Wednesday, 4 December 2013

Ultrasonic cyber-attack can “steal information” even from high-security systems, researchers warn

An audio communication system designed for ultrasonic underwater communications can be used to steal data – even from disconnected PCs in secure environments, by relaying it to the outside world from PC to PC through computer speakers, researchers claim.
The technique could defeat the security measures used by military establishments and stock markets – and was described as ”
Researchers showed how computer speakers could transmit data at around 20 bits per second over ranges of up to 60 feet, according to The Telegraph, and “secretly leak critical data to the outside world”.
Using ordinary computer hardware, infected with malware, computers can be “chained” so that data could plausibly be stolen from a disconnected – or “air gapped” – PC, and sent via a relay to the outside world, all via PC speakers.
Sensitive data can be stolen undetectably, using audio signals transmitted from PC to PC at frequencies up to 35,000Hz – well outside the range of human hearing. The researchers did not investigate whether the technique could be used to infect machines. Their technique is discussed at length here.
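A tone above the range of human hearing is still present as energy in any recording sampled fast enough to represent it, and that energy can be measured per block of samples. The sketch below is an added example, not code from the researchers or from this article; the 96 kHz capture rate, 5 ms block size, 20 kHz lower band edge, 5% threshold and the synthetic capture are all assumptions chosen for illustration.

```python
import math

# Assumed values, not from the article: capture rate, block size, lower band
# edge (roughly the top of human hearing) and the alert threshold.
RATE = 96_000            # Hz; must exceed 2 x 35,000 Hz to represent the whole band
BLOCK = 480              # samples per block (5 ms), so DFT bins are 200 Hz wide
BAND = (20_000, 35_000)  # Hz; the upper edge is the article's 35,000 Hz
THRESHOLD = 0.05         # flag a block when more than 5% of its energy is in BAND

def goertzel_power(block, k):
    """|X_k|^2 of one DFT bin, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(block))
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def ultrasonic_fraction(block):
    """Share of the block's energy that lies inside BAND (0.0 to 1.0)."""
    total = sum(x * x for x in block)
    if total == 0.0:
        return 0.0  # digital silence: nothing to measure
    n = len(block)
    lo = math.ceil(BAND[0] * n / RATE)
    hi = math.floor(BAND[1] * n / RATE)
    band = sum(goertzel_power(block, k) for k in range(lo, hi + 1))
    # Parseval: sum of |X_k|^2 over all bins = n * total; x2 for the mirrored bins.
    return 2.0 * band / (n * total)

def scan(samples):
    """Indices of BLOCK-sized blocks whose ultrasonic share exceeds THRESHOLD."""
    blocks = (samples[i:i + BLOCK] for i in range(0, len(samples) - BLOCK + 1, BLOCK))
    return [i for i, b in enumerate(blocks) if ultrasonic_fraction(b) > THRESHOLD]

def constructed_capture():
    """Constructed input: 1 kHz audible tone; a quieter 21.3 kHz tone joins at block 4."""
    out = []
    for n in range(8 * BLOCK):
        t = n / RATE
        x = math.sin(2 * math.pi * 1_000 * t)
        if n >= 4 * BLOCK:
            x += 0.5 * math.sin(2 * math.pi * 21_300 * t)
        out.append(x)
    return out

if __name__ == "__main__":
    print(scan(constructed_capture()))
```

A capture made at the common 44.1 kHz or 48 kHz rates cannot represent most of this band, so the capture rate is the first thing to check before relying on such a measurement.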
“The proof-of-concept software, detailed in the Journal of Communications, suggests that a lack of an Internet connection isn’t enough to insulate sensitive internal computer systems from the outside world,” CNET said in its report.
Previously, an “air gap” – computers disconnected entirely from internal and external networks – was considered a highly secure way to protect data. This research may “break the security” of such systems, the researchers warn. “Air gaps” – where a computer is not connected to any network, internal or external, wired or wireless – are used in high-security environments, such as military systems or financial institutions such as stock markets, to protect data.
The researchers demonstrated how the attack could transmit data from one infected PC through a series of relay “drones” to an attacker PC, which then sends the information out via the internet. The researchers demonstrated this with keylogger software, which logged what was typed on a disconnected PC, then transmitted it inaudibly to other PCs.
The researchers say that such attacks bypass current security measures to transmit covert and stealthy information from PC to PC, even on networks with strict security policies. Using five Lenovo T400 PCs, and their built-in speakers and audio cards, the researchers were able to transmit data from a disconnected PC to the outside world.
“If we want to exploit a rigorously hardened and tested type of computing system, or networks, we have to break new ground,” the researchers wrote in the Journal of Communications. “Covert channels are communication channels utilizing means for communications that have not been designed for this purpose. With a covert channel, we can circumvent system and network security policies.”
The Telegraph points out that malware that bridges “air gaps” has been used before – Flame, which the Washington Post claimed may have been developed by the NSA and CIA, used Bluetooth to download contact information from nearby devices. Flame was largely detected on machines in Iran.
The idea that malware could communicate in this way is not far-fetched in itself – earlier this year, We Live Security reported on research from the University of Alabama at Birmingham, where sound was used as a “trigger” for malware.
Signals could be sent from a distance of 55 feet using “low-end PC speakers with minimal amplification and low-volume”, the researchers said.
“We showed that these sensory channels can be used to send short messages that may eventually be used to trigger a mass-signal attack,” said Nitesh Saxena, Ph.D., of UAB. “While traditional networking communication used to send such triggers can be detected relatively easily, there does not seem to be a good way to detect such covert channels currently.”
The researchers presented a paper titled “Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices,” at the 8th Association for Computing Machinery Symposium on Information, Computer and Communications Security (ASIACCS) in Hangzhou, China.
