How malware could steal data from an air-gapped PC - via its fan

Imagine you’re a cybercriminal and you want to steal information from a malware-infected PC that isn’t connected to the internet, isn’t connected to any other computers, and that you don’t have any physical access to.

How would you do it?

Without being able to physically reach the isolated computer, and without any network connections, you’re going to have to use your imagination.

And that’s precisely what researchers from the Ben-Gurion University of the Negev in Israel have done, dreaming up the the concept of the Fansmitter malware, capable of transmitting sensitive information from the PC by adjusting its fan speed.

In their technical paper, entitled “Fansmitter: Acoustic data exfiltration from (speakerless) air-gapped computers”, Mordechai Guri, Yosef Solewicz, Andrey Daidakulov, Yuval Elovici describe how such an attack works:

“Our method utilizes the noise emitted from the CPU and chassis fans which are present in virtually every computer today. We show that a software can regulate the internal fans’ speed in order to control the acoustic waveform emitted from a computer. Binary data can be modulated and transmitted over these audio signals to a remote microphone (e.g., on a nearby mobile phone).”

Similar attacks have been postulated by malware sending high frequency sounds through a computer’s built-in speaker in the past, but there has been an obvious (if rudimentary) solution to that threat – remove the speaker.

Such a solution isn’t really practical when it comes to your computer’s fan.

Before you get too fearful that your computer’s fan is sharing your personal or business secrets, it’s important to underline some important points:

1. Your computer cannot be infected by malware via sound. Your computer would need to be already compromised and infected by malware to interpret sound waves collected by its microphone as malicious instructions. And if a computer is already infected, where would be the attraction in infecting it again via the sound of some noisy fans?
2. If your computer is air-gaped from the rest of the world, what are the chances that a malicious attacker would be able to infect it with malicious code in the first place to start sharing its secrets by messing around with its fan speed? The most likely route might be via malware on a USB stick being shared with individuals who use the victim PC, or to have meddled with its software somewhere along it’s supply chain – but it’s not a method of attack that is likely to be deployed against the vast majority of computer users.
3. You don’t just have to have a target computer that has been compromised and pumping out data via the fan. You also need a device which can receive the data – it needs to be physically close by (the researchers claim from one to four meters distance).
4. Not only does the surveillance device picking up on the sound of the fan need to be close by, it also needs to be present for an extended period of time. In some of its tests the researchers were only able to steal 3 bits (not bytes!) per minute – getting as high as 15 bits per minute when they raised the fan’s oscillation speed.

In short, the method of attack is unusual and interesting, but probably not practical in the vast majority of cases. Aside from the difficulty of infecting a target computer in the first place, there are some obvious other considerations.

For instance, any attacker using the method faces the challenge of either having users notice the unusually loud behaviour fo their computer’s fan, or drastically reduce the distance over which data can be stolen.

For now I wouldn’t lose too much sleep about this particular elaborate method of data exfiltration. Although it never makes sense to turn an entirely blind eye to potential threats, there are much more serious real and present dangers that the typical IT security manager should be treating as a priority instead.