1) CPU/GPU Thermal Sensors

CPUs and GPUs contain multiple built-in temperature sensing diodes. In the case of CPU s, these diodes enable the system to measure the internal temperature of each core of the CPU separately. In addition to the CPU core's internal sensors, some processors include sensors that monitor the outside of the CPU package. In a typical PC, the difference between the internal temperature of a CPU and the ambient temperature inside the PC's chassis may be tens of degrees. Interestingly, CPU sensors are designed to be more accurate at higher operating temperatures, while being notoriously inaccurate at lower temperatures [21].

2) Motherboard Thermal Sensors

Motherboards usually incorporate thermal sensors and cooling fan controls in order to activate buzzer alarms or emergency shutdowns at extreme temperatures, thus preventing damage to the computer's sensitive components. Sensing is usually performed by the I/O controller for easy monitoring by an application. It is common to place these sensors in locations that are relatively distant from heat sources, in order to monitor the motherboard's temperature itself. In many motherboard models, the overheat threshold (the CPU temperature at which the computer shuts down to prevent damage) can be changed in the BIOS.

3) Other Thermal Sensors

Voltage regulators in a PC supply the required voltage to its CPUs and GPUs. Voltage converters generate a significant amount of heat and require thermal sensing and control. Some computer cases have fans and other cooling methods intended to cool a specific component while dissipating heat from the entire chassis. To that end, thermal sensors are placed in the path of the airflow created by these fans or on the chassis itself. Most hard disk drives and solid-state drives have built-in temperature sensors. Diagnostic software can access these sensor readings through an interface called the Self-Monitoring Analysis and Reporting Technology (S.M.A.R.T) interface [22].

Table 1 summarizes the thermal sensors and their primary characteristics.

Table 1: Survey of thermal sensors (common values)

1) Test Environment

Tests were conducted in two environments: 1) a regular office room (3 by 4 meters) with standard furniture, no windows, and a closed door, and 2) a larger shared office space (4 by 9 meters) with a small window and an open door. The computers were either placed above or below a table or inside a computer desk tray. An additional experiment was conducted in an open room environment (described later in section V). Environmental temperature during the tests was controlled using the office's air-conditioning system.

2) Hardware

We used two sets of PCs for the experiments. The first set consisted of PCs with a GIGABYTE GA-H87M-D3H motherboard and a quad-core hyper-threaded Intel i7-4790 processor with a built-in Intel HD Graphics 4600 display adapter. Both computers had an identical, regular no-brand tower case, with one fan in the back of the case in addition to the CPU and PSU fans. The chassis had a perforated square area on the left side, in front of the CPU fan, and a perforated region near the back and PSU fans. The second set of PCs consisted of Lenovo m57-6072 computers with an Intel Q35 Express chipset, an Intel core 2-duo processor with an integrated display adapter. The Lenovo 6072 had a small-form-factor case with a perforated front and back panels with a single fan blowing air out of the back. We also conducted tests with a large tower case (measuring 9×48×41 cm) manufactured by Gigabyte from the GZ series with a H77-D3H motherboard, and a quadcore hyper-threaded Intel i7-3770 with a built-in Intel HD Graphics 4000 display adapter. For most of the tests, fan speeds were controlled by the default settings of the mother-board. The impact of environment temperatures on fan speeds was tested using an AK-FC-08-AT Asetek fan controller kit. The virtual machine heat emission experiment was conducted using Oracle VirtualBox. The environmental temperature and heat expansion around the PCs were captured by a Fluke VTO4A Visual IR thermometer and a FLIR T335 thermal imaging camera.

3) Software

In order to generate heat, we performed CPU and GPU stress tests. Our code placed heavy stress on the processors by performing CPU intensive calculations and busy loops. We also used FurMark, a GPU stress tester [23] and prime95, a program for finding Mersenne primes that induces a high CPU load and is popular for CPU benchmarking and stress testing [24]. For data recording during the experiments we used a program called HWInfo [25] which sampled and recorded the various thermal sensors and PC fan speeds. The sample rate was 0.5Hz, and all monitored sensors were CPU and motherboard stock sensors. Using the 0.5Hz sample rate, HWInfo in itself utilizes very little CPU time and we validated that it had a negligible effect on the measurements.

