Researchers at David Ben Gurion University in Israel have demonstrated controlling a toy rocket launcher attached to an air gapped computer by another computer nearby (see article).
There are lots of limitations to this attack, but it still shows how a motivated attacker like the NSA or its competitors can suck data out of a computer if they want to.
This is likely not an attack we should worry about protecting our home or business computer from, but it is still impressive.
Current limitations on the attack include that there have to be two computers within 15 inches of each other, with one being the air gapped one and the other being connected to the Internet. This is not an uncommon situation in places like oil refineries or nuclear power plant control rooms.
Both computers need to be infected with the malware and the data rate is really slow – about 8 bits an hour. The key to this is to send very small commands and very small responses.
The technique works by raising the temperature of one computer a little bit and having the other computer's heat sensors detect the change; raising and then lowering the temperature on a schedule encodes the 1s and 0s.
The technique does suggest that physically separating those two classes of computers in a high security environment is probably a good idea.
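One defensive angle on the channel described above is to watch the temperature sensors the attack abuses. The following is an added example, not code from the researchers or the article: it reads a constructed series of per-minute CPU temperature readings and flags a long run of unusually regular heat on/off cycles, which is what a slow thermal signal looks like and what ordinary workload heating does not. The thresholds (5 degree step, six transitions, 0.25 coefficient of variation) are assumptions chosen for the sample data.

```python
from statistics import median, mean, pstdev

# Constructed sample data (not real sensor logs): one CPU temperature
# reading in degrees C per minute. COVERT alternates 6 minutes hot / 6 minutes
# cool, a cadence in the range of a few bits per hour; BENIGN is irregular
# workload heating of a similar magnitude.
COVERT = [40] * 6 + ([48] * 6 + [40] * 6) * 5
BENIGN = ([40] * 10 + [47] * 2 + [40] * 15 + [52] * 5 + [41] * 3
          + [40] * 20 + [46] * 1 + [40] * 10)


def binarize(samples, delta=5.0):
    """Mark a reading 1 when it sits at least `delta` degrees above the median baseline."""
    base = median(samples)
    return [1 if t - base >= delta else 0 for t in samples]


def run_lengths(bits):
    """Lengths of consecutive equal-bit runs, e.g. [1, 1, 0, 0, 0] -> [2, 3]."""
    runs, cur = [], 1
    for prev, nxt in zip(bits, bits[1:]):
        if prev == nxt:
            cur += 1
        else:
            runs.append(cur)
            cur = 1
    runs.append(cur)
    return runs


def assess(samples, delta=5.0, min_transitions=6, max_cv=0.25):
    """Return (transitions, cv, suspicious).

    suspicious is True when the trace shows many hot/cool transitions whose
    run lengths are nearly uniform (low coefficient of variation), the
    signature of a clocked signal rather than of a bursty workload.
    """
    runs = run_lengths(binarize(samples, delta))
    transitions = len(runs) - 1
    inner = runs[1:-1]  # drop the partial first and last runs
    if transitions < min_transitions or len(inner) < 2:
        return transitions, None, False
    cv = pstdev(inner) / mean(inner)
    return transitions, round(cv, 3), cv <= max_cv


if __name__ == "__main__":
    print("covert:", assess(COVERT))   # regular cadence -> flagged
    print("benign:", assess(BENIGN))   # irregular runs -> not flagged
```

In practice the sample rate, step size and cadence window would be tuned to the room's normal thermal behaviour, and a flag should trigger a look at what processes are loading the CPU at those times.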
The same folks at Ben Gurion previously showed that they could take an infected video card and use the FM radio receiver in a mobile phone to transmit data from the PC to the phone. This new attack, while having a much lower data rate, is bidirectional.
The article also talks about the NSA version of these techniques. The basis for that is documents leaked by Edward Snowden and dated 2008, so things are probably way better by now.
The NSA's Tailored Access Operations (TAO) division is known for modifying hardware, although with software getting a lot better, that is likely becoming less important. If you mess with the hardware, you have to get physically near either the manufacturer or the attack target. With software, you can do it from the other side of the globe.
One NSA technique, called Cottonmouth-1, embeds a tiny transmitter and receiver into a USB connector to both extract data and inject malware. It can transmit to a suitcase sized controller up to 8 miles away. Obviously, this could be detected by spectral analysis (watching for unexpected radio signals) or blocked by RF shielding, but that would likely only happen in an ultra secure government facility (hopefully like an embassy or military installation). If you are hacking bad guys or businesses, it is highly unlikely that they would detect it.
If you are into James Bond-esque stuff, Bruce Schneier talks about Cottonmouth, Straitbizarre, Genie, Chimneypool and Howlermonkey, among other NSA goodies here.