Researchers Create Malware That Jumps Air Gaps Using Inaudible Sound

Researchers have created malware that uses inaudible audio signals to transmit stolen data without the need for an Internet connection, using standard laptop microphones and speakers.

The researchers, from the Fraunhofer Institute for Communication, Information Processing, and Ergonomics in Germany, adapted a system used for underwater communications to carry out “covert acoustical communication over the air”.

They successfully showed a method of having malware – a “multi-hop acoustical keylogger” –  transmit pilfered data over inaudible frequencies in the ultrasonic or near ultrasonic frequency range.

Malware over the air

In an experiment involving a host of Lenovo laptops running Debian Wheezy, the researchers were also able to send stolen keystrokes to a remote email server, using a mesh network.

In their paper, they theorised that worse things could be done using this setup, such as stealing authentication credentials, encryption keys, or other vital data. Pilfering anything that would use up greater bandwidth, however, would not be possible due to the small transmission rate of approximately 20bps.

Given many critical infrastructure setups involve an air gap as a security measure, the findings may prove alarming. The beauty of the technique is that it does not initially rely on an Internet connection, although effective data exfiltration would require connectivity.

Governments would likely be interested in the project, one of the paper’s authors, Michael Hanspach, told TechWeekEurope. The Fraunhofer Institute is involved in a number of public defence projects too, some of which focus on securing systems rather than anything offensive.

“Those with the highest security precautions need to be aware of this attack pattern and have to implement countermeasures,” Hanspach added, in an email.

Limitations

There are simple precautions organisations can take. One easy way to prevent such sneaky malware transmission is to turn audio off. As the paper says, it “would be an easy solution to just disallow access to the audio hardware”. The proof of concept would largely be applicable from PC to PC, given they tend to have audio switched on the majority of the time.

Another limitation would be that the “drones” involved would need to have a compatible acoustic communication system.

Distance would be another issue, as signals would weaken the longer they travelled. The researchers were successful in a 25 metre-long corridor.

People might get in the way too. “In another test, the absorption of acoustic waves by humans, walking through the experiment setup and, therefore, blocking the line of sight between two nodes, was found to have an adverse effect on connectivity,” the paper read.

The idea of malicious types transmitting data over audio frequencies has been getting much attention of late, since security expert Dragos Ruiu claimed the BadBIOS malware was doing just that. But there has been no peer review of his theories and he tweeted in November that the “odd items I’ve seen in earlier dumps aren’t there”. “My apologies for wasting anyone’s time.”

Researchers have advised anyone concerned to adopt a security-in-depth strategy.

“There are always new ways to penetrate a system but this only reinforces the need to have multi-layered and integrated defenses in place,” Francois Paget, a McAfee Labs researcher, told TechWeekEurope.

“Intelligence needs to be built into the defenses in order to properly protect these types of attacks.  Having a bunch of point solutions can’t properly protect from this type of attack.”

Are you a security expert? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago