The soundest security advice managers of critical computing systems have been given is to air gap those machines. Don’t network them and don’t expose them to the Internet, and there’s no way hackers reach them from the Web and no way a direct infection replicates.
Recently, there’s been reason for pause in that thinking, starting with the speculation and skepticism over badBIOS, malware that allegedly can not only cross platforms, but can infect air-gapped machines using sound waves.
Now comes another attack using high-frequency sound waves to infect machines, bypassing the good old-fashioned ways of phishing emails and infected USB drives. Researchers at the Fraunhofer Institute for Communication, Information Processing and Ergonomics in Germany had a paper published last week in the scientific journal, Journal of Communications of San Jose, in which they describe how to use a communication system designed for underwater use to deliver or intercept short bits of code, such as passwords, over hops of air-gapped computers. The computers act as a mesh network where each node can send or receive code—in this case an audio emanation—and acts as a router sending data to the next hop in the chain before it’s received by the attacker.
Michael Hanspach, one of the researchers, along with colleague Michael Goetz, told Threatpost that there is no connection between their paper “On Covert Acoustical Mesh Networks in Air” and badBIOS. Hanspach said their attack is practical today because the utilized techniques are well documented.
“If we were able to come up with this research with very few people, time and budget (and with good intentions), so would be larger groups (maybe with a different intention),” Hanspach said via email. “Therefore, anyone working in a security critical context should be thinking about protection measures.”
The two scientists were able to use this underwater communication system, based on the Generic Underwater Application Language (GUWAL), which is used for communication on networks with low bandwidth, to exchange data between unconnected systems using only the built-in microphones and speakers that accompany today’s computers. They used a Lenovo T400 laptop running the Debian operating system. Devices such as microphones and speakers are not generally considered when network and security policies are developed, the scientists said, making them the perfect pawns for this kind of covert communication.
“The concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered,” the scientists wrote in their paper.
The scientists were able to use ultrasonic frequencies, inaudible to humans, to transmit data almost 65 feet between laptops at a slow 20 bits per second rate with latency of 6 seconds per hop. Adding hops overcomes the distance problem but, in this particular scenario, limits the sophistication of the code sent.
“Of course, you could only transfer small-sized information over this network,” Hanspach told Threatpost. “But, the limit of 20 bit/s is just what we could reasonably achieve in the presented setup and is not necessarily a general limit.”
The research paper presents several scenarios in which such an attack would work. Starting with a computer compromised with a keylogger called logkeys, for example, keystrokes are written to a named pipe that is read out by the acoustic transmitter, the paper said, which sends the data through the covert network until it reaches the attacker. Hanspach said the keylogger has been successfully tested in this setup.
Hanspach and Goetz also said that this type of covert network could be used to break two-factor authentication by listening for and transmitting the authentication feedback of a hardware dongle or smartcard. They also speculate it could be used to send data such as private encryption keys or text files of stolen data.
As for countermeasures, it may not always be possible to turn off audio devices because they would be needed for VoIP or video conferencing, so the scientists recommend the use of audio-filtering guards or a host-based audio intrusion detection guard, both of which analyze audio input and output looking for anomalous signals or hidden messages.
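A sketch of what the host-based audio intrusion detection guard described above could check, added here as an illustration and not taken from the paper: it measures how much of each 20 ms audio frame's energy sits in a near-ultrasonic band and reports spans where that share stays high. The 48 kHz capture rate, the 18 to 22 kHz band, the threshold and all function names are assumptions, and the input is a constructed test signal.

```python
import math

RATE = 48_000                            # assumed capture rate, Hz
FRAME = 960                              # 20 ms per frame -> 50 Hz bin spacing
ULTRA = range(18_000, 22_001, 500)       # assumed near-ultrasonic band, Hz
AUDIBLE = range(200, 3_401, 200)         # speech-band reference, Hz
THRESHOLD = 0.05                         # assumed share of energy in ULTRA

def goertzel_power(frame, freq):
    """Squared magnitude of a single frequency bin (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def ultrasonic_share(frame):
    """Fraction of measured energy that lies in the near-ultrasonic band."""
    hi = sum(goertzel_power(frame, f) for f in ULTRA)
    lo = sum(goertzel_power(frame, f) for f in AUDIBLE)
    return hi / (hi + lo + 1e-12)

def suspicious_spans(samples, min_frames=5):
    """Return (start_ms, end_ms) spans where the share stays above THRESHOLD."""
    spans, run_start = [], None
    n_frames = len(samples) // FRAME
    for i in range(n_frames + 1):            # extra pass closes a trailing run
        hot = i < n_frames and ultrasonic_share(
            samples[i * FRAME:(i + 1) * FRAME]) > THRESHOLD
        if hot and run_start is None:
            run_start = i
        elif not hot and run_start is not None:
            if i - run_start >= min_frames:  # ignore short clicks and pops
                spans.append((run_start * FRAME * 1000 // RATE,
                              i * FRAME * 1000 // RATE))
            run_start = None
    return spans

def constructed_capture(carrier_hz=20_000, start=19_200, stop=33_600):
    """Constructed 1 s test signal: 1 kHz tone plus a burst at carrier_hz."""
    out = []
    for n in range(RATE):
        x = 0.5 * math.sin(2 * math.pi * 1_000 * n / RATE)
        if start <= n < stop:
            x += 0.2 * math.sin(2 * math.pi * carrier_hz * n / RATE)
        out.append(x)
    return out

if __name__ == "__main__":
    print(suspicious_spans(constructed_capture()))
```

A deployed guard would apply the same check to live microphone input and speaker output and would need its band and threshold tuned against the room's normal noise floor.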
While the possibilities presented in this paper and by badBIOS might seem outlandish, they are new areas of research that defenders have not considered in policies or preventative technology.
“We have shown that the establishment of covert acoustical mesh networks in air is feasible in setups with commonly available business laptops,” the paper said. “Acoustical networking as a covert communication technology is a considerable threat to computer security and might even break the security goals of high assurance computing systems based on formally verified micro kernels that did not consider acoustical networking in their security concept.”