Infecting Air-gapped Computers with Malware Using Sound

December 6, 2013 | 03:26
Infecting Air-gapped Computers with Malware Using Sound
Infecting Air-gapped Computers with Malware Using Sound
A computer that receives data when when it's completely disconnected from any network. No power chord, no Ethernet cable, it's WiFi module physically removed. That's the bizarre story of computer security consultant Dragos Ruiu who has been witnessing this type of behavior on his machines ever since they were infected with a malicious piece of software he's dubbed badBIOS. The story was reported by Ars Technica's Dan Goodin little over a month ago.

Now German scientists of the Fraunhofer Institute for Communication, Information Processing and Ergonomics have presented proof-of-work of just how an air-gapped computer can be infected with malware. They used near ultrasonic frequencies to covertly establish a communication channel exploiting the in-built microphones and speakers of the target machine.

Audio components are seldom protected by security measures because they're not considered a channel of communication, Michael Hanspach and Michael Goetz write in their paper On Covert Acoustical Mesh Networks in Air. With their experiment they were able to compromise secure computers with strong protections against more conventional attacks.

To establish data links using acoustic waves, Goetz and Hanspach modified a network stack originally designed to set up communication networks under water. Audio is seldom used for data transmission on land because radio technologies allow for much higher bit rates but in a submarine environment electromagnetic waves are absorbed by sea water, therefore audio signals are used to transmit data.

The maximum range at which a connection between two devices could be established was 19.7 meters with a transmission rate of 20 bit/s. To cover more distance several scattered devices were infected with the malware to create a multi-hop communication channel. The compromised devices could be interconnected to form a mesh network to more effectively route traffic between the attacker and the target.

In their paper the authors propose several countermeasures besides removing the audio components. The system can be configured to filter out all inaudible frequencies with a low pass filter. A more sophisticated approach is to implement an audio intrusion detection system which scans for modulated audio signals.

Eric Byres CTO of Tofino Security said in an interview with Automation World that air-gapping is not a sustainable security model. Computer defense models should be modeled after the our immune system. The human body does not rely on keeping pathogens out, instead it has many defense mechanisms in place to combat them. Computer systems should mimic that strategy: 'Reduce to a minimum the unnecessary and risky data flows in, but accept that bad stuff will get in,' Byres told Automation World. 'Then when it does, have the technology in place to quickly detect the problem, control its spread and then neutralize it.'

Via Ars Technica
Loading comments...
related items