All computers have built-in thermal sensors, which detect the heat produced by processors and trigger the rotation of fans to avoid damage to components. To achieve the hack in an office setting, snoopers would infect two adjacent desktop PCs—one air-gapped, the other connected to the Internet—with malware that can take control of the machines and enable them to decode messages hidden in the sensor data. A virus carrying the malware could infect the Internet-connected machine fairly easily, whereas a USB drive or other hardware approach would be required with the air-gapped machine—a feat that could prove difficult at high-security locations.
In a scenario in which a hacker sought a password stored on the air-gapped computer, the malware could instruct the computer’s central processor to perform work in a pattern of activity that reveals those characters. Each spate of activity would produce a puff of warm air that would travel to the connected computer, where its thermal sensors would log that single bit of information. Over time, voilà, a set of bits representing the password. The connected computer could then send that information to the interested party. The computer scientists call their hack BitWhisper.