4) Layouts and Distances

We conducted tests with different layouts of adjacent pairs of PCs. The layouts reflected common scenarios in which two PCs are placed next to one another in typical office environments. Close proximity between PCs may occur in an office shared by two employees with adjacent desks or in a private office in which a single employee has more than one personal computer near his desk. The latter is common in work environments with air-gapped networks since security measures usually require the employee to have a separate computer for each network. In a typical workplace scenario, due to work area sizes, two desktops are placed side by side (Figure 2) at distances ranging from 1 cm to 1 meter. Moreover, the PCs were generally positioned with the back panel facing the same direction. This layout is used in our experiments unless otherwise mentioned, and is referred to as the parallel layout. Other layouts tested include: 1) both PCs placed horizontally, one on top of the other, with the transmitting computer placed either on the top or the bottom (i.e., stacked layout); 2) two computers placed back-to-back, with the back panels facing each other; this layout reflects the common scenario of two employees sharing an office with desks facing each other (i.e., face-away layout), and 3) two computers positioned in some form of angle (i.e., quadrature layout). An illustration of the different layouts is given in Appendix A.

Figure 2:

Two air-gapped PCs positioned in the parallel layout. The computer on the left transmits a command that instructs the computer on the right to calibrate and fire a USB game rocket.

View All

1) Warming and Cooling

Figure 3 shows a PC's temperature captured by its various thermal sensors over 40 minutes of 100% CPU utilization followed by 40 minutes of nearly 0% utilization. It is apparent that CPU loads have a direct impact on the CPU core's thermal sensors (sensor group A) due to an almost instantaneous increase of about 20°C in the temperature. The motherboard's temperature sensors (sensor group C) showed a +10°C change over 30 minutes. The voltage regulator temperature remained static for the entire duration of the test and was removed from the figures in all further analysis. From a spatiotemporal perspective, the sensors closer to the heat source were affected to a greater extent. Note that it takes about 1.5-3 minutes of continuous work for the ambient temperature sensor to increase by 1°C. This rate decreases slightly as temperatures rise but then remains constant for a maximum of 10°C above the idle temperature.

Figure 3:

Temperature readings from various thermal sensors in a desktop PC as influenced by 100% CPU utilization over 40 minutes.

View All

Once the full CPU utilization stops (minute 40), its internal temperature immediately drops. The ambient case temperature sensor shows that it took about 1–3 minutes for a drop of 1°C, with the rate decreasing slightly as it gets closer to the idle temperature.

In general, we observed that the PC heats up faster near its idle temperature and cools faster near its maximum temperature. This is because at higher temperatures, the fans rotate faster in order to conduct the heat at a faster rate.

2) Casual Thermal Emissions

It is important to measure the heat that a PC generates during casual work in order to anticipate its effect on the thermal communication channel. Obviously, a frequently changing PC workload can generate internal heat that interferes with the original heat transfer. Therefore it is clear that the optimal time to emit thermal signals would be when the PC is idle (e.g., during the night). However, in order to demonstrate the negligible effects casual usage has on the channel, we evaluated the system's thermal emissions during typical daily tasks.

Figure 4 shows a PC's internal ambient temperature alongside its CPU utilization and CPU internal temperature during 30 minutes of daily work. As a reference, we used a typical workstation with an Intel i7-4790 processor, running Windows 7 64Bit. The user's activities include writing a document using Microsoft Word, browsing several websites concurrently using Google Chrome with multiple tabs, and watching video stream on YouTube. As can be observed from the test, none of the workloads accompanies by a rise in ambient temperature. The thermal level remained essentially the same while the ambient temperature was constant at 32°C. Therefore, it is feasible to use a workstation as a receiver during regular work hours, as long as the local CPU does not have an unusual workload. As can be noticed, the CPU heating sensor is much prone to interference by a user's regular work patterns.

Figure 4:

A PC's internal ambient temperature compared to its CPU internal temperature and utilization during routine use.

View All

1) Sensor Selection

A Single Input Multiple Output (SIMO) channel correlates a signal received from multiple vantage points, thereby boosting the signal with respect to natural noise and other interferences. It is possible to form a SIMO channel by correlating all of the thermal sensors together. However, for simplicity, we will only view the channel as a single input single output (SISO) channel. Improving the results (e.g., bandwidth) by using a SIMO channel will be addressed in future dedicated research.

A receiver PC on the channel output must monitor its thermal sensors continuously in order to identify changes in the ambient temperature. To maximize the signal quality, we performed experiments in order to identify the sensors which best capture the environmental temperature changes. Based on our experiments, we identified two important aspects of thermal sensors related to receiving signals on the channel's output: 1) the sensor's technical specifications, and 2) its location within the receiver.

