Stealing data from air-gapped computers is one of the great exercises in computer security: advanced attackers covet what’s stored on these isolated machines, while researchers try to figure out the novel ways adversaries could jump those gaps.
The latest effort doesn’t involve USBs, heat, acoustical mesh networks, or decoding radio signals. Instead, researchers from Ben-Gurion University in Israel believe they’ve figured a way to exfiltrate data by using acoustic signals created by manipulating the mechanical movements of a computer’s hard-disk drive.
Researchers Mordechai Guri, Yosef Solewicz, Andrey Daidakulov and Yuval Elovici of the Negev Cyber Security Research Center at Ben-Gurion University say this covert channel, which they call DiskFiltration, can be used in conjunction with a receiver to steal sensitive information from air-gapped computers.
Their approach, they admit, does have its limitations, primarily that a targeted machine must first be infected with malware.
“A malware installed on a compromised machine can generate acoustic emissions at specific audio frequencies by controlling the movements of the HDD’s actuator arm,” the researchers wrote in a paper published this week entitled, “DiskFiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise.” “Digital Information can be modulated over the acoustic signals and then be picked up by a nearby receiver (e.g., smartphone, smartwatch, laptop, etc.).”
The researchers contend that DiskFiltration solves a problem encountered in high-value environments where machines that are physically disconnected from networks such as the Internet are not allowed to have speakers or audio hardware. Such policy moves close off the potential for attacks where malware is used to transmit exfiltrated data via ultrasonic signals through the speakers.
“Based on our proposed method, we developed a transmitter on a personal computer and a receiver on a smartphone, and we provide the design and implementation details,” the researchers said. “We also evaluate our covert channel on various types of internal and external HDDs in different computer chassis and at various distances.”
The researchers wrote that they were able to transmit passwords, encryption keys, keystrokes and more from air-gapped machines from six feet away at 180 bits-per-minute. The malware, the paper said, steals data from the compromised machine and then manipulates the actuator arm on the hard disk drive to transmit it to a receiver, such as a smartphone or smartwatch app.
“The acoustic signals are generated by performing intentional seek operations which cause the HDD actuator arm to make mechanical movements,” the researchers wrote. “The nearby receiver receives the transmission, decodes the data, and transfers it to the attacker via mobile data, SMS, or Wi-Fi.”
Seek operations are a reference to the actuator arm moving to a spot on the disk where data is read or written.
“The time it takes to move the head to the desired track is called the seek time,” the researchers wrote. “The movement of the head assembly on the actuator arm during the seek operation emits acoustic noise.”
The paper also points out that this attack can also be used against networked computers whose network traffic is highly guarded by network security devices.
Despite the low practicality of the attack, the best mitigation, however, might be the use of solid state drives, the researchers wrote, which store data in flash memory and have no moving parts.