We knew it could be done with a wireless mouse, a computer speaker, a microphone or a camera, but now you can steal data using… a fan. Yes, we can now transmit data using the variation in the speed of your computer’s fan. By infecting a computer with specific malware that can control your CPU, case, or power supply fan you can place a smartphone with a specific app nearby and transmit data to it.
From the Hot For Security blog:
“Before you get too fearful that your computer’s fan is sharing your personal or business secrets, it’s important to underline some important points:
- Your computer cannot be infected by malware via sound. Your computer would need to be already compromised and infected by malware to interpret soundwaves collected by its microphone as malicious instructions. And if a computer is already infected, where would be the attraction in infecting it again via the sound of some noisy fans?
- If your computer is air-gapped from the rest of the world, what are the chances that a malicious attacker would be able to infect it with malicious code in the first place to start sharing its secrets by messing around with its fan speed? The most likely route might be via malware on a USB stick being shared with individuals who use the victim PC, or to have meddled with its software somewhere along its supply chain – but it’s not a method of attack that is likely to be deployed against the vast majority of computer users.
- You don’t just have to have a target computer that has been compromised and pumping out data via the fan. You also need a device which can receive the data – it needs to be physically close by (the researchers claim from one to four metres distance).
- Not only does the surveillance device picking up on the sound of the fan need to be close by, it also needs to be present for an extended period of time. In some of its tests the researchers were only able to steal 3 bits (not bytes!) per minute – getting as high as 15 bits per minute when they raised the fan’s oscillation speed”
That’s 900 bits/hour of pure spy fun! This could be handy for getting something like a drive encryption key, but not for those Monty Python videos you have saved.