Sensor specifications include: 1) sampling rate, 2) accuracy, 3) sample quantization resolution, and 4) value range (minimum and maximum temperature). Most sensors offer a sampling rate higher than required for accurate measurements. A more accurate sensor with higher quantization resolution can better distinguish between subtle changes in temperature level, thereby increasing the channel bit-rate. The range of the sensor must include the minimum and maximum temperatures used by the channel.

The experimental results indicate that the ambient sensor from sensor group B is the best sensor to use in the SISO channel. This is due to its accurate response to environmental temperature changes and the fact that it is relatively unaffected by the sharp CPU spikes caused by casual background processes. Some of the tests results appear in Figure 5.

We note that in cases in which a PC is unequipped with these thermal sensors (e.g., they are taken out or inaccessible), even the thermal sensor of the HD may be used to sense the channel's output.

Figure 5:

Temperature readings from various thermal sensors in a desktop PC as externally influenced by a transmitting computer over 40 minutes.

View All

2) Distances

An important part of the channel setup is the distance between the transmitter and receiver. The effect of the heat emitted from a PC's exhaust ports has a limited radius, thereby limiting the maximum channel distance. Beyond that radius, the heat intensity fades and expands across the room. Moreover, in common with all physical communication channels, there is a propagation delay between a channel's inputs (transmission) and outputs (its reception some distance away). The propagation delay is directly correlated to the distance between the two parties. During the experiments we observed that the receiver was not able to sense the change in temperature at a distance of more than 40 cm from the transmitter.

In order to measure and evaluate channel properties, we had the transmitter send a steady signal using consistent heat generation, to a receiver computer. The receiver logged the observed temperatures, each time at an increased distance. In this experiment, we used the common parallel layout and conducted a series of trials at distances of 0, 5, 10, 15,20, 25, 30, and 35 cm, and the results of the trials are documented in Figure 6. We observed that at short distances, the transmitter could affect the receiver by 1–4°C. For example, when placed next to each other (∼0 cm), the heat propagation delay for the first 1°C increase was three minutes. After 26 minutes the receiver recorded a +4°C relative change.

At longer distances (e.g., 30–35 cm), we observed that the transmitter could increase the receiver's temperature by at most 1°C. We mention this observation as a constraint for the digital modulation method in section VI.

The experiment clearly demonstrates the relationship between the channel distance and the channel capacity (here represented as the output signal's heat propagation delay). When within a certain radius from the transmitter, there is a near linear relationship: every 1 cm of distance from the receiver increases the heat propagation delay by approximately 0.35 minutes.

Figure 6:

Relationship between distance and rate of temperature increase in the parallel layout.

View All

3) Channel Asymmetry

When the channel is used as a half-duplex channel, we noticed that the transmission times for each direction were different. Intuitively, this type of asymmetric relation could be caused simply because of the variety of PC cases or different hardware components. However, more interestingly, when using the same type of case and hardware, the channel was still asymmetric. We found, however, that this was based on case orientation: for each common case orientation, the relative spatial locations of the motherboard's heating sources had created different obstacles between them with respect to the other party's sensors.

Figure 7 illustrates the asymmetry of the half-duplex channel's capacity between a pair of adjacent PCs in the parallel layout. As can be seen, the heat propagation delay in left-to-right transmissions is smaller than a right-to-left. In the first scenario, the left PC is transmitting and the right PC is receiving. In this case, the heat propagation delay was less than 3 minutes. In the second scenario, the right PC is transmitting and the left PC is receiving. In this case, the heat propagation delay is around 7 minutes.

The asymmetrical property of the thermal channel is even more substantial when examining other case orientations like the stacked layout discussed in the following subsection and in Table 3.

Figure 7:

Channel asymmetrical properties.

View All

4) Effects of Different Orientations

The attacker is usually unaware of the physical layout of the communicating PCs with respect to one another within the context of the attack scenario (section II), and obviously cannot control the layout. We explore the channel's effectiveness across different possible layouts in order to determine the best and worst case scenarios in term of distances. The different layouts are depicted in Appendix A.

Table 3 provides a summary of the results when a transmitter sends a steady signal to the receiver for computers positioned in the stacked layout, comparing those with top computer heating to those with bottom computer heading. Our experiment showed that the computers variously have a heating propagation delay of five minutes (transmitter at top) or 12 minutes (transmitter at bottom). As previously explained, the difference is due to the location of the motherboard in relation to the receiver's case: top computer motherboard is at the lower part of the case, closer to the bottom computer.

Table 3: Properties of the stacked layout.

When the PCs were positioned in the face-away layout (where the backs of the PCs are facing each other), the heat propagation delay was almost 10 minutes, after which, no further increase was recorded. However, the cooling time with this layout is less than three minutes, which is relatively fast. Notably, no more than a 1°C increase was observed by receiver sensors during 40 minutes of heating. This suggests that the unobstructed intake of cool air from the sides of both cases has a significant cooling effect. Figure 8 details the sensor reading of a test preformed using this layout.

Figure 8:

Heat propagation during 40 minutes of heating, face-away layout.

View All

Although uncommon, we investigated the scenario in which the PCs are in the quadrature layout where the posterior side of transmitter points to the side of the receiver (Appendix A, layout B). From a distance of 6 cm between the transmitter and the receiver, the heat propagation delay is 115 seconds, which is relatively fast. An increase of 4°C took 11 minutes, and the cooling time was approximately 100 seconds. While uncommon, this layout demonstrates the importance of two parameters of computer case design and layout, the location of air intake and the direction of air exhaust.

5) Effects of Location Relative to Walls or Furniture

Based on our observations, the distance of the computers from other objects such as walls and furniture has a significant impact on the thermal channel properties. To better understand their effects, we placed a pair of PCs in the parallel layout on top of a table in the middle of a room. In this scenario, the heat propagation delay for 1°Cwas about 25 minutes, as shown in Figure 9. This was significantly longer compared with an arrangement in which the computers were even 35cm apart and placed near a wall or table, In which case the heat propagation delay for 1°C was only about 16 minutes. The main reason for the difference is that in the middle of the room (with no walls or surrounding furniture); the hot air exhaust from the heating computer is unobstructed and spreads to the entire room, hence requiring a larger heat increase before a change is registered in the receiver, causing a delay. Nevertheless, locating computers in the middle of the room with no adjacent walls or surrounding furniture is far less common than being under a table or close to walls.

Figure 9:

Heat propagation over 40 minutes, parallel layout in the middle of the room.

View All

1) Differential Non-Return-to-Zero

Differential non-return-to-zero (DNRZ) line code is a variant of NRZ [27] that we have modified to fit the slow moving trends of thermal signals and the unpredictable base temperature of the receiver. Binary symbols are decoded based on the previous base temperature (hence differential) instead of absolute levels. Meaning that, if the signal level has risen (on average) over the current interval ($T$) compared with the last symbol interval, then a ‘1’ is decoded. Conversely, if the level has decreased or stays the same, then a ‘0’ bit is decoded. Figure 12 details an example transmission and decoding of data using DNRZ with $T=40$ minutes.

Figure 12:

A DNRZ transmission of ‘11010’ using a symbol interval of T 40 minutes, where the PCs have a parallel layout, and distance of 10 cm.

View All

Following these rules, the transmitter decides whether to raise or lower the temperature (i.e. to heat or not heat up the CPU) at the beginning of the symbol interval for a period of $T$. A summary of the line coding and decoding rules can be found in Table 4 and Table 5. $\Delta t$ is the time since the beginning of the symbol interval $T$.

Table 4: Transmitter's line encoding rules

Table 5: Receiver's line decoding rules

As described in section V, the range of externally induced, relative temperature increase is sometimes very limited. This requires the transmitter to stop heating for the second part of the symbol period, allowing for the receiver to cool down before the next symbol period begins. Consequently, the symbol interval $T$ for DNRZ is $T=f(H)+f(L)$ with a bit-rate of $\frac{1}{f(H)+f(L)}$ bits per minute (bpm).

This line coding, assumes that $H$ and $L$ are known to both the receiver and transmitter prior to communication. Later in this section, we propose synchronization techniques for acquiring these values during the handshake phase.

2) Custom 8b/10b

DNRZ requires a significant cooling phase during each period to be included in each symbol period. Alternatively, this can also be avoided, to some extent, by using line coding schemes similar to 8b/10b coding, specifically designed to limit the number of consecutive ‘1” bits rather than evening the bits. This encoding allows the receiver to use the periods in which the transmitter is not generating heat (transmitting a ‘0’) for cooling down. The proposed custom 8b/10b line coding focuses on a separation of ‘1's and ‘O’ s. it is a word mapping that converts words with a length of 8 bits to 10 bits, where the 10 bit words ensure a transmission of at most two consecutive ‘1”s. The proposed custom 8b/10b line code is presented in Table 6 with the input byte values appearing in decimal and binary, and the encoded value in binary with a ‘WXYZ’ signifying that the input bit value is maintained for that position.

Table 6: Custom 8b/10b encoding rules

This line coding is used with DNRZ in order to improve reliability of the channel and decrease the required symbol interval $T$ by allowing the transmitter to generate heat for the entire duration of $T$. Consequently, $T=MAX(H, L)$ However, In section V we saw that for most practical cases $L > H$ so $T=MAX(H, L)=L$. Due to the overhead of the added bits, the bit-rate will is slightly reduced. The bit-rate when using this line-coding scheme with DNRZ is $\frac{4}{5f(L)}$ bpm.

The last proposed line codes assume that both communicating computers have synchronized world clock times in a resolution of one minute. As previously described, the temperature changes measured by the sensors occur on a scale of minutes. Therefore, we assume that both computers have sufficiently synchronized clocks, whether they are using different time servers or none at all. Note that in administrated and managed networks this assumption is reasonable.

3) Time Index Signaling

Time Index Signaling (TIS) is a line coding in which signals are encoded over different allocated time-slots. Let the message to be transmitted be $M=\{X_{1},X_{2}, \ldots, X_{n}\}$ where $X\in\{0,1, \ldots,15\}$ value is indicating a hexadecimal symbol (4 bits). $D$ is a predefined interval of time in minutes. Both the receiver and transmitter wait until a predetermined world-clock time (such as 12:00am), at which point, the transmitter waits $X_{1}\ast D$ minutes and then heats the channel for $H$ minutes followed by a cooling phase of $L$ minutes. This is repeated $n$ times until the entire message $M$ is transmitted. The receiver decodes symbol $X_{i}$ by dividing the delay $(X_{i}\ast D)$ between signals by $D$ minutes. The following pseudo codes details the action of transmitter and receiver. The Generate-Heat function starts the heat emission (at the transmitter) for a period of $H$ minutes. The MonitorTemperatureRise function (at the receiver), monitors the temperature sensor and wait until an increase of 1°C is detected.

Algorithm 1: TIS Transmission

Algorithm 2: TIS reception

We assume that $H$ and $L$ parameters are synchronized and known by both sides, similar to the previous coding methods. In Figure 13 we can see a successful transmission of the B5 hexadecimal value using the TIS method. The parameters in this case are $D=2, H=6, \text{f}(H)=10$, and $L=30$. The first digit is 0xB which is 11 decimal, so the sender waits 22 minutes $(D^{\ast}11=2^{\ast}11=22)$ for the right timeslot. At the next step, the transmitter generates heat for 10 minutes $(H=10)$ and then remain idle for 30 minutes $(L)$. To signal the $0\times 5$ digit, it sleeps for an additional 10 minutes $(D^{\ast}2=5^{\ast}2=10)$ and generates a heat pulse for 10 minutes $(H)$. The receiver senses a temperature increase for B and 5 after approximately 28 and 77 minutes respectively. Decoding the data is performed by subtracting the heating time $H$ from the time of the sensed temperature increase to retrieve the time slot delay and divide it by the slot size $D$. in our example

View Source\begin{equation*} \left\lceil \frac{(28-0)-6}{2}\right\rceil=B\ \text{and}\ \left\lceil\frac{(77-62)-6}{2}\right\rceil=5. \end{equation*}

Figure 13:

A TIS transmission of hex values B5 using $\boldsymbol{D}=2\mathbf{min},\boldsymbol{H}=6\mathbf{min},\mathbf{f}(\boldsymbol{H})=10\mathbf{min},\boldsymbol{L}=30\mathbf{min}$, with a parallel layout and distance of 10cm.

View All

It is clear that the TIS scheme's bit-rate is variable based on the value of the message $M$. In the worst case where $M=\{F,\ F,\ F,\ \ldots\}$, the bit-rate of TIS is $\frac{4}{(f(H)+L+15D)}$ bpm.

During the experiments, we observed that $D=2$ minutes is a good interval for most cases. However, a smaller $D$ may be used in environments with a steady temperature. Moreover, a parity bit can be added to the transmission, allowing for useful error detection. Because in most cases, the received time index is not likely to drift by more than $D$ minutes, resulting in a change in parity. One of the advantage of this encoding scheme is that it minimizes the number of heat emissions required to only one emission for every 4 bits. This characteristic is especially important to the thermal based channel since each heating and cooling phase consumes resources and is prone to environmental interference.

4) Comparison of Digital Baseband Modulations

The bit-rates of each encoding scheme depend on $H$ and $L$, which vary between setups. To summarize, we present an example of bit-rates based on parameters from our experiments in Table 7. The $H$ and $L$ values are based on observations from a parallel layout setup with a 10 cm distance between the PCs. Although the parameters are not optimal, in order to more clearly demonstrate possible results.

Table 7: Data rate formulas and examples