HVACKer: Bridging the Air-Gap by Attacking the Air Conditioning System

Modern corporations physically separate their sensitive computational infrastructure from public or other accessible networks in order to prevent cyber-attacks. However, attackers still manage to infect these networks, either by means of an insider or by infiltrating the supply chain. Therefore, an attacker's main challenge is to determine a way to command and control the compromised hosts that are isolated from an accessible network (e.g., the Internet). In this paper, we propose a new adversarial model that shows how an air gapped network can receive communications over a covert thermal channel. Concretely, we show how attackers may use a compromised air-conditioning system (connected to the internet) to send commands to infected hosts within an air-gapped network. Since thermal communication protocols are a rather unexplored domain, we propose a novel line-encoding and protocol suitable for this type of channel. Moreover, we provide experimental results to demonstrate the covert channel's feasibility, and to calculate the channel's bandwidth. Lastly, we offer a forensic analysis and propose various ways this channel can be detected and prevented. We believe that this study details a previously unseen vector of attack that security experts should be aware of.

[1]  Ross Montgomery,et al.  Fundamentals of HVAC control systems , 2011 .

[2]  Sebastian Zander,et al.  A survey of covert channels and countermeasures in computer network protocols , 2007, IEEE Communications Surveys & Tutorials.

[3]  David G. Holmberg,et al.  BACnet wide area network security threat assessment , 2011 .

[4]  Uwe Fink Coding Theory Algorithms Architectures And Applications , 2016 .

[5]  Giovanni Vigna,et al.  ClearShot: Eavesdropping on Keyboard Input from Video , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[6]  Steven J. Murdoch,et al.  Hot or not: revealing hidden services by their clock skew , 2006, CCS '06.

[7]  Mordechai Guri,et al.  AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies , 2014, 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE).

[8]  Markus G. Kuhn,et al.  Compromising Emanations , 2002, Encyclopedia of Cryptography and Security.

[9]  Eric Michael Hutchins,et al.  Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains , 2010 .

[10]  David Naccache,et al.  Temperature Attacks , 2009, IEEE Security & Privacy.

[11]  Eric Cole,et al.  Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization , 2012 .

[12]  Sebastian Zander,et al.  Capacity of Temperature-Based Covert Channels , 2011, IEEE Communications Letters.

[13]  Dongho Won,et al.  A Practical Study on Advanced Persistent Threats , 2012 .

[14]  Mordechai Guri,et al.  BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations , 2015, 2015 IEEE 28th Computer Security Foundations Symposium.

[15]  Stuart Harvey Rubin,et al.  Distributed denial of service attacks , 2000, Smc 2000 conference proceedings. 2000 ieee international conference on systems, man and cybernetics. 'cybernetics evolving to systems, humans, organizations, and their complex interactions' (cat. no.0.

[16]  Steven B. Smith,et al.  Digital Signal Processing: A Practical Guide for Engineers and Scientists , 2002 .

[17]  Luming Tan,et al.  Future internet: The Internet of Things , 2010, 2010 3rd International Conference on Advanced Computer Theory and Engineering(ICACTE).