Researchers recently demonstrated that air-gapped computers can communicate through heat emissions and thermal sensors, which can potentially lead to loss of sensitive data. How does the attack work? Should enterprises be worried about how it could affect embedded systems and the Internet of Things?
State-sponsored attackers and security researchers with significant resources to devote to an attack can find very novel methods to achieve their goals. Knowing that a target environment is using an air-gapped computer -- common in high-security environments like SIPRNet -- gives an attacker a clear starting point in his attack; he knows communication between the classified and nonclassified systems will require something other than traditional IP and network connections.
The attack in question works by installing malware, via a malicious insider or infected USB drives, on two endpoints to transmit a small amount of highly valuable data over a covert channel, which is set up by one device's malware code changing its power consumption to generate more heat. The heat change is then detected by the second device's heat sensor -- heat sensors are common on devices; they turn on a fan to cool the device so it doesn't overheat.
While this is a low-bandwidth communication channel, it could be used to extract valuable data by modulating binary data into thermal signals, which are then received by the thermal sensors of the adjacent computer. However, enterprises do not need to panic unless they think they are targets of state-sponsored or other attackers with significant attack resources.
Nonetheless, organizations may want to ensure they are using strong physical protections on any devices that could be compromised to transmit sensitive data. This will affect any enterprise with high security requirements, and may also affect embedded systems and IoT devices, which could be manipulated remotely to emit heat signals. An enterprise using or manufacturing devices that might be physically targeted to be compromised should use tamper-evident cases. In addition, enterprises should use sufficient shielding on the device to protect it from heat or sound changes, and potentially place the devices in a secure physical location.
Ask the Expert:
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email. (All questions are anonymous.)
Learn best practices for implementing an air-gapped computer in the enterprise