The soundest security advice managers of critical computing systems have been given is to air gap those machines. Don’t network them and don’t expose them to the Internet, and there’s no way hackers reach them from the Web and no way a direct infection replicates.

Recently, there’s been reason for pause in that thinking, starting with the speculation and skepticism over badBIOS, malware that allegedly can not only cross platforms, but can infect air-gapped machines using sound waves.

Now comes another attack using high-frequency sound waves to infect machines, bypassing the good old-fashioned ways of phishing emails and infected USB drives. Researchers at the Fraunhofer Institute for Communication, Information Processing and Ergonomics in Germany had a paper published last week in the scientific journal, Journal of Communications of San Jose, in which they describe how to use a communication system designed for underwater use to deliver or intercept short bits of code, such as passwords, over hops of air-gapped computers. The computers act as a mesh network where each node can send or receive code—in this case an audio emanation—and acts as a router sending data to the next hop in the chain before it’s received by the attacker.

Michael Hanspach, one of the researchers, along with colleague Michael Goetz, told Threatpost that there is no connection between their paper “On Covert Acoustical Mesh Networks in Air” and badBIOS. Hanspach said their attack is practical today because the utilized techniques are well documented.

“If we were able to come up with this research with very few people, time and budget (and with good intentions), so would be larger groups (maybe with a different intention),” Hanspach said via email. “Therefore, anyone working in a security critical context should be thinking about protection measures.”

The two scientists were able to use this underwater communication system, based on the Generic Underwater Application Language (GUWAL), which is used for communication on networks with low bandwidth, to exchange data between unconnected systems using only the built-in microphones and speakers that accompany today’s computers. They used a Lenovo T400 laptop running the Debian operating system. Devices such as microphones and speakers are not generally considered when network and security policies are developed, the scientists said, making them the perfect pawns for this kind of covert communication.

“The concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered,” the scientists wrote in their paper.

The scientists were able to use ultrasonic frequencies, inaudible to humans, to transmit data almost 65 feet between laptops at a slow rate of 20 bits per second, with a latency of 6 seconds per hop. Adding hops overcomes the distance problem but, for this particular scenario, limits the sophistication of the code sent.

“Of course, you could only transfer small-sized information over this network,” Hanspach told Threatpost. “But, the limit of 20 bit/s is just what we could reasonably achieve in the presented setup and is not necessarily a general limit.”

The research paper presents several scenarios in which such an attack would work. In one, starting with a computer compromised with a keylogger called logkeys, keystrokes are written to a named pipe that is read out by the acoustic transmitter, the paper said, which sends the data through the covert network until it reaches the attacker. Hanspach said the keylogger has been successfully tested in this setup.

Hanspach and Goetz also said that this type of covert network could be used to break two-factor authentication by listening for and transmitting the authentication feedback of a hardware dongle or smartcard. They also speculate it could be used to send data such as private encryption keys or text files of stolen data.

As for countermeasures, it may not always be possible to turn off audio devices because they would be needed for VoIP or video conferencing, so the scientists recommend the use of audio-filtering guards or a host-based audio intrusion detection guard, both of which analyze audio input and output looking for anomalous signals or hidden messages.
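The kind of check a host-based audio intrusion detection guard could run on captured microphone frames, as an added example that is not code from the paper or from this article: it measures what fraction of a frame's spectral energy lies above a cutoff and flags frames that exceed a threshold. The 48 kHz sample rate, 18 kHz cutoff, alert threshold and test frames are all constructed assumptions.

```python
import math

RATE = 48_000        # assumed capture rate; must exceed twice the band watched
CUTOFF_HZ = 18_000   # assumed lower edge of the band treated as inaudible
STEP_HZ = 125        # probe spacing, narrower than the Hann main lobe at N=512
THRESHOLD = 0.001    # assumed alert level: more than 0.1% of energy above cutoff

def goertzel_power(frame, freq, rate=RATE):
    """Spectral power of `frame` at a single frequency (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def high_band_ratio(samples, rate=RATE, cutoff=CUTOFF_HZ):
    """Fraction of probed spectral energy at or above `cutoff`."""
    n = len(samples)
    # Hann window keeps loud voice-band tones from leaking into the high band.
    hann = [0.5 - 0.5 * math.cos(2 * math.pi * i / (n - 1)) for i in range(n)]
    frame = [s * w for s, w in zip(samples, hann)]
    total = high = 0.0
    for freq in range(STEP_HZ, rate // 2, STEP_HZ):
        p = goertzel_power(frame, freq, rate)
        total += p
        if freq >= cutoff:
            high += p
    return high / total if total else 0.0

def is_suspicious(samples, threshold=THRESHOLD):
    """True when the frame carries unexpected near-ultrasonic energy."""
    return high_band_ratio(samples) > threshold

def tone(freq, amp, n=512, rate=RATE):
    return [amp * math.sin(2 * math.pi * freq * i / rate) for i in range(n)]

def mix(*signals):
    return [sum(vals) for vals in zip(*signals)]

# Constructed frames: voice-band tones only, then the same plus a quiet 19 kHz carrier.
VOICE = mix(tone(300, 0.6), tone(1200, 0.3))
WITH_CARRIER = mix(VOICE, tone(19_000, 0.08))

if __name__ == "__main__":
    for name, frame in (("voice", VOICE), ("voice+19kHz", WITH_CARRIER)):
        print(f"{name}: ratio={high_band_ratio(frame):.6f} alert={is_suspicious(frame)}")
```

On real hardware the threshold has to be tuned against the microphone's own noise floor in the high band, which this constructed input does not model.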

While the possibilities presented in this paper and by badBIOS might seem outlandish, they are new areas of research that defenders have not considered in policies or preventative technology.

“We have shown that the establishment of covert acoustical mesh networks in air is feasible in setups with commonly available business laptops,” the paper said. “Acoustical networking as a covert communication technology is a considerable threat to computer security and might even break the security goals of high assurance computing systems based on formally verified micro kernels that did not consider acoustical networking in their security concept.”


Comments (7)

  1. Anonymous

    “…speculation and skepticism over badBIOS, malware that allegedly can not only cross platforms, but can infect air-gapped machines using sound waves.

    Now comes another attack using high-frequency sound waves to infect machines…”

    Emphasis mine. As far as I’ve seen, neither these researchers nor those looking at badBIOS have claimed that a machine can be infected through audio channels. In both cases they are referring to covert communication between already compromised machines. With badBIOS, the audio channel might be able to re-infect an imperfectly cleaned machine still running the audio-communication part of the malware.

  2. Alonso

    Come on Threatpost, you’re usually more thorough!
    I’ve read the paper, nowhere is it stated that a machine can be infected. Infected machines were shown to be able to covertly communicate with each other via audio signals, reaching 20 bps in perfect conditions (No noise, CPU is idle, etc.)

    We can worry about other things for now.

    • CJ

      Alonso – Mike didn’t say the paper itself indicated infection could occur this way. He only referred to “speculation over badBIOS, malware that can allegedly…infect”. This article is about how something unproven (and widely approached with skepticism) and something recently proven aren’t really very far apart. He isn’t saying the paper proves the “alleged” capabilities of badBIOS.
      Do you think it’s such a tremendous leap from “transmitting/receiving data on air-gapped systems” and “getting infected” by it?

  3. JS

    If computer speakers were bandpass filtered to, say, 40Hz to 16KHz, then any tone beyond most people’s ability to hear it could not be output. If the computers’ microphone was also filtered to that, then any ultrasonic tone could not be picked up. So even a machine with badBIOS could not communicate. I realize this would add perhaps fifty cents to the production cost of each laptop so it’s not going to happen.

  4. TR

    Anyone that doesn’t believe this is happening is in for a rude awakening. Trust me, you don’t want proof. All it did is cost me two jobs that I made a very good salary at, my image has gone from one of great respect to the guy in the tin foil hat. All my money was drained from my bank accounts in transactions that were between $6 & $9 at a time totaling thousands and thousands of dollars. Anytime I went for help, ‘I was off my rocker’. Any calls to my cellphone provider, manufacturer, internet provider, bank all were handled as expected and I hung up satisfied I had gotten a solution only to not see any changes. I ended up going to these places in person to find out what was going on only to have them tell me there’s no record of any of my calls. I went to the nearest FBI office, they told me there’s nothing they can do. I have lost everything. I’ve been diagnosed with PTSD and major depression and just a year ago I was a happy healthy person who enjoyed golf and company. I have since pawned my golf clubs and avoid people because I’m constantly mocked. Note: Bank of America acknowledged theft from my account and reimbursed me close to $6000. They never found out where it ended up. It was taken by iTunes on first glance, new.itunes.com when tracking that down. Apple took my iPhone and gave me a new one but wouldn’t talk about it. No engineer would even see me. The guy I spoke to said he used to be a banker and predicted my banking problems. So you don’t believe me, I can come to your house, just let me hook my laptop up to your network or even leave it next to your computer unplugged for a couple hours and see how your luck goes after that.
