• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Attackers Can Use HVAC Systems to Control Malware on Air-Gapped Networks

biffzinker

biffzinker

Joined
Mar 23, 2016
Messages
4,839 (1.64/day)
System Specs
Processor Ryzen 9 5900X
Motherboard MSI B450 Tomahawk ATX
Cooling Cooler Master Hyper 212 Black Edition
Memory VENGEANCE LPX 2 x 16GB DDR4-3600 C18 OCed 3800
Video Card(s) XFX Speedster SWFT309 AMD Radeon RX 6700 XT CORE Gaming
Storage 970 EVO NVMe M.2 500 GB, 870 QVO 1 TB
Display(s) Samsung 28” 4K monitor
Case Phantek Eclipse P400S (PH-EC416PS)
Audio Device(s) EVGA NU Audio
Power Supply EVGA 850 BQ
Mouse SteelSeries Rival 310
Keyboard Logitech G G413 Silver
Software Windows 10 Professional 64-bit v22H2
Heating, ventilation, and air conditioning (HVAC) systems can be used as a means to bridge air-gapped networks with the outside world, allowing remote attackers to send commands to malware placed inside a target’s isolated network.

This type of attack scenario — codenamed HVACKer by its creators — relies on custom-built malware that is capable of interacting with a computer’s thermal sensors to read temperature variations and convert these fluctuations into zeros and ones — binary code.

The malware, already installed on a computer on an isolated network with no Internet access, reads the temperature variations created by the HVAC system and converts the received thermal signals into malicious operations.
Click to expand...


Source: Bleeping Computer

Edit:
According to tests carried out by the research team, they were able to send data inside an air-gapped network via HVAC systems at bit rates of 40 bits per second, a more than acceptable transmission speed.
Click to expand...

How could they manage to obtain a transfer rate of 40 bits per second? Seems highly improbable.
 
Last edited:
Papahyooie

Papahyooie

Joined
Mar 11, 2009
Messages
1,778 (0.32/day)
Location
Little Rock, AR
System Specs
System Name Gamer
Processor AMD Ryzen 3700x
Motherboard AsRock B550 Phantom Gaming ITX/AX
Memory 32GB
Video Card(s) ASRock Radeon RX 6800 XT Phantom Gaming D
Case Phanteks Eclipse P200A D-RGB
Power Supply 800w CM
Mouse Corsair M65 Pro
Software Windows 10 Pro
Pretty cool "proof of concept" and definitely qualifies as a hack! That being said... the transfer rate would be abysmally slow... you'd have to send a single bit at a time, and each bit would take several minutes, depending on the size of the room and the size of the A/C unit. Plus there's the fact that you'd have to already have said malware installed on said air-gapped system, which would require you to physically be there at some point in the past... I imagine it being Mission: Impossible - style myself... lol.
 
R-T-B

R-T-B

Supporter
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
System Specs
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64
biffzinker said:
How could they manage to obtain a transfer rate of 40 bits per second? Seems highly improbable.
Click to expand...

It's not improbable if you consider the insanely long latency involved. That would be the big deal.
 
Papahyooie

Papahyooie

Joined
Mar 11, 2009
Messages
1,778 (0.32/day)
Location
Little Rock, AR
System Specs
System Name Gamer
Processor AMD Ryzen 3700x
Motherboard AsRock B550 Phantom Gaming ITX/AX
Memory 32GB
Video Card(s) ASRock Radeon RX 6800 XT Phantom Gaming D
Case Phanteks Eclipse P200A D-RGB
Power Supply 800w CM
Mouse Corsair M65 Pro
Software Windows 10 Pro
R-T-B said:
It's not improbable if you consider the insanely long latency involved. That would be the big deal.
Click to expand...
I think he was saying it was improbable that it would be that fast. 40 bits per second? That's extremely fast for an HVAC system to change the temp in a room... I'd say physically impossible. It simply isn't possible to change the temperature in a room (enough for a PC to detect it,) that fast. Assuming you had a full custom firmware on the thermostat, you might be able to transfer a single bit in a couple of minutes. But realistically, "normal" HVAC systems these days have 5 to 10 minute delays between on/off to help keep the pressures at safe levels and to avoid the system getting out of whack and freezing up (as they will do if the A/C is on, but the fan is not. I used to be an HVAC technician.)

40 bits per second? They'd have to have the "PC" open-faced, laying inside the ductwork, with a custom heating/cooling system that could handle switching that fast, and blast the bare motherboard with severe alternating heat/cold. If they got 40 bits per second, it was in a custom lab setup. In the real world... I'd say a single bit per 10 minutes would be about realistic.
 
You must log in or register to reply here.
Top