The only truly bulletproof system is a system that's turned off.
That said, this seems like a pretty far-fetched scenario. The "40 bits per second" transmission rate quoted is simply not realistic (by several orders of magnitude), and shoots down the credibility of the entire article. There is simply no way you can switch an AC system (or even a simple air baffle in a duct) on/off 40 times a second; and even if you could, thermal inertia of the ducts, air and objects in the room, and PC itself would prevent rapid temperature fluctuations from registering in a PC's temperature sensors. I'm thinking at best you might be able to get on the order of 1 or 2 bits per minute, and even that's probably wildly optimistic.
The article also makes ridiculous leaps of illogic, like "Cyber-attacks involving HVAC systems have already taken place. For example, the source of the Target data breach was a provider of HVAC systems." The HVAC contractor had login credentials on the network; those login credentials were stolen and used to attack the network. The HVAC system wasn't involved in the breach, nor was this an "air gapped" attack. It was a simple case of a careless idiot at the HVAC contractor, and sloppy network security at Target.
This article is an epic fail on bleepingcomputer's part.