No matter how secure you think a computer is, there’s always a vulnerability somewhere that an attacker can utilize if they’re determined enough. To reduce the chance of sensitive material being stolen, many government and industrial computer systems are not connected to outside networks. This practice is called air-gapping, but even that might not be enough. The Stuxnet worm from several years ago spread to isolated networks via USB flash drives, and now researchers at Ben Gurion University in Israel have shown that it’s possible to rig up two-way communication with an air-gapped computer via heat exchange.
Researchers call this technique of harvesting sensitive data “BitWhisper.” It was developed and tested in a standard office environment with two systems sitting side-by-side on a desk. One computer was connected to the Internet, while the other had no connectivity. This setup is common in office environments where employees are required to carry out sensitive tasks on the air-gapped computer while using the connected one for online activities.
BitWhisper does require some planning to properly execute. Both the connected and air-gapped machines need to be infected with specially designed malware. For the Internet box, that’s not really a problem, but even the air-gapped system can be infected via USB drives, supply chain attacks, and so on. Once both systems are infected, the secure machine without Internet access can be instructed to generate heating patterns by ramping up the CPU or GPU. The internet-connected computer sitting nearby can monitor temperature fluctuations using its internal sensors and interpret them as a data stream. Commands can also be sent from the Internet side to the air-gapped system via heat.
The malware is able to use the heat patterns as a covert data channel between the machines, thus defeating the air-gap. The data rate between the connected and air-gapped computers isn’t particularly fast — it’s somewhere around eight bits per hour. Still, that’s enough to snatch passwords and text files over time. Because all the data theft takes place over invisible heat signals, there are almost no signs of intrusion in the secure network
Once the malware has found a home in the air-gapped network, it can be instructed to spread to other computers in search of more heat-driven communication channels. The researchers say a secure network is vulnerable to BitWhisper anywhere an internet-connected PC is 15-inches or less away from an air-gapped system. BitWhisper can seek out new connections by sending out periodic “thermal pings” to link up nearby computers.
The researchers demonstrated BitWhisper using a computer with a USB missile-launcher toy attached. In the video above, they were able to send heat commands from the connected system over the air-gap to the isolated system and control the missile launcher. There are a lot of things that can go wrong with this system — something as small as a desk fan could break the connection. Still, it’s an ingenious proof-of-concept.