Hear that? It's the sound of BadBIOS wannabe chatting over air gaps

Computer scientists have brewed up prototype malware that's capable of communicating across air gaps using inaudible sounds. The mesh network capable of covertly communicating without wireless or wired connections was developed by Michael Hanspach and Michael Goetz. It borrows its founding principles from established systems for …

COMMENTS

This topic is closed for new posts.

Bandwidth?

So now our PCs are going to be talking to each other by acoustic coupler. Really?

That's some pretty sophisticated malware that can break the laws of physics.

1
5

Re: Bandwidth?

I understand that a clean PC won't be able to get a virus by acoustic network. It's obvious that the computers can talk to each other using speakers/microphones.

I must be misunderstanding your "laws of physics" point - can you elaborate?

3
0

Re: Bandwidth?

Maybe laws of physics was an inappropriate shorthand - but where are these PCs going to be that they can communicate at any sensible speed over all the background noise (audible or not)?

Let's assume the hardware (speakers and mics) can handle audio at 100kHz. Bear in mind that they probably aren't designed for >15kHz.

How long to transfer 1Mb?

0
2

Re: Bandwidth?

The question is "how much damage can you imagine from even small pieces of data?" - think passwords, private keys, rotor speeds for centrifuge arrays...

5
0

Re: Bandwidth?

It's in the article. 2 characters per second. So 1Mbyte would be 500,000 seconds, or a hair over 5 days.

Subsea acoustic couplers hit nearer 6k/s, so there's a lot of room for improvement and if the researchers passed the data through desk/floor/desk they could have a much better, though more environment-dependent, coupling. So there's scope to drop this transfer time or increase its range.

And a PIN number is 4 numbers, between 0000 and 9999 so could fit into 2 bytes with plenty room to spare.

2
0
Gold badge

Re: Bandwidth?

It's not just bandwidth - it's also about

1 - remaining audibly undetected.

2 - being able to RELIABLY receive that data (remember, adding an ACK in this process will cut your available bandwidth again).

3 - being able to discriminate the relevant sounds from all the environmental noise.

4 - do this in code that remains undetected in size and resource drain

5 - being able to infect another machine from cold with this.

Sorry, I'm not buying it. I didn't the first time, and I don't buy this one either. Not even in a (vewwy, vewwy quiet) lab.

5
1

Re: Bandwidth?

$kill_all_monsters=1

only needed 1 bit of data to kick off that process.

0
0
Silver badge

Bullshit.

Don't tell me. Demonstrate.

0
10

Re: Bullshit.

They did:

http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf

All nicely hands-on:

For the experimental setup we are using five laptops (model: Lenovo T400) as the mesh network participants. As operating system for each node, we installed Debian 7.1 (Wheezy) on each laptop. All experiments were performed at FKIE, building 3, and without any acoustical preparations made.

...

From the recorded frequency range it can be discovered that we are able to process frequencies in the low ultrasonic range around 20,000 Hz. Previously performed tests with a Lenovo T410 Laptop featuring the Conexant 20585 audio codec (with 192 kHz DAC / 96 kHz ADC) [12] have shown very similar results. The results lead us to the conclusion that ultrasonic or near ultrasonic communication with computing systems of the Lenovo T400 series is possible.

7
0
Silver badge

Re: Bullshit.

I've just played 20kHz sine at full volume into my laptop speakers - right next to the microphone and the microphone picked up nothing. A condenser microphone picked up the birds the other side of the double glazing but not the speakers. Plugged in the headphones which are rated to 20kHz and next to the condenser microphone the birds still outdid it, breathing in the same room swamped the lot.

2
0
Bronze badge

Re: Bullshit.

How was the communication software installed on the systems? On its face some type of physical access would be needed on at least some of the communicating machines.

This idea seems to have marginal utility in that once the appropriate software is installed on both the isolated network and a nearby internet connected one, there would be potential for inbound control and outbound data transfer. The obvious countermeasure, in addition to removing or disabling audio input on the airgapped machines, would be to remove internet connected machines from the immediate area. I seem to recall that high audio frequencies don't turn corners very well and probably don't go through closed doors without serious attenuation.

This seems an interesting oddity but probably not very useful in practice.

0
0
Silver badge

Re: Bullshit.

Plugged in the headphones which are rated to 20kHz and next to the condenser microphone the birds still outdid it, breathing in the same room swamped the lot.

Digital modes like ALE and WSPR work well below the noise threshold that one can hear tuning a radio into one of those transmissions, so it's feasible that a signal can be heard by machine and not be easily detectable by a human.

It's also quite possible that the 20kHz rating is not completely genuine, either for the headphones or the microphone.

0
0
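Added example (not part of any comment in this thread, and not code from the Hanspach/Goetz paper): a defender-side check of the point made just above, that a narrowband carrier can sit well below the broadband noise and still be found by machine. It runs a Goertzel filter across the near-ultrasonic band of one second of constructed audio; the 48 kHz capture rate, the 18-22 kHz scan band, the 13 dB threshold and all function names are assumptions.

```python
import math
import random

FS = 48_000   # assumed capture sample rate in Hz
N = 48_000    # one second of samples -> every integer Hz is an exact bin


def goertzel_power(samples, freq_hz, fs=FS):
    """Return |X(f)|^2 at a single frequency via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / fs)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def make_capture(tone_amp, tone_hz=20_000, noise_rms=1.0, seed=1):
    """Constructed test input: white Gaussian room noise plus an optional tone."""
    rng = random.Random(seed)
    w = 2.0 * math.pi * tone_hz / FS
    return [rng.gauss(0.0, noise_rms) + tone_amp * math.sin(w * n)
            for n in range(N)]


def fullband_snr_db(tone_amp, noise_rms=1.0):
    """Tone power relative to total noise power, i.e. what a level meter sees."""
    return 10.0 * math.log10((tone_amp ** 2 / 2.0) / noise_rms ** 2)


def scan_band(samples, lo=18_000, hi=22_000, step=250, threshold_db=13.0):
    """Flag frequencies whose power stands out from the median of the band.

    The median of the scanned bins serves as the local noise floor, so the
    check adapts to how loud the room is instead of using a fixed level.
    """
    freqs = list(range(lo, hi + 1, step))
    powers = [goertzel_power(samples, f) for f in freqs]
    floor = sorted(powers)[len(powers) // 2]
    hits = []
    for f, p in zip(freqs, powers):
        excess_db = 10.0 * math.log10(p / floor)
        if excess_db >= threshold_db:
            hits.append((f, round(excess_db, 1)))
    return hits


if __name__ == "__main__":
    amp = 0.1  # tone amplitude against noise of RMS 1.0
    print("full-band SNR of tone: %.1f dB" % fullband_snr_db(amp))
    print("noise only   :", scan_band(make_capture(0.0)))
    print("noise + tone :", scan_band(make_capture(amp)))
```

Integrating over one second narrows the effective bandwidth to about 1 Hz, which is why a tone some 23 dB under the total noise still clears the per-bin floor; shorter windows or a carrier that hops frequency reduce that margin.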
Bronze badge
Boffin

Acoustic malware

Having co-operating computers (where "co-operating" can mean infected with compatible malware) communicate acoustically is not surprising at all. After all, old acoustic coupling modems used to do this.

But I just do not believe malware could infect a computer that way.

Of course in theory the sound device driver is so buggy it overwrites buffers while receiving data from the D/A converter connected to the microphone, but such a driver would quickly crash the computer even without hearing any malignant sounds! It would also be impossible for the malignant sound to be controlled so precisely that the resulting digitized data would form a working program.

5
0
Silver badge

Re: Acoustic malware

The air-gap thing is fascinating but requires both systems to be already compromised, in which case the black hat can already transmit data over the wire. Did I miss something ?

1
0
Silver badge

Re: I just do not believe malware could infect a computer that way.

Yep.

Especially since none of my desktops have microphones.

How come I can never find the link to the obligatory Bloom County cartoon for these things. You know, the one that ends with the teacher proclaiming "But Oliver, gerbils don't like peanut butter." and Oliver thinking to himself "Another beautiful theory slain by an ugly fact." I think he'd just worked out a formula for nearly limitless, pollution free energy production.

0
0
Facepalm

Re: Acoustic malware

"It would also be impossible for the malignant sound to be controlled so precisely that the resulting digitized data would form a working program."

Ha, reminds me of a tv show where the criminal had etched markings into some bones, then when the bones were photographed and loaded onto the computer, they got a virus.

Aha, found it: http://www.liveleak.com/view?i=e27_1327440153

0
0
Facepalm

Easy to stop

Remove the microphone and/or speakers.

0
0
Silver badge
FAIL

Not that easy to stop

I don't see the average user opening his/her laptop to try to find the connectors for the built-in speakers and mic, which they might also want to use for their indented porpoises; even more so if it's an Apple.

0
1
Bronze badge

Re: Not that easy to stop

But an attack of this sort wouldn't be aimed at the average user - hence all the talk of military, power stations etc in the article. It would be aimed at highly secured, air-gapped systems.

The administrators of those systems would have no trouble at all disabling the microphone/speakers, so I'm not sure why the obvious conclusion isn't just to remove them. Are they likely to be regularly used in these sorts of environments?

0
0
Anonymous Coward

Re: Easy to stop

Ha, the next version will use your 3d printer to create the microphone and speakers it needs.

8
0
Bronze badge

Re: Not that easy to stop

I wonder if a small strip of duct tape over the microphone opening would do the trick.

0
0
Silver badge

Meh...

Non event. Clever but easily circumvented by unplugging or disabling the microphone, muting the sound or turning it off.....

0
0
Silver badge
FAIL

Re: Meh...

I don't see unplugging the speakers and mics happening with laptops, let alone tablets, and if you disable them in software, then the malware can just as easily re-enable them.

1
1

Re: Meh...

That's being wise after the fact - I wouldn't dismiss the Black Death as a non-event because it's easily circumvented by improved sanitation, nutrition, and medical practice. The question is whether people running air-gapped systems thought to do this for the preceding N years. And as for simply muting the sound - since it's ultrasonic and produced by low-level software you wouldn't trust anything less than snipping the wire to the speaker (unless it's a surface-mounted device in a laptop. Then I guess you carefully drive pins into it until it seems to have stopped making useful noises and hope you don't knacker anything fragile behind it)

2
0

Re: Meh...

Given the nature of the systems that they were talking about - and the likelihood that they would be some kind of warning system, turning off the Bing on the Box That Goes Bing just might not be the greatest idea ...

0
0
Silver badge

Re: Meh...

"Then I guess you carefully drive pins into it until it seems to have stopped making useful noises and hope you don't knacker anything fragile behind it)"

If you've gone to the trouble of air gapping your systems, then getting a tech to desolder a PCB mount speaker is not going to be a big hairy deal, IMHO.

And most PCB mount speakers are in small cans with an opening at the top, and simply sticking a bit of electrical tape across the aperture would get you 10-20 dB of attenuation at a guess, and something like a foam sticky probably around 30 dB or more. I'd like to see them demonstrate a PC to PC audio link with 20 dB silencing on the target system.

0
0
Anonymous Coward

Obvious

1. Get a sample of the infection

2. buy a dog with upright ears (beware see note on Border Collie)

3. train it to detect the high frequency chatter

4. rent it out as an antivirus hound.

5. Profit

Note 1

Border Collies - sufficiently intelligent you might end up working for them, that's a summer I'll never get back.

10
0
Silver badge

I don't see how it could work. And no, a PDF doesn't cut it, I want a real-life demo.

I've played with acoustic coupling of various types over the years, along with analogue data recordings, and all of them, bar none, were so flakey I would cheer with joy if it actually worked at all.

And these guys expect me to believe they have it working over 20 metres? Yeah right. I want a real-life demo.

0
8
Anonymous Coward

"I've played with acoustic coupling of various types over the years, along with analogue data recordings, and all of them, bar none, were so flakey I would cheer with joy if it actually worked at all."

You don't remember those crappy audio couplers used to link computers over landlines back in the days before time, then?

0
1

Example?

http://www.sonardyne.com/products/subsea-wireless-communications.html

It's subsea but orders of magnitude faster and with kilometer ranges. It also deals with all the noise and interference you get subsea - and with a few-km range that's a LOT of noise.

Getting it working in air is impressive but I wouldn't imagine ground-breaking. Just good old-fashioned engineering-around-a-problem.

1
0
Anonymous Coward

Re: Example?

It's subsea but orders of magnitude faster and with kilometer ranges. It also deals with all the noise and interference you get subsea - and with a few-km range that's a LOT of noise.

And just how much code and processing is required to make that work? Remember - we're trying to do this unnoticed..

0
0
Silver badge

Those crappy audio couplers used to link computers over landlines were also loud, much lower frequency, and speaking directly to each other over a telephone line. A lot harder to do in ultra high frequencies (so people can't hear) across a room full of noises.

0
0

Missing the point of the article

Do any of the Reg commentards actually ever read the articles they're vomiting over?

It said nothing about infecting machines via sound. It did, however, mention using them as an ad-hoc network - if you manage to infect a closed and secure network via a non-networked medium (USB, for example), you would still need to get that USB stick and its data into an outward-facing machine so that it could be sent on its way home. Let's say that the user is sufficiently well trained that he doesn't use the same USB stick between his work and home computers, but that his home computer is already infected. The two machines are never on the same LAN and they don't share USB. The virus can still transmit its data package nonetheless, so long as both machines are infected with compatible viruses and within 'hearing' distance of each other - thus opening up a new vector for data transmission. Sure, it's early days, but now you need to only infect two machines separately and just have them within the same physical space, rather than infecting them *AND* making sure they're both on the same network or sharing USB or whatever, and so on. There is a lot of potential there.

6
1
Silver badge

Re: Missing the point of the article

"There is a lot of potential there."

No, there is some very small potential. If you're a paranoid Iranian IT tech, then you've perhaps got cause to worry, but for the rest of the world I doubt it. For starters the physical security of the air-gapped systems needs to be breached to get the devices in proximity. If air gap security is done properly then external electronic devices don't get carried on site. So that's mobiles (which could be used in lieu of an infected laptop), laptops, MP3 players, tablets, smart watches, Googoggles, arguably even stuff like portable satnavs.

I would have expected that sensitive sites already ban their staff from bringing portable electronic equipment on site - not purely because they don't trust the staff (that being a separate issue), but simply to avoid mistakes and unknown-to-the-vector attacks.

1
0
TJ1
Alert

Even easier to stop...

... plug in headphones!

It's an intriguing attack scenario though.

Instinctive reaction to the "infection over ultra-sonic" is "Impossible, system needs infecting by some other method before communication can begin".

But, in light of some of the recent public revelations from the Snowden documents, I don't think we need to be wearing tin-foil hats to imagine it possible that one or more of the (few) modular BIOS/Firmware makers could have been internally compromised in order to insert a small additional acoustic coupling module into their standard images.

Alternatively, the BIOS/Firmware USB modules may have one or more buffer overflow flaws that allows an inserted-at-boot-time USB flash device that has malicious reprogrammed firmware to insert a payload into the BIOS/Firmware module chain.

It would be easier to believe Dragos Ruiu's claims of infection if he published the make/model of the PCs he claims have been infected, and released copies (or SHA checksums) of the BIOS/EFI images so that others can compare against other identical hardware. All I can find are now-extinct file-locker style links, and reports that the images he did release were edited by some mysterious entity whilst on the public servers to remove the root-kit evidence, which doesn't give much confidence in the claims being verifiable.

2
1

Re: Even easier to stop...

Headphone jacks don't always have a physical interlock - as I've found to my peril a couple of times, when I've fired up some sweet sweet sounds on my noise-cancelling headphones to retreat into undisturbed productivity, only to have agitated coworkers inform me (by throwing things) that the main speakers were also running. And it really was a software issue - mute/unmute fixed it: my wild-ass guess is that rather than have a physical switch on the jack the sound system uses the impedance/current on it as the control, so saving a cent or two.

(this is among many good reasons not to watch porn at work)

2
0
Silver badge

Re: Even easier to stop...

>It would be easier to believe Dragos Ruiu's claims of infection if he published the make/model of the PCs he claims have been infected,

"The researcher reports that the BIOS malware on a Dell Alienware, Thinkpads and Sony laptops is encountered. MacBooks could also have become infected as possible, but that's not confirmed yet. The malware uses DHCP options encrypted to communicate. Attackers On the basis of the tweets shows that the investigation of the malware is still in full swing. Security.NL Ruiu has asked for more information. We will let you know. Soon as more details are known"

- https://www.security.nl/posting/366329/Onderzoeker+ontdekt+mysterieuze+BIOS-malware

I'm not supporting his claims, just reposting some info about the machines he's used.

0
0
Bronze badge
IT Angle

Still don't get all the fuss on this.

Okay, so it's proved possible to transmit data via sound inaudible to the human ear. But as a virus-carrying medium...? Really???

What so many seem to have not taken into account in this is that even if one computer was broadcasting these sounds and there were other computers "in range" with microphones equipped and switched on, they would still need software to decode the sound! Okay, so it may be, just may be possible to directly write data into a target machine by causing vibrations that trigger induction and introduce the data, but the odds on getting anything remotely resembling executable code this way that will run regardless of the target machine's make, model, component set, location, etc., etc...?

Good to prove the concept, but the idea that this could be used to spread viruses is absurd, and pure click-bait.

0
1
Silver badge

Re: Still don't get all the fuss on this.

> But as a virus-carrying medium...? Really???

>the idea that this could be used to spread viruses is absurd, and pure click-bait.

The article doesn't say that! Read it again.

It is not a virus-carrying medium.

All the researchers are showing is a method that a previously infected machine can use to communicate with other infected machines, so that small data such as passwords etc can be 'sent home' after the original attack vector is no longer available to it.

2
0
Anonymous Coward

Re: Still don't get all the fuss on this.

It'd have to be listening, in the same way that you have to read the article.

They didn't say you could infect a machine with it, just that you could transfer data/commands across an acoustic network between two infected machines.

1
0
Megaphone

Curious

Onboard speakers are often a Piezo element, which can also work as a microphone (assuming circuitry).

They may not have good human audio frequency response but for this use, that would be a bonus.

It might be interesting to see the frequency tailored to those piezo elements used in specific brands/models or to the resonant frequency of the case/cavity. There is also the assumption of duplex; simplex would work, if at lower throughput.

What next, looking closely at those extra bright, blue leds flashing through the office at night?

0
1
Alien

Gaps

Looks like people who want seriously secure systems are going to have to replace air gaps with vacuum gaps. I can just see the job adverts: wanted, sysadmins. Must be familiar with Linux and Orlan Ms.

1
0
Anonymous Coward

Re: Gaps

Vacuum, Faraday Cage, light tight, magnetically shielded, vibration resistant.

Sysadmin wanted - must be physically undetectable.

Actually that has just given me an idea for a government contract, could be a nice earner.

“Doing my job!” “of course I'm doing my job, if you could see me at work I'd obviously be failing!”

3
0

Re: Gaps

in the most secure environments, it might be time to just get rid of the computers and replace with humans whispering secrets to each other.

psss psss The Chinese have moved into position. shhh.

psss psss The Chin azimove to solution. shhh.

psss psss Sitchin whose muse the station. shhh.

1
0
Silver badge

Re: Gaps

Vacuum gaps?

Wanted, sysadmins. Must be able to hold breath for long periods of time

0
0
Silver badge
Coat

Re: Gaps

in the most secure environments, it might be time to just get rid of the computers and replace with humans whispering secrets to each other.

You mean the old "Send re-inforcements we're going to advance!" which gets back to HQ as "Send 3 and 4 pence, we're going to a dance!"?

As for vacuum gaps? That'd just suck.

1
0

Problem

The problem, as I see it, is that even IF the air gapped systems are compromised, no data can get out, as they are air gapped.

BUT if you also compromise, say the Mobile of one administrator, you might use that to recover data/control the compromised computers.

20 bps for 4 hours is not a big amount.. but still around 36KiB.. you can get info about the files, pwds etc you want, and over a month or so get critical data.

0
0
Bronze badge

No industry experience

While the concept is interesting it is obvious that the researchers have no industrial experience at all.

You do not use laptops to control industrial machinery and in almost all cases there are no microphones plugged in - there is the odd exception where you are doing sound analysis but that has other constraints regarding OS and software used.

Since this is touted as something that can cross the air gap in industrial situations the researchers need to work in the industrial situations before going off half cocked like script kiddies. Industry uses laptops only in the front office NOT out on the shop floor where the actual work is done.

When they have found a way of turning things like power supply transformers into acoustic transducers for both transmission and reception of ultra sound they might have something to shout about, until then it is an interesting toy.

2
0

soft modem

very clever. Of course I thought of this years ago but I wasn't going to use it for evil. I'm just too nice.

0
0
Bronze badge
Windows

These scientists need to do more research into 7Hz communications.

(With the features outlined in Borland Turbo C++ manual)

0
0
