A paper by Ben Gurion University researchers to be presented at a Tel Aviv security conference demonstrates “Bitwhisper,” a covert communications channel that allows computers to exchange data by varying their temperature, which can be detected by target machines within 40cm.
The backchannel is a threat to airgapped systems that are used to handle sensitive information, and which are often used alongside of networked machines, so that users can switch easily to an Internet-connected system. Both systems have to be compromised for this to work, of course, so the threat model is something like having an airgapped machine that is backdoored in transit (as with the NSA’s practice of diverting computer shipments and fitting them with malware). The researchers anticipate using embedded computers — such as those in printers — as a vector, since these have notoriously poor security.
The malware on each system can be designed to search for nearby PCs by instructing an infected system to periodically emit a thermal ping—to determine, for example, when a government employee has placed his infected laptop next to a classified desktop system. The two systems would then engage in a handshake, involving a sequence of “thermal pings” of +1C degrees each, to establish a connection. But in situations where the internet-connected computer and the air-gapped one are in close proximity for an ongoing period, the malware could simply be designed to initiate a data transmission automatically at a specified time—perhaps at midnight when no one’s working to avoid detection—without needing to conduct a handshake each time.
The time it take to transmit data from one computer to another depends on several factors, including the distance between the two computers and their position and layout. The researchers experimented with a number of scenarios—with computer towers side-by-side, back-to-back and stacked on top of each other. The time it took them to increase the heat and transmit a “1” varied between three and 20 minutes depending. The time to restore the system to normal temperature and transmit a “0” usually took longer.
Stealing Data From Computers Using Heat [Kim Zetter/Wired]