Site icon Sophos News

Can your computer fan be used to spy on you?

If you’ve ever been to an airshow (or watched the opening of the film Apocalypse Now), you’ll know about BPF, short for blade pass frequency.

If you count the number of whops per second in the whop-whop-whop sound that a single-rotor helicopter makes as it passes overhead, you’ll know its BPF.

Unsurprisingly, the higher the BPF, the higher the pitch of the sound, because sound rises with frequency – an octave for every doubling in frequency, as it happens.

You’ll also know, all other things being equal, that the higher the BPF, the louder the noise a fan makes.

In fact, the noise from a fan apparently increases as the fifth power of the BPF, which is why your bedroom fan goes from a mild buzz on setting I, through an annoying drone on II, to industrial-grade, sleep-busting noise pollution on level III.

This means, in theory, that in a controlled setting (such in the neighbourhood of the average PC or laptop), you can figure out the speed of one or more of a computer’s cooling fans by recording the ambient sound, isolating the fan noise, and estimating its frequency.

Furthermore, many computers have one or more fans built in, and the speed of those fans can often be controlled programmatically.

Covert channels

This makes the fan into a possible covert channel for leaking information from a computer, if there’s no official way of transmitting data from it.

A covert channel is a secret way of communicating something you’ve found out, but in such a way that no one realises you just sent a message.

Sound is one way to jump what’s often called an “network airgap”, in order to get data from a supposedly-secure, standalone device that is supposed to keep secrets…

…onto a nearby device that is online and can call home.

For example, we recently wrote about an Indian company that claimed to have just such a system for keeping track of what TV ads customers ere watching, even on unconnected, non-smart-TVs, by embedding ultrasound in TV ads and picking it up on nearby mobile phones.

There was also the BadBIOS story from 2013, in which a Canadian researcher thought he might have discovered a strain of in-the-wild BIOS malware that could jump between computers in a similar way.

Ultrasound is covert, at least as far as human ears are concerned, because it’s inaudible.

But we’re a bit doubtful about the general reliability of covertly sending and detecting ultrasound on commodity computer hardware, not least because built-in speakers and microphones are usually built down to a price.

Using devices that aren’t supposed to deal with high-frequency vibrations, and don’t need to, is a bit like aiming a cheap pair of binoculars at Saturn and expecting to see the rings.

Fansmitter

But we’re not so doubtful about a recent paper by researchers from Ben-Gurion University of the Negev in Israel, who have written up a way of using computer fan speed to exfiltrate data, dubbed the Fansmitter.

We used a utility called SMCKit to tweak the twin fans on an old MacBook Pro to run at their maximum speed of 6200rpm, and they were intrusively loud. In contrast, when we turned them “off”, (when they actually run at a minimum speed of 2000rpm), they were inaudible, even listening from just millimetres away. Detecting the difference programmatically ought to be easy.

Of course, using fans as a covert channel has its drawbacks.

Once you get used to a laptop, for example, you typically become pretty attuned to its fan noise, and what sort of activity makes the fans fire up and slow down. (Flash video, for example, but we hope that’s unlikely in a secure environment!)

The fans don’t usually speed up and slow down every few seconds in a vaguely random-sounding way.

In other words, fan speed might not be as covert as inaudible ultrasound twitterings would.

But there’s another problem, too.

To exfiltrate data via fan speed, you need to be patient.

The best data rate achieved by the researchers would have been considered “dead slow” even in the era of 300 baud modems: a mere 15 bits per minute, which adds up to just over 100 bytes an hour.

At that speed, it would take you just over a millennium to download the average OS X or iOS update.

Nevertheless, for a device that is not supposed to transmit at all, even 15 bits per minute is far too much.

What to do?

This trick requires unauthorised software (malware) on a supposedly-secure computer, in which case you probably have a lot more to worry about that improper fan noise.

Intrusion prevention, exploit detection, prompt patching, active anti-virus and application control can all help you keep secure devices secure.

The Fansmitter trick also requires a listening device, such as a malware-laden mobile phone, near the target system.

In a really secure area, consider controlling mobile phones (most of which have cameras as well as microphones) by requiring visitors to surrender them into safe-keeping at the entrance to the facility.

If you’re still worried about your fans being used as a secret signalling system, consider buying a fanless computer, such as a 12″ MacBook.

A crook can’t exploit a feature that isn’t there!


Exit mobile version