Nope, this isn’t out of the pages from a science fiction novel but is actually token of reality.
A group of computer scientists from the Fraunhofer Institute for Communication, Information Processing and Ergonomics in Wachtberg, Germany published a journal (you can read the PDF online) divulging how an attacker could bypass traditional network policies by modulating and demodulating inaudible signals through the air. The process exploits an existing communication method known as the Adaptive Communication System (ACS) which is already used in underwater communication.
The authors of the abstract, Michael Hanspach and Michael Goetz, refer to this discrete method of information exchange as “covert acoustical communication”
Fortunately, Hanspach and Goetz delineate countermeasures to this nascent threat but it could become a real problem that no one is really prepared to address.
After reading the paper it becomes obvious that network security, which is already an issue, could become even more of an issue in the future.
Let me ask you a question: do you know what Air Gapped computing is?
It’s a way to make a network with top secret information completely insular from the internet which is ridden with all sorts of digital dangers. The unsecure side of the network is referred to as the low side (black) and the secure side is called the high side (red). In order to move data between the red and the black you have the undergo a rigorous process that scrutinizes the data transmission.
An Air Gapped network is virtually the most secure protection method a network can use because it’s effectively a closed system. a complete network ostracized from the the world.
That’s why financial stock exchanges and military networks love to use it so much – but Hanspach and Goetz have just demonstrated that even an air-gapped network may be at risk now.
Using nothing but the integrated microphones and speakers from basic computers, Hanspach and Goetz effectively sent passwords through the air as far as almost 65 feet.
So we know high-frequency networking is possible but we also know this may be the newest attack vector we’ll have to deal with.
One can easily imagine what Hanspach calls a “covert acoustical mesh network” where information proliferates like a worm through a network. In an email he explained:
In our article, we describe how the complete concept of air gaps can be considered obsolete as commonly available laptops can communicate over their internal speakers and microphones and even form a covert acoustical mesh network. Over this covert network, information can travel over multiple hops of infected nodes, connecting completely isolated computing systems and networks (e.g. the internet) to each other.
First there’s the distance barrier, with a limit of 65 feet, the attack needs to be in proximity to your computer; however, Hanspach and Goetz illustrated how a resolute attacker could forge a acoustical mesh network of devices that boost the signal as it starts to attenuate (decrease).
The second problem is throughput. Currently the researchers demonstrated that you can only transmit data at about 20 bps.
Twenty bits per second is mind fumblingly slow but considering it takes 8 bits to produces a single character, an attacker could still transmit basic data such as a password or credit card number in a reasonable amount of time.
Since the exploit relies on acoustics wouldn’t it get kind of hard to successfully execute the threat in a noisy server room?
That’s a good question but I don’t think it’s relevant Hanspach and Goetz note the aural signals are operating in the ultrasonic realm (20 kHz) so it’s not audible and therefore I would imagine it’s impervious to audio signals below the 20 kHz mark.
Also, you might be thinking that ordinary computers have a pretty hard time dealing with high fidelity frequencies so couldn’t you preclude this vulnerability by snipping the speaker wires? And my answer to that is yes; but how many ordinary users do you see doing that? Most people don’t know how to open their laptops much less identify the electrical components leading to their speakers and mic.
The Bottom Line
The point is this: just because your computers are unplugged from the internet and don’t even have the Wi-Fi hardware physically installed, it’s still not immune to malware. Fortunately you can avert the problem by disabling your audio input and output devices; however, it’s still a real issue that we’ll most likely have to contend with in the future.
What do you guys think about all this? Should we be paranoid? You can read the full 10 page paper on the Journal of Communications.