Bridging an air gap by manipulating environment temperature (Cyber Security)

Not sure how many people are interested in this sort of thing but thought I’d throw it up here anyway.

It’s a paper about - as the title suggests - bridging the air gap to a remote machine containing likely sensitive data. Companies tend to keep these separate from the internet to limit the threat of a cyber attack from the public net, so at that point you typically have two options: compromise the supply chain to gain access to the machine, or physically gain access. This paper proposes hijacking an HVAC system on the same premises as the machine that is not connected, and then using the ventilation system to send thermal signals covertly. It’s a one-way system but interesting nonetheless, and explores an area in security that I personally haven’t seen or heard much about.

edit: forgot to link the damn paper


@Frog51 Should be able to chime in on these matters :slight_smile:

I know diddly squat on cyber security, other than don’t click on that “hot girls in your area want to meet you” or the investment emails from Russia…


Started to read through that doc - but it’ll probably get my full attention when I have some time later. Sounds like an interesting concept.

I’m trying to get my head around the concept of the hack though. I mean, I get you could hack the HVAC which at some point will be connected to an external network… and by influencing that system, you can adjust the environment of the room where the air-gapped system is and transmit signals to it? Do I have that right?

Are they saying that you’d need to initially hack the air-gapped system first using, say, a USB dongle or something and then use the thermal sensors to control the trojan that you have installed? Or are they saying they can hack directly just through thermal controllers without any other influence? If that’s the case, then surely like any well-written system that has an input, you need to sanitise the collected data to ensure it’s not a malicious package.

I’ve probably missed the point and will read the document more carefully and in full later :slight_smile:


There was a piece in section 1.2

1.2 Exploitation of Local Networks

One example of such an insecure and seemingly innocent network and asset is the heating, ventilation, and air conditioning (HVAC) system that is connected to an accessible network or even to the Internet. Today, many large buildings’ HVAC systems are connected together by a network in order to report failures and to provide controls of their activity (such as setting the temperature in every room).

From my understanding of the paper you would have to first compromise the ‘air-gapped machine(s)’ and after you have that complete you would have a covert communication channel to send data. They were able to transmit about 40 bits per hour this way, which is enough for remote execution. After doing some more reading I came across this article:

Apparently a similar type of attack actually happened to Google a few years ago too, so the vulnerabilities were in the maintenance control panel.

The main use case for this is in covert exfiltration of data in situations where you can initially gain access for a short period of time but no continuous C&C.

It’s slow though…


Looks like it would take nearly 5 days (103 hrs) to transfer one sector, which is painfully slow - still an interesting concept though.
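The throughput figures above (40 bits per hour, about 103 hours per 512-byte sector) also hint at how a building-management team could spot such a channel from the telemetry the HVAC already reports: a temperature trace driven by a bit stream reverses direction far more often than a thermostat loop does. The script below is an added example written for this thread, not code from the paper; the two-level stepping of the room and the one-reading-per-minute sampling are its own constructed assumptions, not the paper's modulation scheme.

```python
"""Flag covert-channel-like temperature modulation in HVAC telemetry.
Assumptions (this example's, not the paper's): one reading per minute, a room
stepped between two temperatures to signal bits, and normal HVAC control that
drifts slowly with small sensor noise."""
import math
from typing import Sequence


def hours_to_transfer(bits: int, bits_per_hour: float) -> int:
    """Whole hours a channel of `bits_per_hour` needs to move `bits`."""
    return math.ceil(bits / bits_per_hour)


def count_reversals(readings: Sequence[float], hysteresis: float) -> int:
    """Count direction reversals of the trace, ignoring moves smaller than
    `hysteresis` so that sensor noise does not register as a reversal."""
    reversals, direction, anchor = 0, 0, readings[0]
    for value in readings[1:]:
        delta = value - anchor
        if abs(delta) < hysteresis:
            continue                      # not a confirmed move yet
        new_dir = 1 if delta > 0 else -1
        if direction and new_dir != direction:
            reversals += 1
        direction, anchor = new_dir, value
    return reversals


def reversals_per_hour(readings: Sequence[float], hysteresis: float = 0.5,
                       minutes_per_sample: float = 1.0) -> float:
    hours = len(readings) * minutes_per_sample / 60.0
    return count_reversals(readings, hysteresis) / hours


def is_suspicious(readings: Sequence[float], max_per_hour: float = 4.0) -> bool:
    """A thermostat loop reverses at most a few times an hour; a bit stream
    stepped through the room reverses far more often."""
    return reversals_per_hour(readings) > max_per_hour


def _noise(i: int) -> float:              # deterministic +-0.1 degC jitter
    return 0.1 * ((i * 7) % 3 - 1)

# Constructed telemetry, about 2 h each: slow sinusoidal drift versus a made-up
# bit pattern held 2 minutes per bit, stepping the room between 20 and 22 degC.
NORMAL_TRACE = [21.0 + 0.8 * math.sin(i / 30) + _noise(i) for i in range(120)]
COVERT_BITS = "10110010" * 8
COVERT_TRACE = [(22.0 if COVERT_BITS[i // 2] == "1" else 20.0) + _noise(i)
                for i in range(2 * len(COVERT_BITS))]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TRACE), ("covert", COVERT_TRACE)):
        print(name, round(reversals_per_hour(trace), 1), "rev/h", is_suspicious(trace))
```

With these inputs `hours_to_transfer(4096, 40)` reproduces the 103-hour figure, and the constructed covert trace reverses roughly 20 times an hour against once for the drifting trace.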

Giving this some thought, surely an alternative to this would be to create malware that interrupts an LED on the system and transmits data out. Could be an HDD LED or even a network port - transmitting data out as binary. You just need a camera to record it… so if the building’s security system was on a network you could hack their camera system… or even easier, if the security system recorded to an archive, you could manually infiltrate the security department and steal/copy the footage to review later.


Doesn’t necessarily have to be binary, if you’re using an LED you could use morse code as well, which should be faster to transmit than binary. Seems like a better way to transmit if you have some way of being able to view the transmission. (better than thermals I mean)

Going by the same logic, and assuming that the room is sectioned off, you could use a mic and control the fan speed on the machine to accomplish the same goal I think, although this could be affected by ambient noise as well as other factors.

The LED one has already been used - but it’s only effective for those odd cases where you have line of sight.


Thought it would have been hehe :slight_smile: - The aircon and LED method are proper “thinking outside the box” methods - So what’s the most elaborate hack you’ve heard of that was actually pulled off @Frog51? - I mean one that required social engineering or something really clever as opposed to direct use of technology/code.

This kind of thing fascinates me.

Any of you guys read up on STUXNET, FLAME, GAUSS or DUQU?

Four crazy bits of malware linked with the US, UK and Israel.


Unlike most malware, Stuxnet does little harm to computers and networks that do not meet specific configuration requirements; "The attackers took great care to make sure that only their designated targets were hit… It was a marksman’s job." While the worm is promiscuous, it makes itself inert if Siemens software is not found on infected computers, and contains safeguards to prevent each infected computer from spreading the worm to more than three others, and to erase itself on 24 June 2012.

For its targets, Stuxnet contains, among other things, code for a man-in-the-middle attack that fakes industrial process control sensor signals so an infected system does not shut down due to detected abnormal behavior. Such complexity is very unusual for malware. The worm consists of a layered attack against three different systems:

  • The Windows operating system,
  • Siemens PCS 7, WinCC and STEP7 industrial software applications that run on Windows and
  • One or more Siemens S7 PLCs.

It found its way into the air-gapped Natanz Nuclear facility in Iran and halted the enrichment process, going so far as to cause a nuclear accident that caused the Atomic Energy Minister to resign.

Then there is the ‘Equation Group’ who pulled off the following:

They also identified that the platform had at times been spread by interdiction (interception of legitimate CDs sent by a scientific conference organizer by mail), and that the platform had the “unprecedented” ability to infect and be transmitted through the hard drive firmware of several of the major hard drive manufacturers, and create and use hidden disk areas and virtual disk systems for its purposes, a feat demanding access to the manufacturer’s source code of each to achieve, and that the tool was designed for surgical precision, going so far as to exclude specific countries by IP and allow targeting of specific usernames on discussion forums.

@vredesbyrd I’ve read up on Stuxnet when I was looking at ways to cross an air gap - fascinating how it spread and was deployed though!

I haven’t read up on the others you mentioned though - I’ll have a read up on them later on this evening I think!

@Jester @Frog51 I did see one use of covert exfiltration that used a printer’s internal electronics to emit high-frequency ultrasound, and even radio waves that could be picked up with a nearby transmitter - I’ll see if I can find the paper later and link it.