New malware concept transmits data with no network connection

Nope, this isn’t out of the pages from a science fiction novel but is actually token of reality.

A group of computer scientists from the Fraunhofer Institute for Communication, Information Processing and Ergonomics in Wachtberg, Germany published a journal (you can read the PDF online) divulging how an attacker could bypass traditional network policies by modulating and demodulating inaudible signals through the air.  The process exploits an existing communication method known as the Adaptive Communication System (ACS) which is already used in underwater communication.

The authors of the abstract, Michael Hanspach and Michael Goetz, refer to this discrete method of information exchange as “covert acoustical communication”

Fortunately, Hanspach and Goetz delineate countermeasures to this nascent threat but it could become a real problem that no one is really prepared to address.

The problem

After reading the paper it becomes obvious that network security, which is already an issue, could become even more of an issue in the future.

Let me ask you a question: do you know what Air Gapped computing is?

It’s a way to make a network with top secret information completely insular from the internet which is ridden with all sorts of digital dangers.   The unsecure side of the network is referred to as the low side (black) and the secure side is called the high side (red).  In order to move data between the red and the black you have the undergo a rigorous process that scrutinizes the data transmission.

An Air Gapped network is virtually the most secure protection method a network can use because it’s effectively a closed system. a complete network ostracized from the the world.

That’s why financial stock exchanges and military networks love to use it so much – but Hanspach and Goetz have just demonstrated that even an air-gapped network may be at risk now.

The Test

Using nothing but the integrated microphones and speakers from basic computers, Hanspach and Goetz effectively sent passwords through the air as far as almost 65 feet.

So we know high-frequency networking is possible but we also know this may be the newest attack vector we’ll have to deal with.

One can easily imagine what Hanspach calls a “covert acoustical mesh network” where information proliferates like a worm through a network.  In an email he explained:

In our article, we describe how the complete concept of air gaps can be considered obsolete as commonly available laptops can communicate over their internal speakers and microphones and even form a covert acoustical mesh network.  Over this covert network, information can travel over multiple hops of infected nodes, connecting completely isolated computing systems and networks (e.g. the internet) to each other.

The Limitations

First there’s the distance barrier, with a limit of 65 feet, the attack needs to be in proximity to your computer; however, Hanspach and Goetz illustrated how a resolute attacker could forge a acoustical mesh network of devices that boost the signal as it starts to attenuate (decrease).

The second problem is throughput.  Currently the researchers demonstrated that you can only transmit data at about 20 bps.

Twenty bits per second is mind fumblingly slow but considering it takes 8 bits to produces a single character, an attacker could still transmit basic data such as a password or credit card number in a reasonable amount of time.

The Objections

Since the exploit relies on acoustics wouldn’t it get kind of hard to successfully execute the threat in a noisy server room?

That’s a good question but I don’t think it’s relevant Hanspach and Goetz note the aural signals are operating in the ultrasonic realm (20 kHz) so it’s not audible and therefore I would imagine it’s impervious to audio signals below the 20 kHz mark.

Also, you might be thinking that ordinary computers have a pretty hard time dealing with high fidelity frequencies so couldn’t you preclude this vulnerability by snipping the speaker wires? And my answer to that is yes; but how many ordinary users do you see doing that?  Most people don’t know how to open their laptops much less identify the electrical components leading to their speakers and mic.

The Bottom Line

The point is this: just because your computers are unplugged from the internet and don’t even have the Wi-Fi hardware physically installed, it’s still not immune to malware.  Fortunately you can avert the problem by disabling your audio input and output devices; however, it’s still a real issue that we’ll most likely have to contend with in the future.

What do you guys think about all this?  Should we be paranoid?  You can read the full 10 page paper on the Journal of Communications.


Connect with Vonnie on Twitter

Posted in News, Security Tagged with:
  • Mister JavaSirpt

    “The point is this: just because your computers are unplugged from the internet and don’t even have the Wi-Fi hardware physically installed, it’s still not immune to [acoustically transmitted] malware.” This is perhaps the dumbest thing I’ve ever read. If your normal, off-the-shelf consumer computer does not have software for picking up and decoding audio signals, and this software is not running while an infected computer was attempting a transmission, there would be no way to infect it with malware acoustically. It would first have to be infected via other means, such as a Stuxnet-like bug which piggybacks on flash drives (and with modern systems having auto-run disabled by default, this is near-impossible to do passively, i.e., by simply inserting an infected device). Computers are not magic.

    • Fair point and thanks for clarifying.

      • Mister JavaSirpt

        You’re welcome. Sorry if I was a bit belligerent, but there seems to be a great deal of misunderstanding about this particular whitepaper, even from people in the malware detection and removal business. Case in point: there’s a gentleman who swears he has been hit by persistent malware which attacks the BIOS or UEFI of multiple computers, and is able to jump air gaps acoustically. The worst part is, people are taking him seriously because he has a reputation as a “hacker”. While I have not thoroughly investigated his claims, plenty of people have, and have declared him to be Chicken Little.

  • Mister JavaSirpt

    By the way, I want to balance out my earlier comment by noting that I’ve learned three things from reading this website that I didn’t know about already: 1) the discontinuation of WinAmp by AOL, 2), and 3) Sharefest. But please, balance out your FUD better. Malware isn’t magic; it can only exploit existent channels.