Using Heat to Jump Air-Gapped Computers

Researchers claim that when thermal energy from one computer is detected by an adjacent computer it can facilitate the spread of keys and malware.

When heat from one computer is emitted and detected by an adjacent computer, a channel can be opened that researchers are claiming can facilitate the spread of keys, passwords and even malware.

According to researchers from the Cyber Security Research Center at Ben Gurion University in Israel, the bridge, something they’ve dubbed BitWhisper, can allow for communication between the two air-gapped machines.

Researchers Mordechai Guri and Matan Munitz discovered the method and were overseen by Yuval Elovici, a professor at the school’s Department of Information Systems Engineering. The three published a paper on their research, “BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations,” via Cornell University.

To connect two otherwise separate computers – a common sight in specialized computer labs, military networks, etc. – the channel relies on something the researchers call “thermal pings,” the repeated fusion of two networks via proximity and heat. This helps grant a bridge between the public network and the internal network.

“At this stage, the attacker can communicate with the formerly isolated network, issuing commands and receiving responses,” the report reads.

Once the airgap has been bridged, attackers can do a handful of things, including using the channel to spread keys, unleash a worm, send a command to an industrial control system, or spread malware to other parts of the network.

“BitWhisper provides a feasible covert channel, suitable for delivering command and control (C&C) messages, and leaking short chunks of sensitive data such as passwords,” the paper warns.

In a video posted to YouTube, the researchers demonstrate how they were able to send a command from one machine to another in order to reposition and then launch a small, toy missle:

For their study the researchers positioned personal computers next to one another – side-by-side, back-to-back, even stacked on top of each other – to determine how quickly data traveled between the two.

The researchers then ran the machines through a rigorous series of calculations and “busy loops” in order to get them to give off more heat. From there they were able to gauge which of the computers’ temperature sensors were affected by a difference in heat and in turn could be manipulated. Guri and company were left with a complicated attack environment that’s dependent upon multiple, highly-calibrated parameters being set in place in order to carry out an attack.

It’s not the speediest method to transfer information – the thermal signal’s rate of change between computers can be slow – very slow – oftentimes taking several minutes to transfer just one signal; at the most, BitWhisper can process eight signals per hour. While slow, the team’s video helps illustrate that the mode of transfer is possible but it just may make more sense to transfer small bits of information.

The attack requires no special hardware or additional components, it just requires that both machines are infected by malware. On top of that the channel is bi-directional, meaning the sender could be the receiver in some instances. The attack should work as long as one computer is producing heat and another is monitoring that heat.

End-users who wanted to theoretically prevent an attack like this from happening could keep computers far apart from each other. While that may seem like the most sensible move, researchers stress it may be difficult.

“Keeping minimal distances between computers is not practical,” the researchers said, “and obviously, managing physical distances between different networks has its complexity in terms of space and administration overheads that increases with every air-gap network used.”

Guri and a trio of researchers found a technique last year to use FM waves for data exfiltration. Guri and his team presented the malicious program, AirHopper, at MALCON, a conference in Mumbai last year, and showed how it could be used to decode a radio signal sent from a computer’s video card.

That attack helped clarify what is and isn’t possible when it comes to staging threats against air-gapped machines. The threat landscape is a field of great interest to researchers at the university. Going forward Guri states that he and his team are hoping to see if they can get two computers to send and receive information at the same time and to see if it’s possible to get two computers in the same room, giving off heat, to boost the channel’s effective transmission range.

This article was updated on March 30 to include a link to the now-public paper.

Suggested articles