Data safety is a top priority for organizations as breach incidents continue to climb and the cost of recovery soars. To safeguard extremely sensitive data, many companies leverage air-gapped machines that have no outside internet connection. But this method isn’t foolproof, and researchers have already found ways to grab data using internal or external speakers.
According to new research from the Ben-Gurion University of the Negev, even this may not be enough to stay safe. Researchers recently discovered a new method of exfiltrating data: Named Fansmitter, the technique uses a computer’s onboard fans to transmit information on command. Is this the new sound of stolen data?
The Insider Issue
While businesses have done a solid job of putting air-gapped machines beyond the reach of most cybercriminals, the issue of insiders — employees willing to steal or destroy data for their own agenda or under contract from cybercriminal groups — remains.
According to the Daily Mail, for example, a former Morgan Stanley staffer downloaded more than 730,000 client records onto his home server before the data was subsequently stolen and posted for sale online. Now the financial company is facing a $1 million fine for failing to adequately protect customers’ data.
It makes sense to separate computers that house critical data from average workstations by cutting internet connections and putting them in an access-controlled room. But there’s still a problem: Someone with the right permissions — a system admin or repair tech — could install malware, hide a wireless recording device nearby and then use internal or external speakers to transmit data.
It sounds cumbersome, but it’s enough of a problem that most air-gapped machines are now speakerless in an effort to limit this kind of larceny. Cybercriminals and security researchers, however, are not so easily deterred.
Not a Fan of the Fansmitter
According to SecurityWeek, the Ben-Gurion researchers have discovered a way to use an air-gapped machine’s CPU or chassis fans to transmit bits of data. The Fansmitter — a play on transmitter — method works like this: Insiders install a piece of malware designed to scrape certain kinds of data and control fan speeds on the target machine. A recording device is then placed in the same room and interprets different fan speeds as either a 0 bit or 1 bit, such as 1,000 RPM for 0 and 1,600 RPM for 1.
While this isn’t a speedy process — three bits per minute at low frequency, which works out to around three minutes for a single password character — increasing the RPM can significantly bump up the transfer rate. The malware can also be configured to run only during off hours to limit the chance of discovery by IT professionals. What’s more, the Ben-Gurion team found that almost any kind of audioless device with a cooling fan, such as a printer, control system or IoT sensor, is vulnerable to Fansmitter.
Malware-makers and complicit insiders aren’t going to let the absence of speakers stop their attempts to exfiltrate data. While cutting the internet and pulling the speakers helps lower the chance of a data breach, there’s no substitute for regular human assessment, oversight and — perhaps most importantly — suspicion.
Assumed safety is the cybercriminal’s bread and butter: Fansmitter is proof positive that innovation trumps supposed invincibility.