Heat attacks on Air-Gapped networks

Good afternoon my Cheshire cat🐈⬛
Today we're going to talk about thermal attacks on Air-Gapped networks.
An Air-Gapped network is a computer network in which security measures are taken to maintain physical and logical separation from other, less secure networks.
This term can sometimes refer to an interface between two systems or networks where data transfer is done manually (e.g. the owner copies data from one system to a thumb drive and then switches to the other system and connects the thumb drive to it).
Air-gap networks are often used when the information stored or generated by the network is very sensitive or at risk of data leakage.
You might have thought that physically separating Air-Gapped computers provides a reliable level of security; for example, that if two adjacent computers were compromised, there would still be no covert exchange of data between them...
But from this post and the article below you will learn about a method where heat radiated by one computer is detected by the other, opening a channel through which keys, passwords and even malware can be transmitted to or from the attacker.
The bridge, which the researchers called BitWhisper, can cross the air gap between two machines.
To connect two separate computers, the channel relies on thermal "pings", repeatedly linking the two networks through proximity and heat.
This creates a bridge between the public network and the internal network. Once the air gap is bridged, attackers can do several things, including use the channel to leak keys, launch a worm, send a command to a control system, or spread malware to other parts of the network.
Generally speaking, it's not the fastest way to transmit information: the heat signal between computers changes slowly, very slowly, and it often takes several minutes to transmit just one signal.
At most, BitWhisper can process eight signals per hour.
How does it work?

BitWhisper establishes a hidden channel, sending heat from one PC to another.
For this, one of the devices must be controlled by the attackers, who regulate its heating. Binary data is converted into heat signals and transmitted that way.
In turn, the neighboring PC uses built-in thermal sensors to measure environmental changes.
These changes are then sampled, processed and demodulated into binary data.
BitWhisper offers two unique features:
1) The channel supports bidirectional (half-duplex) communication, as both PCs can act as transmitter (generating heat) or receiver (monitoring temperature).
2) The channel can be set up using off-the-shelf adjacent desktop PCs and does not require special hardware or auxiliary components. An intruder can use BitWhisper for direct control.
BitWhisper, as a versatile covert channel, can be used for a variety of purposes.
However, we investigate its use as a method to bridge the air gap between physically separated networks.
The attack model consists of several phases.
In the first phase, the attacker infects one of the networks; this part of the attack can be achieved using malicious emails in combination with social engineering and other similar techniques.
In the second, much more complex phase, the attacker goes on to infect a node of the internal network. This can be done through a supply chain attack, an infected USB drive, a malicious insider, or some equivalent tactic.
In the third phase, entrenched in both networks, the attacker can bridge the air gap between them to covertly exfiltrate a very sensitive piece of information (e.g., passwords or secret keys).
Alternatively, an attacker could trigger a worm attack inside an isolated network or send a malicious command to an isolated industrial control system. Once the networks are infected, the malware spreads across both networks and searches the environment for additional computers in close proximity.
Proximity is determined by periodically sending "heat echo requests" through the air.
Once the connection attempt is successful, the logical connection between the public network and the internal network is established.
At this point, the attacker can communicate with the previously isolated network however he wants, issuing commands and receiving responses.
Technical details

Like many electrical systems, PCs emit heat.
The law of conservation of energy states that energy is conserved over time. Excess power is dissipated in the form of heat, primarily through a physical process called Joule heating.
It occurs when an electric current passes through a conductor and generates heat; the heat generated is proportional to the current and voltage of the system.
Complex electronic systems such as the CPU of a modern PC draw different amounts of power (current and voltage) in proportion to the system load.
This workload directly affects the amount of heat generated by the system. An increased CPU workload in a modern system causes increased power consumption across the board, and therefore also an increase in temperature.
In addition to the CPU, modern computers contain other components that generate a significant amount of heat, such as the GPU and motherboard components like VRMs and I/O controllers; mechanical systems such as a hard drive or optical drive are further sources of heat.
Electronic systems such as computers and smartphones include several thermal sensors to monitor their various components and the ambient temperature.
Thermal sensors allow the system to protect itself from damage or performance degradation.
Some computer components can become temporarily unusable or permanently damaged if not properly cooled.
Thermal sensors thus underpin the stable, continuous operation of a PC: heat-generating components must receive sufficient cooling to counteract their thermal emissions.
There are two methods of cooling: passive and active.
Passive methods cool a component by letting heat dissipate into the air on its own or through a heat sink.
For most chips used in PCs, this is the cooling method used.
Active methods try to speed up convection, using a fan or possibly other mechanisms that rely on liquid or gaseous coolants. The most common active cooling method in PCs is a fan attached to a heat sink, because it is inexpensive and efficient.
By varying the CPU load, the transmitting machine controls how much heat it releases, and that is how information is transferred.
The thermal properties of the PC are important because they directly affect the quality of the signal.
The study identified three kinds of sensor readings that are significantly affected by the environment:
1) The internal temperature sensor of the CPU
2) Other temperature sensors, such as those in the CPU and HD
3) Fan speed in rpm; the PC's workload directly affects the temperature, and thus all three readings.
A covert channel uses the thermal radiation emitted by one computer operating within acceptable thermal limits to deliver information to a neighboring computer equipped with standard thermal sensors.
While the physical properties of the channel may be asymmetric, the communication channel is symmetric because each side communicates with the other using the same protocol.
For simplicity, we can refer to computers communicating as sender and receiver, although the channel is bidirectional.
Having two neighboring computers A and B, we denote by S the heat propagation delay (from A to B) and by L the cooling time. The transmitter and receiver need these parameters to successfully transmit data over the physical link.
For optimal throughput, the best approach is to detect these parameters at runtime for the interacting parties and to conduct a protocol handshake prior to any actual data transfer.
This initial process also serves to determine if a receiver is in range.
For the presented algorithms, both parties use a rounding function (e.g., rounding the calculated time to the nearest minute).
The main purpose of the handshake protocol is to communicate and agree on the parameters used for the communication protocol, the heat propagation delay and the cooling time.
After the handshake phase, each side will know its delays and cooling times.
Because of the static nature of the location and layout of the computers, the handshake can be performed during the initial communication setup and then repeated from time to time (e.g., once a week).
In the handshake algorithm, we arbitrarily name the initiator of the handshake as A and the other party (the recipient) as B.
You can read about the encoding algorithms in the article below. As you can see, an air gap can be bridged even with heat.
And what are the protective measures against such threats?

Well, the obvious ones are regulating the distance between devices and strict monitoring.
As a countermeasure against attacks such as BitWhisper, a "zone" approach should be used to determine the physical distances required for potentially heat-emitting and heat-sensitive components connected to different networks.
In some cases, mainly due to space constraints, maintaining minimum distances between computers is impractical, and managing the physical distances between different networks is obviously difficult in terms of space and administration costs.
One solution might be to place thermal sensors between computers containing sensitive information and all other computers to detect abnormal thermal emissions or to use existing monitoring solutions to detect attempted thermal communications.
These monitoring systems, commonly used for servers, already monitor CPU usage and temperature sensors to maintain availability.
Logs and alerts from these monitoring systems can be used to detect communication attempts.
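How such monitoring could turn its existing CPU-usage and temperature readings into an alert, as an added example that is not from the post or the BitWhisper paper: a temperature rise on a host whose own CPU load stays idle cannot be explained by its workload and is flagged. The sample series, the thresholds (RISE_C, IDLE_UTIL, WINDOW) and the tuple format are constructed assumptions.

```python
"""Flag CPU temperature rises that local CPU load does not explain.

Input: one (cpu_util_percent, cpu_temp_celsius) sample per minute, as a
server monitoring agent would already collect. A rise of RISE_C degrees
within WINDOW minutes while the host stays below IDLE_UTIL points to an
external heat source (a neighbouring machine, or a failing cooler) and is
worth an alert. Thresholds are illustrative assumptions, not tuned values.
"""
from typing import List, Tuple

RISE_C = 1.5       # assumed: degrees of rise over the window worth flagging
IDLE_UTIL = 15.0   # assumed: CPU utilisation treated as "idle"
WINDOW = 3         # assumed: samples (minutes) over which the rise is measured

# Constructed sample series: idle baseline, an unexplained warm-up and
# cool-down, then a legitimate warm-up caused by the host's own workload.
CONSTRUCTED: List[Tuple[float, float]] = [
    (2, 38.0), (3, 38.0), (2, 38.1), (4, 38.0), (3, 38.1), (2, 38.0),  # idle
    (3, 38.2), (2, 39.0), (3, 39.8), (4, 40.5), (3, 41.0),             # heat arrives, host idle
    (2, 40.3), (3, 39.6), (2, 39.0), (3, 38.5), (2, 38.2),             # cools down again
    (85, 39.0), (90, 41.0), (88, 43.0), (91, 45.0), (87, 46.0),        # own load: explained
    (5, 44.0), (4, 42.0), (3, 40.5), (2, 39.5), (3, 38.8),             # cools down
]


def unexplained_rises(series, window=WINDOW, rise_c=RISE_C, idle_util=IDLE_UTIL):
    """Return (start_minute, end_minute, rise) for each window whose
    temperature rise meets rise_c while every sample in it is idle."""
    alerts = []
    for end in range(window, len(series)):
        start = end - window
        rise = series[end][1] - series[start][1]
        busiest = max(util for util, _ in series[start:end + 1])
        if rise >= rise_c and busiest <= idle_util:
            alerts.append((start, end, round(rise, 1)))
    return alerts


def merge_episodes(alerts):
    """Collapse overlapping alert windows into one episode per heating event,
    keeping the largest rise seen; one episode is one suspected heat pulse."""
    episodes = []
    for start, end, rise in alerts:
        if episodes and start <= episodes[-1][1]:
            p_start, p_end, p_rise = episodes[-1]
            episodes[-1] = (p_start, max(p_end, end), max(p_rise, rise))
        else:
            episodes.append((start, end, rise))
    return episodes


if __name__ == "__main__":
    for ep in merge_episodes(unexplained_rises(CONSTRUCTED)):
        print("ALERT: unexplained warm-up minutes %d-%d (+%.1f C)" % ep)
```

The legitimate warm-up at minutes 16-20 is not reported because the host's own utilisation accounts for it; repeated idle episodes at regular intervals are the pattern a thermal communication attempt would leave in these logs.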
And that's it, thanks for reading❤️
For a fuller introduction, read the article below.
And here is a video demonstration of the attack.
And remember: even if the rabbit hole has been filled in, Alice can always go down it🐇🗝