Proof-of-concept malware jumps air gap with sound card
Researchers demonstrate proof-of-concept malware exfiltrating data using high-frequency transmissions inaudible to humans
Security researchers have demonstrated proof-of-concept malware that can exfiltrate data using high-frequency transmissions inaudible to humans.
This means keystroke and other data can be captured and transmitted from “air-gapped” or isolated computers containing ultra-sensitive information or running control systems for critical infrastructure.
Researchers at Germany’s Fraunhofer Institute showed this can be done by hijacking the target machine’s sound card and built-in speakers to transmit data to a receiver almost 20 metres away.
The idea exploits the fact that computer operating systems do not tightly control a program’s access to the built-in audio devices. It is described in a paper entitled On Covert Acoustical Mesh Networks in Air.
Researchers sent transmissions at around 20kHz and used an existing communication protocol designed to send and receive data acoustically in underwater applications.
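A defender's counterpart to the technique described above, added here as an example and not code from the Fraunhofer paper or the article: a pure-Python check that measures how much of a short audio frame's energy sits in the near-ultrasonic band around 20 kHz, where ordinary speech and music recorded by a laptop carry almost nothing. The 18–22 kHz band, the 50 ms frame, the 1% threshold and the test audio are all constructed assumptions.

```python
import math
import random

SAMPLE_RATE = 44_100      # Hz, a typical laptop sound-card rate
FRAME = 2205              # 50 ms window -> 20 Hz per DFT bin
BAND = (18_000, 22_000)   # near-ultrasonic band around the ~20 kHz carrier (assumed)
THRESHOLD = 0.01          # share of frame energy above which we flag the frame (assumed)


def goertzel_power(frame, k):
    """|X[k]|^2 for a single DFT bin without computing the whole spectrum."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def near_ultrasonic_ratio(frame, rate=SAMPLE_RATE, band=BAND):
    """Fraction of the frame's energy inside `band` (Parseval: sum x^2 = sum |X|^2 / N)."""
    n = len(frame)
    total = n * sum(x * x for x in frame)
    if total == 0.0:
        return 0.0
    k_lo = math.ceil(band[0] * n / rate)
    k_hi = min(math.floor(band[1] * n / rate), n // 2)
    band_power = sum(goertzel_power(frame, k) for k in range(k_lo, k_hi + 1))
    return 2.0 * band_power / total   # x2: one-sided spectrum of a real-valued signal


def is_suspicious(frame, threshold=THRESHOLD):
    """True when an unusual amount of energy sits in the near-ultrasonic band."""
    return near_ultrasonic_ratio(frame) > threshold


def constructed_frame(carrier_amplitude, seed=1):
    """Constructed test audio: two audible tones, faint noise, optional 20 kHz carrier."""
    rng = random.Random(seed)
    out = []
    for i in range(FRAME):
        t = i / SAMPLE_RATE
        x = 0.5 * math.sin(2 * math.pi * 300 * t) + 0.3 * math.sin(2 * math.pi * 1000 * t)
        x += carrier_amplitude * math.sin(2 * math.pi * 20_000 * t)
        x += rng.uniform(-0.01, 0.01)
        out.append(x)
    return out


if __name__ == "__main__":
    for label, amp in (("ordinary audio", 0.0), ("audio + 20 kHz carrier", 0.1)):
        r = near_ultrasonic_ratio(constructed_frame(amp))
        print(f"{label}: near-ultrasonic share {r:.4f} -> {'SUSPICIOUS' if r > THRESHOLD else 'ok'}")
```

In practice the same ratio would be computed on frames captured from the machine's own microphone, alerting on sustained band energy rather than a single frame.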
Acoustic mesh
By infecting multiple computers, the high-frequency data transmissions could hop undetected between several hijacked machines before being transmitted to the attackers.
In the proof-of-concept experiment, researchers recorded keystrokes at one computer and broadcast them through a chain of other computers before sending the data over the internet.
The researchers said the method could transmit other security data, such as private encryption keys or small text files containing classified information.
They said the experiment showed that establishing covert acoustical mesh networks in air is feasible, using commonly available business laptops.
Flame, discovered in May 2012, is an example of malware found in the wild that jumps air gaps by using Bluetooth to download contact information from nearby devices, according to the Telegraph.
USB threat
However, for real-world attackers to use this approach, they would first have to infect the target machine before any exfiltration of data could occur.
Truly air-gapped computers are not connected to any network and should have tight controls over who can physically access them.
But that does not make infection impossible, according to independent security advisor Graham Cluley.
“Imagine, for instance, malware planted on a USB stick known to be used by staff who use the computer, or meddling that could be done in the supply chain in regards to software destined for installation on the target computer, or if an employee of the targeted organisation turned rogue,” Cluley wrote in a blog post.
Cluley pointed out that the research does not mean malware can infect a computer using high-frequency transmissions, but merely shows how information can be transmitted from an infected computer through a chain of other infected computers.
The research highlights the importance of maintaining tight control over who has access to computers containing sensitive information or responsible for controlling critical infrastructure.
For absolute certainty, Cluley suggests disconnecting the audio devices as a simple, low-cost and effective way of preventing data exfiltration using the method demonstrated by Fraunhofer researchers.