how industrial espionage really works (probably the gov one as well). :D
Phishing, a lot of psychological attacks, laser microphones (already mentioned by @Solaris17 - beautiful stuff).

On this forum we talk a lot about CPU vulnerabilities and things like that, but most real life attacks are made surprisingly code-less. :p
#15
silentbogo
That's probably the worst covert channel you can possibly imagine. Not only is it susceptible to interference from other fans (GPU, chassis, etc.) and HDD vibrations, but also won't do shit until the building is empty, which in all likeliness is going to happen when a person takes his/her phone home (that's why dude left the table in the video). Also, controlling fans in a precise manner is super-hard on most systems. There are things like delays, hysteresis, finicky controllers, and different implementations of fan control in PCs, which these attention-seeking "hackers" conveniently omit by plugging a PWM signal to RPi GPIO.
It reminds me of all those late 90's early 2000's "hacks" from computer magazines (I mean the ones made of paper), with things like making an optical modem out of laser pointer and generic IR receiver, or making "covert" data transmission using PC buzzer and mic.
It's not even a "proof-of-concept", just a fun weekend project you can do with your kids.
#17
Bones
Essentially it's a form of morse code for electronics when you think about it.
#18
Caring1
xtreemchaos
It's a bit late for April the 1st, isn't it? I'll give a big prize for anyone who can hack my PC through the darn fans :). It's like pull the other one, it's got bells on... It's like I bought this app that says it will clean my PC, it's been a week now and my rig's still dirty :)
Did you try turning it off, then on again? :D
#19
Cidious
People have too much time on their hands during quarantine. This is just ridiculous. I thought 1st of April had passed already.
#20
R-T-B
Cidious
People have too much time on their hands during quarantine.
It's security research, a job field that never sleeps. Quarantine has nothing to do with it.
Bones
Essentially it's a form of morse code for electronics when you think about it.
Pretty much the concept. Clever if really really impractical.
BrainCruser
...If someone compromised your airgapped system, and your phone, you have bigger issues than your system varying its fan speed to talk to the phone.
It happened to Iran. And yes, they then did have much bigger issues. Stuxnet. Cool case study, that.
#21
Ferrum Master
Here come Delta fans to the rescue... 12V only.

Real men use real fans indeed :D
#22
thekaidis
BrainCruser
...If someone compromised your airgapped system, and your phone, you have bigger issues than your system varying its fan speed to talk to the phone.
Right? Priorities, man. Kind of like saying "if someone breaks into your house and takes you hostage, they might be able to access your browser history!"
#23
R-T-B
thekaidis
Right? Priorities, man. Kind of like saying "if someone breaks into your house and takes you hostage, they might be able to access your browser history!"
Again, Stuxnet is a good counterpoint to that. It shows attacks like this aren't completely useless, but they are usually reserved for really high level spy type stuff that would never bother any "lame" civilian like us.

Personally, I'm interested in a less nefarious use of this novel tech: Fan based networking to my smartphone. Screw you, bluetooth! :roll:
#24
Ferrum Master
R-T-B
Again, Stuxnet is a good counterpoint to that. It shows attacks like this aren't completely useless, but they are usually reserved for really high level spy type stuff that would never bother any "lame" civilian like us.

Personally, I'm interested in a less nefarious use of this novel tech: Fan based networking to my smartphone. Screw you, bluetooth! :roll:
Imagine, you could actually feel the data flow :D
#25
silentbogo
R-T-B
Again, Stuxnet is a good counterpoint to that.
People keep quoting Stuxnet, but so far, apart from banal infection by removable media, no "sophisticated" techniques have been confirmed, and all the odd stuff probably originated from tinfoil-hat weirdos.
Removable media is the oldest attack vector (older than me). No magic microphones or fan oscillations, just plain-old flash drives.