Air-gapped systems, which are isolated from the Internet and from any other system that is connected to the Internet, are used in situations that demand high security because they make siphoning data from them difficult.

Air-gapped systems are used in classified military networks, the payment networks that process credit and debit card transactions for retailers, and in industrial control systems that operate critical infrastructure. Even journalists use them to prevent intruders from remotely accessing sensitive data. Siphoning data from an air-gapped system generally requires physical access to the machine, using removable media like a USB flash drive or a FireWire cable to connect the air-gapped system directly to another computer.

But security researchers at Ben Gurion University in Israel have found a way to retrieve data from an air-gapped computer using only heat emissions and a computer's built-in thermal sensors. The method would allow attackers to surreptitiously siphon passwords or security keys from a protected system and transmit the data to an internet-connected system that's in close proximity and that the attackers control. They could also use the internet-connected system to send malicious commands to the air-gapped system using the same heat and sensor technique.

In a video demonstration produced by the researchers, they show how they were able to send a command from one computer to an adjacent air-gapped machine to re-position a missile-launch toy the air-gapped system controlled.

The proof-of-concept attack requires both systems to first be compromised with malware. And currently, the attack allows for just eight bits of data to be reliably transmitted over an hour—a rate that is sufficient for an attacker to transmit brief commands or siphon a password or secret key but not large amounts of data. It also works only if the air-gapped system is within 40 centimeters (about 15 inches) of the other computer the attackers control. But the researchers, at Ben Gurion's Cyber Security Labs, note that this latter scenario is not uncommon, because air-gapped systems often sit on desktops alongside Internet-connected ones so that workers can easily access both.

The method was developed by Mordechai Guri in a project overseen by his adviser Yuval Elovici. The research represents just a first step, says Dudu Mimran, chief technology officer at the lab, who adds that they plan to present their findings at a security conference in Tel Aviv next week and have released a paper describing their work (.pdf).

"We expect this pioneering work to serve as the foundation of subsequent research, which will focus on various aspects of the thermal channel and improve its capabilities," the researchers note in their paper. With additional research, they say they may be able to increase the distance between the two communicating computers and the speed of data transfer between them.

In their video demonstration, they used one computer tower to initiate a command to an adjacent computer tower representing an air-gapped system. But future research might involve using the so-called internet of things as an attack vector—an internet-connected heating and air conditioning system or a fax machine that's remotely accessible and can be compromised to emit controlled fluctuations in temperature.

How It Works

Computers produce varying levels of heat depending on how much processing they're doing. In addition to the CPU, the graphics-processing unit and other motherboard components produce significant heat as well. A system that is simultaneously streaming video, downloading files and surfing the internet will consume a lot of power and generate heat.

To monitor the temperature, computers have a number of built-in thermal sensors to detect heat fluctuations and trigger an internal fan to cool the system off when necessary or even shut it down to avoid damage.

The attack, which the researchers dubbed BitWhisper, uses these sensors to send commands to an air-gapped system or siphon data from it. The technique works a bit like Morse code, with the transmitting system using controlled increases of heat to communicate with the receiving system, which uses its built-in thermal sensors to then detect the temperature changes and translate them into a binary "1" or "0."

To communicate a binary "1" in their demonstration for example, the researchers increased the heat emissions of the transmitting computer by just 1 degree over a predefined timeframe. Then to transmit a "0" they restored the system to its base temperature for another predefined timeframe. The receiving computer, representing the air-gapped system, then translated this binary code into a command that caused it to reposition the toy missile launcher.

The researchers designed their malware to take into consideration the normal temperature fluctuations of a computer and distinguish these from fluctuations that signal a system is trying to communicate. And although their malware increased the temperature by just one degree to signal communication, an attacker could increase the temperature by any amount within reason, keeping it small enough to avoid the suspicion that an overactive fan on an overheating computer can attract.

Communication can also be bi-directional with both computers capable of transmitting or receiving commands and data. The same method, for example, could have been used to cause their air-gapped system to communicate a password to the other system.

The malware on each system can be designed to search for nearby PCs by instructing an infected system to periodically emit a thermal ping—to determine, for example, when a government employee has placed his infected laptop next to a classified desktop system. The two systems would then engage in a handshake, involving a sequence of "thermal pings" of +1 °C each, to establish a connection. But in situations where the internet-connected computer and the air-gapped one are in close proximity for an ongoing period, the malware could simply be designed to initiate a data transmission automatically at a specified time—perhaps at midnight when no one's working, to avoid detection—without needing to conduct a handshake each time.

The time it takes to transmit data from one computer to another depends on several factors, including the distance between the two computers and their position and layout. The researchers experimented with a number of scenarios—with computer towers side-by-side, back-to-back and stacked on top of each other. The time it took them to increase the heat and transmit a "1" varied between three and 20 minutes depending on the arrangement. The time to restore the system to its normal temperature and transmit a "0" usually took longer.
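The encoding described above (a sustained rise of about 1 °C held for a few minutes, then a return to the idle temperature) is also what a defender can watch for in the sensor data an operating system already exposes. The following detector is an added example, not code from the researchers or their paper; it assumes one thermal-sensor reading per minute, an idle machine during the first 20 minutes for calibration, and flags a log only when several short plateaus of the right height and duration appear, while ignoring a single long rise from a genuine workload.

```python
from statistics import median

def detect_thermal_signaling(readings, amplitude=1.0, tolerance=0.4,
                             min_plateau=3, max_plateau=20, min_steps=4,
                             calib=20):
    """Scan per-minute temperature readings (°C) for BitWhisper-style signaling.

    Returns (plateaus, alert): plateaus is a list of (start_min, end_min)
    spans where the reading sat roughly `amplitude` above the idle baseline
    for between min_plateau and max_plateau minutes (the 3-20 minute bit
    times reported by the researchers); alert is True when at least
    min_steps such plateaus occur, i.e. a repeated, Morse-like pattern
    rather than one excursion. Parameter values are assumptions for the demo.
    """
    baseline = median(readings[:calib])   # assumed quiet calibration period
    plateaus, start = [], None
    for minute, temp in enumerate(readings):
        elevated = temp >= baseline + amplitude - tolerance
        if elevated and start is None:
            start = minute                # rising edge of a candidate "1"
        elif not elevated and start is not None:
            length = minute - start       # falling edge: measure the plateau
            if min_plateau <= length <= max_plateau:
                plateaus.append((start, minute - 1))
            start = None
        if not elevated and minute >= calib:
            # Track slow, legitimate drift using quiet readings only, so an
            # ongoing burst cannot pull the baseline up and hide itself.
            baseline = 0.95 * baseline + 0.05 * temp
    if start is not None and min_plateau <= len(readings) - start <= max_plateau:
        plateaus.append((start, len(readings) - 1))
    return plateaus, len(plateaus) >= min_steps

def constructed_sensor_log():
    """Constructed sample, not a real measurement: 40 idle minutes at ~40 °C,
    four +1 °C "1" bursts of 5 minutes separated by 6-minute "0" gaps, then a
    30-minute +2 °C genuine workload and a return to idle."""
    jitter = [0.0, 0.1, -0.1, 0.2, -0.2, 0.1, 0.0, -0.1]
    idle = 40.0
    log = [idle + jitter[m % 8] for m in range(40)]
    for _ in range(4):
        log += [idle + 1.0 + jitter[i % 8] for i in range(5)]
        log += [idle + jitter[i % 8] for i in range(6)]
    log += [idle + 2.0 + jitter[i % 8] for i in range(30)]
    log += [idle + jitter[i % 8] for i in range(10)]
    return log

if __name__ == "__main__":
    spans, alert = detect_thermal_signaling(constructed_sensor_log())
    print("plateaus:", spans, "alert:", alert)
```

On the constructed log the four 5-minute bursts are reported as plateaus and raise the alert, while the 30-minute workload rise exceeds the plateau bound and is ignored.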

Other Air-Gap Hacking Techniques

This isn't the only way to communicate with air-gapped systems without using physical media. Past research by other teams has focused on using inaudible acoustic channels, optical channels and electromagnetic emissions. All of these, however, are unidirectional channels, meaning they can be used to siphon data but not to send commands to an air-gapped system.

The same Ben Gurion researchers previously showed how they could siphon data from an air-gapped machine using radio frequency signals and a nearby mobile phone. That proof-of-concept hack involved radio signals generated and transmitted by an infected machine's video card, which could be used to send passwords and other data over the air to the FM radio receiver in a mobile phone.

The NSA reportedly has been using a more sophisticated version of this technique to not only siphon data from air-gapped machines in Iran and elsewhere but also to inject them with malware, according to documents leaked by Edward Snowden. Using an NSA hardware implant called the Cottonmouth-I, which comes with a tiny embedded transceiver, the agency can extract data from targeted systems using RF signals and transmit it to a briefcase-sized relay station up to 8 miles away.

There's no evidence yet that the spy agency is using heat emissions and thermal sensors to steal data and control air-gapped machines; its RF technique is much more efficient than thermal hacking. But if university researchers in Israel have explored the idea of thermal hacking as an attack vector, the NSA has likely considered it too.