Mar. 24, 2015

BGU researcher Mordechai Guri, mentored by Prof. Yuval Elovici, has uncovered a new method to breach air-gapped systems. The new research finding is called BitWhisper and is part of the ongoing research on the topic of Air-Gap security at the BGU Cyber Security Research Center. His last finding on air-gap security, a method named Air-Hopper that utilized FM waves for data exfiltration, was published in August 2014. 

BitWhisper is a demonstration of a covert bi-directional communication channel between two nearby air-gapped computers communicating via heat. The method enables bridging the air-gap between the two physically adjacent and compromised computers by using their heat emissions and built-in thermal sensors to communicate. BitWhisper establishes a covert channel by emitting heat from one PC to the other in a controlled manner. By regulating the heating patterns, binary data is modulated into thermal signals. In turn, the adjacent PC uses its built-in thermal sensors to measure the environmental changes. These changes are then sampled, processed, and demodulated into binary data.  
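A defender-side view of the receiving end described above, as an added example that is not code from the BGU researchers: it scans a host's own temperature log for heating and cooling that its CPU load does not explain. The readings, the one-minute sampling interval and every threshold are constructed assumptions.

```python
from statistics import mean

def idle_thermal_events(samples, window=4, delta_c=1.0, idle_load=0.20):
    """Find temperature swings the host's own CPU load does not explain.

    samples: list of (minute, temp_c, cpu_load) with cpu_load in 0..1.
    Returns (start_minute, end_minute, "heat" | "cool", change_c) tuples.
    window, delta_c and idle_load are assumed values, not from the page.
    """
    events, i = [], 0
    while i + window <= len(samples):
        win = samples[i:i + window]
        change = win[-1][1] - win[0][1]
        load = mean(s[2] for s in win)
        if abs(change) >= delta_c and load < idle_load:
            kind = "heat" if change > 0 else "cool"
            events.append((win[0][0], win[-1][0], kind, round(change, 2)))
            i += window - 1  # resume at the last sample of the flagged window
        else:
            i += 1
    return events

def looks_modulated(events, min_alternations=2):
    """True when idle heating and cooling alternate, as regulated external heat would."""
    kinds = [e[2] for e in events]
    return sum(a != b for a, b in zip(kinds, kinds[1:])) >= min_alternations

def make_samples(temps, loads):
    """Pair constructed readings with a minute index."""
    return [(m, t, l) for m, (t, l) in enumerate(zip(temps, loads))]

# Constructed readings, one per minute. BENIGN: the host's own load burst, then cool-down.
BENIGN = make_samples(
    [40.0, 40.1, 41.0, 42.5, 43.5, 43.0, 42.0, 41.0, 40.3, 40.0],
    [0.05, 0.05, 0.90, 0.95, 0.90, 0.10, 0.05, 0.05, 0.05, 0.05])
# SUSPECT: the host stays idle while its sensor rises and falls repeatedly.
SUSPECT = make_samples(
    [40.0, 40.4, 40.9, 41.3, 41.6, 41.2, 40.7, 40.3, 40.0, 40.4, 40.9, 41.4, 41.7],
    [0.05] * 13)

if __name__ == "__main__":
    for name, data in (("BENIGN", BENIGN), ("SUSPECT", SUSPECT)):
        ev = idle_thermal_events(data)
        print(name, ev, "modulated" if looks_modulated(ev) else "not modulated")
```

Ambient changes such as air conditioning also warm and cool an idle host, so the alternation check narrows the alerts without ruling out false positives.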

Experimental results demonstrate that BitWhisper is capable of a rate of eight signals per hour. Although this rate may seem slow compared with other methods of bridging air-gaps, BitWhisper offers two unique and useful characteristics: 1) the channel supports bidirectional (half-duplex) communication as both PCs can act as a transmitter (producing heat) or receiver (by monitoring the temperature), and 2) establishing the channel is possible using off-the-shelf adjacent desktop PCs and requires no special hardware or supporting components.  

These properties enable the attacker to exfiltrate information from inside an air-gapped network, as well as transmit commands to it. Eight signals per hour is sufficient to exfiltrate sensitive information such as passwords or secret keys. Furthermore, the attacker can use BitWhisper to directly control the malware’s actions inside the network and receive feedback.

The scenario of two adjacent computers is prevalent in many organizations where there are two computers on a single desk, one connected to the internal network and the other one connected to the Internet. The demonstrated method can serve both for leaking small amounts of data and for command and control.

A PhD student in the Department of Information Systems Engineering, Mordechai Guri was recently selected to receive a prestigious 2015-2016 IBM PhD Fellowship Award.