Using the microphones and speakers that come standard in many of today's laptop computers and mobile devices, hackers can secretly transmit and receive data using high-frequency audio signals that are mostly inaudible to human ears. Two researchers at Germany's Fraunhofer Institute for Communication, Information Processing, and Ergonomics, Michael Hanspach and Michael Goetz, recently performed a proof-of-concept experiment that showed that "covert acoustical networking," a technique that had been hypothesized but considered improbable by most experts, is indeed possible. Their findings could have major implications for electronic security. In particular, they mean that "air-gapped" computers — that is, computers that are not connected to the Internet — are vulnerable to malicious software designed to steal or corrupt data.

"This is indeed a newsworthy development," said retired Navy Capt. Mark Hagerott, a cybersecurity professor at the U.S. Naval Academy in Annapolis, MD, who was not involved in the study. "These arms races between defensive and offensive advanced technologies have been going on for [a long time], but now, with the low cost of writing code, it may get progressively more challenging to defend against."

In their experiments, Hanspach and Goetz were able to transmit small packets of data between two air-gapped Lenovo business laptops separated by distances of up to about 65 feet (20 meters). Moreover, by chaining additional devices that picked up the audio signal and repeated it to other nearby devices, the researchers were able to create a "mesh network" that relayed the data across much greater distances. Importantly, the researchers were able to emit and record the ultrasonic and near-ultrasonic frequencies, which cannot be detected by humans, using the sound processor, speakers and microphone that came standard with the laptops.

The researchers experimented with a variety of software, but the best one was a program originally developed to transmit data acoustically under water. Created by the Research Department for Underwater Acoustics and Geophysics in Germany, the so-called adaptive communication system modem proved more reliable than the other techniques, but it had one significant drawback: it could only transmit data at a paltry rate of about 20 bits per second, a tiny fraction of the rate of today's standard network connections. While not practical for transmitting video or other large files, this low transmission rate is still sufficient for sending and receiving keystrokes and other sensitive data such as private encryption keys or login credentials.

"If you have small-sized files of high value, you do not want to take the risk," Hanspach suggests.

The low transmission rate would also suffice to send an electronic signal to a malware program that had been inadvertently installed — through a tainted USB stick, for example — onto an air-gapped computer and trigger an electronic attack, said Hagerott. Moreover, if history is any guide, it will only be a matter of time before someone refines the technique and increases its maximum transmission rate. "Once you demonstrate that you can do something like this, other people will keep enhancing it," Hagerott said.

Hagerott also saw parallels between the current cyber arms race and real-world arms races of past eras. For example, experts once declared that there was no way a plane could sink a battleship. "They said, the planes weren't big enough, but then they got bigger and began carrying bigger bombs. But sadly, the experts didn't fully absorb this lesson until two British battleships in 1941 were sent to the bottom," Hagerott said.

Military history also suggests that countermeasures will eventually be developed against the new security threat that Hanspach and Goetz demonstrated. In their paper, the researchers themselves suggest several that might work. For example, one could simply switch off the audio input and output of devices, or use audio-filtering techniques to block high-frequency audio signals. Devices running Linux could implement the latter technique using tools that have already been developed for the operating system, the researchers write. They also propose the use of an "audio intrusion detection guard," a device that Hanspach and Goetz said would "forward audio input and output signals to their destination and simultaneously store them inside the guard's internal state, where they are subject to further analyses."
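One kind of analysis an audio guard could run on the signals it stores is sketched below as an added example; it is not code from the researchers' paper. It measures how much of each captured frame's energy sits in the near-ultrasonic band and flags frames where that share is unusually high. The 48 kHz capture rate, the 17 kHz band edge, the 25% alert threshold and all function names are assumptions chosen for illustration.

```python
import math

SAMPLE_RATE = 48_000    # assumed capture rate in Hz
BAND_START_HZ = 17_000  # assumed lower edge of the near-ultrasonic band
ALERT_RATIO = 0.25      # assumed share of frame energy that raises an alert
FRAME_LEN = 480         # 10 ms frames, so each DFT bin is 100 Hz wide


def bin_power(frame, k):
    """|X[k]|^2 of one DFT bin, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def high_band_ratio(frame, rate=SAMPLE_RATE, start_hz=BAND_START_HZ):
    """Fraction of the frame's energy at or above start_hz (0.0 for silence)."""
    n = len(frame)
    total = sum(x * x for x in frame)
    if total == 0.0:
        return 0.0
    first = math.ceil(start_hz * n / rate)
    band = sum(bin_power(frame, k) for k in range(first, n // 2))
    # Parseval: sum(x^2) = (1/n) * sum(|X[k]|^2); factor 2 covers mirrored bins.
    return min(1.0, 2.0 * band / (n * total))


def scan(samples, frame_len=FRAME_LEN):
    """Return (frame_index, ratio) for every frame that exceeds ALERT_RATIO."""
    hits = []
    for i in range(0, len(samples) - frame_len + 1, frame_len):
        ratio = high_band_ratio(samples[i:i + frame_len])
        if ratio > ALERT_RATIO:
            hits.append((i // frame_len, ratio))
    return hits


def constructed_capture():
    """Constructed input: audible tone, audible + 19 kHz tone, then silence."""
    def tone(hz):
        return [math.sin(2 * math.pi * hz * i / SAMPLE_RATE) for i in range(FRAME_LEN)]
    low, high = tone(300), tone(19_000)
    return low + [a + b for a, b in zip(low, high)] + [0.0] * FRAME_LEN


if __name__ == "__main__":
    for index, ratio in scan(constructed_capture()):
        print(f"frame {index}: {ratio:.0%} of energy above {BAND_START_HZ} Hz")
```

On real microphone input the threshold would need tuning against the room's normal high-frequency noise, and requiring several consecutive flagged frames would cut down alerts from clicks and other short transients.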

Oftentimes, though, the weakest links in cyber security systems are not hardware or software, but the humans who interact with them. For example, the Stuxnet virus that spread to air-gapped machines in the Iranian Natanz nuclear facilities and the Conficker digital worm that turned millions of PCs into a giant botnet in the city of Manchester, England, are believed to have been spread when employees used infected USB sticks.
