How Hackers Can Leak Data from Air‑Gapped PCs Using Fan Vibrations
Researchers demonstrate that even computers isolated from networks can exfiltrate secret data by modulating fan speed to create vibrations that a nearby smartphone’s accelerometer can capture and decode, revealing a new low‑bandwidth side‑channel attack called AiR‑ViBeR.
Attack Overview
The AiR‑ViBeR attack consists of three stages:
Malicious code running on the air‑gapped host manipulates the speed of internal fans (CPU, GPU, or power‑supply fans) via standard fan‑control interfaces (e.g., ACPI or SMBus). Varying the fan RPM changes the mechanical vibration frequency.
A nearby smartphone (or any device with a MEMS accelerometer) is placed on the desk or within a few centimeters of the chassis. The accelerometer records the vibration waveform.
A companion application processes the sampled accelerometer data, demodulates the frequency‑shift keying (FSK) or on‑off keying (OOK) scheme used by the malware, and reconstructs the transmitted bits.
Prior Air‑Gap Covert Channels
LED‑it‑Go – data encoded in hard‑drive activity LED blinking.
USBee – electromagnetic radiation emitted from USB data lines.
AirHopper – GPU‑generated radio signals captured by nearby phones.
PowerHammer – data modulated onto power‑line fluctuations.
… and many other side‑channel techniques.
AiR‑ViBeR extends this line of research by using vibration as the transmission medium.
Technical Details
Fans generate measurable vibrations in the audible and near‑ultrasonic range. By controlling the fan’s duty cycle, the malware can produce a carrier frequency (typically a few hundred Hz) and modulate data by shifting the frequency or toggling the fan on/off. The smartphone’s accelerometer samples at up to several kHz, providing sufficient resolution to capture the carrier and its modulation.
Two collection scenarios are described:
Physical proximity: The attacker briefly accesses the target environment, places a smartphone on the workstation’s desk, and records vibrations without touching the computer.
Compromised employee device: Malware installed on an employee’s phone continuously monitors the accelerometer, allowing remote collection even when the attacker cannot physically approach the machine.
The channel’s raw throughput is approximately 0.5 bits / second, making it the slowest of Guri’s covert‑channel portfolio. Consequently, while technically feasible, the method is unlikely to be chosen when faster side‑channels are available.
Mitigation Strategies
Vibration detection: Deploy dedicated accelerometers on high‑value assets to monitor for anomalous vibration patterns and trigger alerts.
Fan‑control monitoring: Use endpoint‑protection or integrity‑monitoring tools to detect unauthorized calls to fan‑control APIs (e.g., ACPI, SMBus) and to block root‑kit techniques that bypass normal OS checks.
Physical isolation and damping: Enclose critical systems in vibration‑absorbing chassis, replace fans with liquid‑cooling loops, or introduce random fan‑speed jitter to obscure any intentional modulation.
Each countermeasure involves trade‑offs in cost, deployment complexity, and effectiveness.
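As an added illustration of the fan-control monitoring idea (example code written for this summary, not taken from the AiR-ViBeR paper or any product), the sketch below flags a telemetry window in which the fan keeps stepping between speeds while the temperature that normally drives it stays flat. The once-per-second RPM and temperature samples are constructed, and the function names and thresholds are assumptions chosen for the example.

```python
from statistics import mean, pstdev

# Constructed telemetry, one sample per second (assumed source: any
# hardware-monitoring agent that logs fan RPM and CPU temperature).
BENIGN_TEMP = [45, 46, 48, 52, 57, 62, 66, 69, 70, 70, 68, 64, 59, 54, 50, 47]
BENIGN_RPM = [1200, 1250, 1320, 1480, 1690, 1880, 2050, 2160,
              2200, 2190, 2120, 1960, 1760, 1560, 1400, 1280]
STEPPED_TEMP = [45, 45, 46, 45, 46, 46, 45, 46, 45, 45, 46, 45, 46, 45, 45, 46]
STEPPED_RPM = [1200, 1210, 1790, 1800, 1205, 1195, 1800, 1810,
               1790, 1800, 1200, 1190, 1805, 1795, 1200, 1210]


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    mx, my = mean(xs), mean(ys)
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return mean((x - mx) * (y - my) for x, y in zip(xs, ys)) / (sx * sy)


def count_level_switches(rpm, min_step=300):
    """Count sample-to-sample jumps of at least min_step RPM."""
    return sum(1 for a, b in zip(rpm, rpm[1:]) if abs(b - a) >= min_step)


def analyze_window(rpm, temp_c, min_switches=4, max_corr=0.5, min_step=300):
    """Return (flagged, switches, correlation) for one telemetry window.

    A window is flagged when the fan steps between speeds repeatedly
    and those changes do not track temperature (illustrative thresholds).
    """
    switches = count_level_switches(rpm, min_step)
    corr = pearson(rpm, temp_c)
    flagged = switches >= min_switches and corr < max_corr
    return flagged, switches, corr


if __name__ == "__main__":
    for name, rpm, temp in (("benign", BENIGN_RPM, BENIGN_TEMP),
                            ("stepped", STEPPED_RPM, STEPPED_TEMP)):
        flagged, switches, corr = analyze_window(rpm, temp)
        print(f"{name}: flagged={flagged} switches={switches} corr={corr:.2f}")
```

In practice the thresholds would be tuned against a baseline of the monitored machine's normal thermal behaviour before alerting on them.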
References
Full technical details are available in the paper “AiR‑ViBeR: Exfiltrating Data from Air‑Gapped Computers via Covert Surface ViBrAtIoNs” (arXiv:2004.06195v1). Additional coverage can be found at ZDNet: https://www.zdnet.com/article/academics-steal-data-from-air-gapped-systems-using-pc-fan-vibrations/.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.
