Scientist-developed malware prototype covertly jumps air gaps using inaudible sound -------------------- Malware communicates at a distance of 65 feet using built-in mics and speakers. by Dan Goodin - Dec 2, 2013 7:29 pm UTC http://arstechnica.com/author/dan-goodin https://twitter.com/dangoodin001 "Dan is the IT Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications." http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/ -------------------- Topology of a covert mesh network that connects air-gapped computers to the Internet: http://cdn.arstechnica.net/wp-content/uploads/2013/12/acoustical-mesh-network.jpg http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600 -------------------- "Computer scientists have proposed a malware prototype that uses inaudible audio signals to communicate, a capability that allows the malware to covertly transmit keystrokes and other sensitive data even when infected machines have no network connection. The proof-of-concept software-or malicious trojans that adopt the same high-frequency communication methods-could prove especially adept in penetrating highly sensitive environments that routinely place an "air gap" between computers and the outside world. Using nothing more than the built-in microphones and speakers of standard computers, the researchers were able to transmit passwords and other small amounts of data from distances of almost 65 feet. The software can transfer data at much greater distances by employing an acoustical mesh network made up of attacker-controlled devices that repeat the audio signals. The researchers, from Germany's Fraunhofer Institute for Communication, Information Processing, and Ergonomics[1], recently disclosed their findings in a paper published in the Journal of Communications[2]. It came a few weeks after a security researcher said his computers were infected with a mysterious piece of malware that used high-frequency transmissions to jump air gaps[3]. The new research neither confirms nor disproves Dragos Ruiu's claims of the so-called badBIOS infections, but it does show that high-frequency networking is easily within the grasp of today's malware." [1] http://www.fkie.fraunhofer.de/en.html [2] http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600 [3] http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/ ""In our article, we describe how the complete concept of air gaps can be considered obsolete as commonly available laptops can communicate over their internal speakers and microphones and even form a covert acoustical mesh network," one of the authors, Michael Hanspach, wrote in an e-mail. "Over this covert network, information can travel over multiple hops of infected nodes, connecting completely isolated computing systems and networks (e.g. the internet) to each other. We also propose some countermeasures against participation in a covert network." The researchers developed several ways to use inaudible sounds to transmit data between two Lenovo T400 laptops using only their built-in microphones and speakers. The most effective technique relied on software originally developed to acoustically transmit data under water. Created by the Research Department for Underwater Acoustics and Geophysics in Germany, the so-called adaptive communication system (ACS) modem was able to transmit data between laptops as much as 19.7 meters (64.6 feet) apart. By chaining additional devices that pick up the signal and repeat it to other nearby devices, the mesh network can overcome much greater distances. The ACS modem provided better reliability than other techniques that were also able to use only the laptops' speakers and microphones to communicate. Still, it came with one significant drawback-a transmission rate of about 20 bits per second, a tiny fraction of standard network connections. The paltry bandwidth forecloses the ability of transmitting video or any other kinds of data with large file sizes. The researchers said attackers could overcome that shortcoming by equipping the trojan with functions that transmit only certain types of data, such as login credentials captured from a keylogger or a memory dumper. "This small bandwidth might actually be enough to transfer critical information (such as keystrokes)," Hanspach wrote. "You don't even have to think about all keystrokes. If you have a keylogger that is able to recognize authentication materials, it may only occasionally forward these detected passwords over the network, leading to a very stealthy state of the network. And you could forward any small-sized information such as private encryption keys or maybe malicious commands to an infected piece of construction." Remember Flame? The hurdles of implementing covert acoustical networking are high enough that few malware developers are likely to add it to their offerings anytime soon. Still, the requirements are modest when measured against the capabilities of Stuxnet, Flame, and other state-sponsored malware discovered in the past 18 months. And that means that engineers in military organizations, nuclear power plants, and other truly high-security environments should no longer assume that computers isolated from an Ethernet or Wi-Fi connection are off limits. The research paper suggests several countermeasures that potential targets can adopt. One approach is simply switching off audio input and output devices, although few hardware designs available today make this most obvious countermeasure easy. A second approach is to employ audio filtering that blocks high-frequency ranges used to covertly transmit data. Devices running Linux can do this by using the advanced Linux Sound Architecture in combination with the Linux Audio Developer's Simple Plugin API. Similar approaches are probably available for Windows and Mac OS X computers as well. The researchers also proposed the use of an audio intrusion detection guard, a device that would "forward audio input and output signals to their destination and simultaneously store them inside the guard's internal state, where they are subject to further analyses." *************************** Update *************************** On Wednesday Hanspach issued the following statement: Fraunhofer FKIE is actively involved in information security research. Our mission is to strengthen security by the means of early detection and prevention of potential threats. The research on acoustical mesh networks in air was aimed at demonstrating the upcoming threat of covert communication technologies. Fraunhofer FKIE does not develop any malware or viruses and the presented proof-of-concept does not spread to other computing systems, but constitutes only a covert communication channel between hypothetical instantiations of a malware. The ultimate goal of the presented research project is to raise awareness for these kinds of attacks, and to deliver appropriate countermeasures to our customers. Story updated to add "prototype" to the first sentence and headline and to change "developed" to "proposed," in the first sentence. The changes are intended to make clear the researchers have not created a piece of working malware." -------------------- RE: #badBIOS, badBIOS, bad BIOS -------------------- *************************** Some User Comments: *************************** "What makes so many people here think that getting a computer first infected is such an impossible task? Who is to To say computers don't come pre-configured with that ability in hardware, say the CPU? We know that the NSA has altered silicon in the "distant" past and if there is anything recent revelations have taught us then it is that things have only ever become technically more advanced and aggressive in the last ten years or so. Remember: just because you're not paranoid doesn't mean they are not out to get you....Australia being happy to share medical records of its ordinary citizens being a prime example of that in today's press." Amadeus71 Smack-Fu Master, in traininget Subscriptor http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/?comments=1&post=25785017#comment-25785017 -------------------- "This was controversial at the time Dragos Ruiu brought it up. My guess was that it was possible, I'm glad to see someone actually put in the hard work to find out! Good job Fraunhofer." MujokanArs Praetorian http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/?comments=1&post=25785087#comment-25785087 -------------------- "Human hearing also gets worse at high frequencies before cutting out: http://en.wikipedia.org/wiki/Equal-loudness_contour Several years ago, I had a neighbor with an old-fangled CRT TV. I couldn't hear its 15.9kHz squeal from my apartment, but it did show up clearly in spectral graphs of recordings I made while it was on. It's not hard to imagine something using audio band frequencies at volumes low enough to escape audibility but still able to be picked up by nearby microphones." LnxPrgr3 Smack-Fu Master, in training http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/?comments=1&post=25785217#comment-25785217 -------------------- "The signal can be hidden in fully audible sounds, so that wouldn't help much. As other commenters have alluded, using spread-spectrum techniques, a signal can be hidden in a way that looks like just part of the ambient noise environment, at many different frequencies, perhaps both at the same time and in a time-varying distribution. For example, if there is a fan (perhaps a notebook fan) going in the environment, that can be measured, and information could be encoded in a slight deformation of that sound signature, in a way that no one would notice. Or if someone is speaking, tiny undetectable side-frequencies could be added in a way that sounds like part of their voice, but isn't really. Or if you use a random spread-spectrum approach, it could just sound like a slight bit of white noise in the background, a little hiss, that mingles with all the noise around you. Be afraid. In cyberspace, all microphones can hear you scream." AreWeThereYeti Ars Scholae Palatinaeet Subscriptor http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/?comments=1&post=25785535#comment-25785535 -------------------- "If you're breaking your laptop open to put a capacitor across your speaker why not cut the wires or put a mechanical switch in instead?" Wickwick Ars Scholae Palatinae http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/?comments=1&post=25786631#comment-25786631 -------------------- "Personally I would physically disable every mic and speaker on these air-gapped computers, juts in case." blacke Ars Praetorianet Subscriptor http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/?comments=1&post=25789071#comment-25789071 -------------------- "I wonder if you couldn't just cut off a jack from some old headphones, and keep it plugged in as a countermeasure..." zantoka Smack-Fu Master, in training http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/?comments=1&post=25791713#comment-25791713 -------------------- "NorthGuy wrote: My florescent light has been buzzing for weeks, do you think it's trying to hack my computer?" Li-Fi http://www.newscientist.com/article/mg21128225.400-will-lifi-be-the-new-wifi.html Jimmy McNulty Smack-Fu Master, in training http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/?comments=1&post=25792319#comment-25792319 -------------------- "are the sounds in their [mainstream] music transmitting data to invaded brains?" DaHum Smack-Fu Master, in training http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/?comments=1&post=25799877#comment-25799877 -------------------- The New Zealand Copyright Act 1994 specifies certain circumstances where all or a substantial part of a copyright work may be used without the copyright owner's permission. A "fair dealing" with copyright material does not infringe copyright if it is for the following purposes: research or private study; criticism or review; or reporting current events. -------------------- *************************** Related Story: *************************** Researchers create malware that communicates via silent sound, no network needed "When security researcher Dragos Ruiu claimed malware dubbed "badBIOS"[1] allowed infected machines to communicate using sound waves alone-no network connection needed-people said he was crazy. New research from Germany's Fraunhofer Institute for Communication, Information Processing, and Ergonomics suggests he's all too sane. As outlined in the Journal of Communications (PDF)[2] and first spotted by ArsTechnica[3], the proof-of-concept malware prototype from Michael Hanspach and Michael Goetz can transmit information between computers using high-frequency sound waves inaudible to the human ear. The duo successfully sent passwords and more between non-networked Lenovo T400 laptops via the notebooks' built-in microphones and speakers. Freaky-deaky! "The infected victim sends all recorded keystrokes to the covert acoustical mesh network. Infected drones forward the keystroke information inside the covert network till the attacker is reached." The most successful method was based on software developed for underwater communications. The laptops could communicate a full 65 feet apart from each other, and the researchers say the range could be extended by chaining devices together in an audio "mesh" network, similar to the way Wi-Fi repeaters work. While the research doesn't prove Ruiu's badBIOS claims, it does show that the so-called "air gap" defense-that is, leaving computers with critical information disconnected from any networks-could still be vulnerable to dedicated attackers, if attackers are first able to infect the PC with audio mesh-enabled malware." [1] http://www.pcworld.com/article/2060360/security-researcher-says-new-malware-can-affect-your-bios-be-transmitted-via-the-air.html [2] http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf [3] http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/ -------------------- Sending data via sound http://images.techhive.com/images/article/2013/12/air-gap-keystrokes-100154940-orig.png -------------------- "Transmitting data via sound waves has one glaring drawback, however: It's slow. Terribly slow. Hanspach and Goetz's malware topped out at a sluggish 20 bits-per-second transfer rate, but that was still fast enough to transmit keystrokes, passwords, PGP encryption keys, and other small bursts of information. "We use the keylogging software logkeys for our experiment," they wrote. "The infected victim sends all recorded keystrokes to the covert acoustical mesh network. Infected drones forward the keystroke information inside the covert network till the attacker is reached, who is now able to read the current keyboard input of the infected victim from a distant place." In another test, the researchers used sound waves to send keystroke information to a network-connected computer, which then sent the information to the "attacker" via email. Now for the good news: This advanced proof-of-concept prototype isn't likely to work its way into everyday malware anytime soon, especially since badware that communicates via normal Net means should be all that's needed to infect the PCs of most users. Nevertheless, it's ominous to see the last-line "air gap" defense fall prey to attack-especially in an age of state-sponsored malware run rampant." ##### The New Zealand Copyright Act 1994 specifies certain circumstances where all or a substantial part of a copyright work may be used without the copyright owner's permission. A "fair dealing" with copyright material does not infringe copyright if it is for the following purposes: research or private study; criticism or review; or reporting current events. ##### EOT