back to article Hear that? It's the sound of BadBIOS wannabe chatting over air gaps

Computer scientists have brewed up prototype malware that's capable of communicating across air gaps using inaudible sounds. The mesh network capable of covertly communicating without wireless or wired connections was developed by Michael Hanspach and Michael Goetz. It borrows its founding principles from established systems …

COMMENTS

This topic is closed for new posts.
  1. