Acoustic Side-Channel Attacks: Stealing Data by Listening to Your Computer's Fan or HDD

SHILPI MONDAL | DATE: JANUARY 19, 2025

For decades, the "air gap" has been the gold standard for enterprise security. The logic is simple and seemingly foolproof: if a critical system is physically isolated from the internet-cables cut, Wi-Fi disabled, Bluetooth removed-it cannot be hacked remotely.

But here is the uncomfortable truth keeping C-suite leaders up at night: physics doesn't care about your network policies.Even when a computer is disconnected from the digital world, it remains a physical machine. It generates heat, it consumes power, and perhaps most importantly, it makes noise. As noted in a recent Blue Goat Cyber report, hackers are increasingly pivoting to side-channel attacks, which exploit these physical byproducts to bypass logical defenses.

This isn't science fiction. It is a sophisticated reality where the hum of a cooling fan or the scratch of a hard drive can betray your organization's most guarded secrets.

The Failure of the "Audio-Gap"

Security teams often try to mitigate acoustic risks by creating an "audio-gap" physically removing internal and external speakers from secure workstations. The assumption is that if a computer cannot play sound, it cannot transmit data via audio.

However, researchers have found that speakers are not required to generate noise. Every mechanical component in a server or workstation is a potential instrument.

According to a study on acoustic data exfiltration published by ResearchGate, malware can manipulate the mechanical operations of cooling fans and hard disk drives (HDDs) to generate specific sound waves. These sounds act as a covert carrier signal, transmitting sensitive data like encryption keys or passwords to a nearby recording device.

Fansmitter: Turning Cooling Systems into Transmitters

The most ubiquitous component in enterprise hardware is the cooling fan. It is also one of the most effective tools for adversaries. In a seminal paper on the Fansmitter attack available via arXiv, researchers demonstrated how malware can take control of a computer's fan speed. Changing how long electrical pulses last lets the malicious software tweak the speed of the spinning fan. This shift in rotation creates distinct sound tones deliberately. The method relies on precise timing adjustments hidden within normal operation signals.

A hum here, a different one there - that’s how it speaks. Malware picks 1,000 RPM for silence, meaning zero. A faster spin at 1,600 signals life: that’s the one

While the transmission speed is relatively slow, the reach is alarming. SC Media reports that utilizing higher RPM ranges (4,000–4,250 RPM) allows attackers to achieve transmission rates of roughly 900 bits per hour. That might sound sluggish compared to fiber optics, but it is fast enough to exfiltrate a complex password or a 4096-bit encryption key while your team is out for lunch.

What’s even more concerning is the range. The same research indicates that at lower frequencies, these signals can be picked up by a standard smartphone microphone from up to eight meters away. A compromised phone sitting in a visitor’s pocket across the room could be recording your "secure" data without anyone noticing.

DiskFiltration: The Sound of Seeking Data

If your secure systems still rely on mechanical hard drives, you have another

vulnerability to address.

Unlike fans, which produce a continuous drone, HDDs create noise through the rapid movement of the actuator arm the component that reads and writes data. When the arm moves to a new track, it creates a "seek" sound.

The DiskFiltration attack, detailed in a study from Ben-Gurion University, exploits this mechanic. Malware on the infected system generates a specific pattern of read/write operations, forcing the actuator arm to move in a rhythm that encodes binary data.

This method is significantly faster than fan manipulation. Research cited by DataBorder shows that DiskFiltration can achieve bitrates of 180 bits per minute (10,800 bits per hour). However, there is a trade-off: the acoustic signal from a hard drive is quieter than a fan, reducing the effective capture range to about two meters. This effectively turns the hard drive into a telegraph machine, tapping out secrets to a receiver located just on the other side of a thin partition or under a desk.

The PIXHELL Attack: When Screens Start Singing

You might be thinking, "We’ll just switch to solid-state drives and passive cooling." That solves the mechanical problem, but it doesn't solve the electronic one.

In a newer development known as the PIXHELL attack, detailed by The Hacker News, researchers found a way to make LCD screens generate noise. This technique targets the coils and capacitors in the monitor's power supply.

By displaying crafted patterns of pixels often at brightness levels so low the screen appears black malware can cause these electronic components to vibrate and emit high-pitched acoustic signals (coil whine).

As described in the Ben-Gurion University Research Portal, this attack is particularly insidious because it works even when the computer appears to be asleep or locked. It bypasses the "audio-gap" by exploiting the screen itself, proving that if electricity flows through it, it can likely be weaponized.

The Receiver Problem: Smartwatches and AI

For these attacks to work, there must be a "listener." In the past, this required a spy with a parabolic microphone. Today, the threat is likely wearing a smartwatch.

A paper on the SmartAttack vector hosted on arXiv identifies smartwatches as a critical gap in physical security policies. Not every locked-down site blocks smartwatches, even though phones aren’t allowed. Because these wrist gadgets pack tiny mics tuned to catch sounds beyond normal hearing - some hit 22,000 cycles per second - they might record more than expected. Once outside the controlled area, they could send those clips through wireless links like Bluetooth or internet networks.

Furthermore, the rise of AI has made these attacks more viable. As highlighted in a survey on AI-driven side-channel attacks by MDPI, Deep Learning models can now filter out background noise like air conditioning or conversation and reconstruct data signals with up to 95% accuracy.

Building a Defense Against the Invisible

What happens if the machines meant to protect us are actually the weak point? Security needs more than just unplugging devices - it demands layers of protection working together in ways most people never think about.

Hardware Modernization:

The most effective fix for mechanical vulnerabilities is to remove the moving parts. Transitioning from HDDs to Solid State Drives (SSDs) eliminates the acoustic risk of DiskFiltration entirely, as noted in the DataBorder DiskFiltration report. Similarly, where possible, implementing passive cooling solutions or liquid cooling can mitigate fan-based attacks.

Algorithmic Monitoring:

We need to get smarter about what we monitor. Security software should include Control-Flow Integrity (CFI) checks. As suggested by researchers at the NIH, systems can be trained to detect the abnormal hardware control patterns associated with exfiltration such as a fan speed that oscillates rhythmically without a corresponding change in CPU temperature.

Acoustic Jamming:

If you can't silence the machine, drown out the signal. Some secure areas use sound tools that fill rooms with scrambled audio across the frequencies targeted by spying methods. Because of this, signals get buried under chaos - so much so that pulling useful information becomes unworkable. The clarity needed to decode stolen data vanishes when background distortion takes over completely.

Policy Overhaul:

Finally, we must rethink our "no-device" policies. If a room is truly air-gapped, it must be a "No-Microphone Zone." This includes smartwatches, fitness trackers, and even seemingly benign peripherals like printers or monitors with integrated audio hardware.

Conclusion

The era of "set it and forget it" security is over. Not every empty space stops attacks - just part of a bigger safety net. When hackers use natural forces to grab information, protection can’t stay stuck online - it has to stretch into the real world too.

At AmeriSOURCE, along with our entities IronQlad and AQcomply, we understand that true digital transformation requires a holistic view of security. It’s not just about firewalls anymore; it’s about ensuring your silence really is golden.

KEY TAKEAWAYS

Physics Overrides Logic:

Nothing escapes physics. Air-gapped machines still give off clues through noise, warmth, or invisible waves. These tiny leaks carry secrets without touching software defenses. Signals slip out despite isolation walls. Reality always finds a path.

Fans As Silent Transmitters: 

In the Fansmitter attack, ordinary cooling fans are repurposed as covert transmitters. By carefully modulating fan speeds, attackers can exfiltrate data at rates of up to 900 bits per hour from distances approaching eight meters without raising any obvious alarms.

Hard Drives Still Talk: 

DiskFiltration leverages the mechanical movements of traditional HDDs to “tap out” binary data, reinforcing why SSDs should be mandatory in high-security environments.

Noise from the Unexpected: 

Even components with no moving parts aren’t safe. Attacks like PIXHELL manipulate LCD screens to generate data-carrying acoustic signals through electronic coil whine.

Defense Must Be Holistic: 

Mitigation isn’t about a single control. It requires modern hardware choices (like SSDs), continuous software monitoring (such as CFI), and strict physical security policiesincluding banning smart wearables in sensitive areas.