Security Researchers Turn Cooling Fans, Graphics Processing Units Into Data Exfiltration Vectors

Researchers from the Ben-Gurion University of the Negev and Duo Security have separately announced two novel data exfiltration attacks against air-gapped computer systems — one by tapping into the vibration of computer fans, and the other by turning a system's graphics card into a software-defined radio.

Air-gapping is a common technique to protect high-security systems: An air-gapped system must have no connection to an external network of any kind, and in most cases also has any local means of exfiltrating data — such as USB ports — disabled. An attacker who gains physical access can use the system, but can't copy its data — unless a vulnerability is found.

Previous data exfiltration attacks have ranged from monitoring radio emissions from a monitor — known as a TEMPEST attack — to flashing a hard-drive status LED in a particular pattern. Now, there are two new approaches — starting with AiR-ViBeR, a system for turning data into surface vibrations using computer fans.

"In this paper, we introduce a new type of vibrational (seismic) covert channel," lead author Mordechai Guri explains. "We observe that computers vibrate at a frequency correlated to the rotation speed of their internal fans. These inaudible vibrations affect the entire structure on which the computer is placed. Our method is based on malware's capability of controlling the vibrations generated by a computer, by regulating its internal fan speeds.

"We show that the malware-generated covert vibrations can be sensed by nearby smartphones via the integrated, sensitive accelerometers. Notably, the accelerometer sensors in smartphones can be accessed by any app without requiring the user permissions, which make this attack highly evasive. We implemented AiR-ViBeR, malware that encodes binary information, and modulate it over a low frequency vibrational carrier. The data is then decoded by malicious application on a smartphone placed on the same surface (e.g., on a desk)."

The technique mimics that of SurfingAttack, though in reverse: Where SurfingAttack sent silent ultrasonic voice commands to target smartphones by vibrating the desk on which they sat, AiR-ViBeR sends data from a target computer to a receiving smartphone under the attacker's control.

Duo Security's approach, by contrast, is closer to the original TEMPEST attacks: It relies on generating radio signals which can be picked up by a traditional radio receiver. Rather than attacking the display, however, the researchers found a different way to generate the radio signals required: attacking the graphics card itself.

"Graphics cards these days can suck up a lot of power but they aim to be efficient in doing so by scaling power draw with performance requirements," Duo Security researchers Mikhail Davidov and Baron Oldenburg note. "This behavior is typically completely invisible to the end user outside of maybe the sound of a fan spinning up. Facilities vary from vendor to vendor as to how to adjust relevant power mode thresholds and as the machine we ordered has an ATI based GPU, we will be focusing on that.

"When the 214 MHz clock is enabled, we can absolutely pick it up at multiples of 214 MHz with 428 MHz being the loudest for our configuration. This is a great carrier! It is very loud over background and is a nice low frequency of 428 MHz which allows for great signal penetration. In my tests I was able to pick this particular signal up from over 50ft away through a wall. This gives us the ability to on-off key messages one bit at a time, but that is quite slow and we can do much better. The amdgpu driver also lets you configure the actual clock values themselves in 1 MHz increments. So let’s write a script to do just that and step through the lowest 5 frequencies dwelling on each one for half a second."

With finer-grained control comes the ability to encode more data: "Not only can we control the duration of a transmission to encode data," the pair write, "but now we can start to form an alphabet using a technique called sequential multiple frequency shift keying to encode a lot more data per transmission! We can even vary the rate at which we shift from frequency to frequency to further pack additional data."

Guri's AiR-ViBeR paper has been published on arXiv.org under open-access terms; more information on Duo Security's attack can be found on the company blog.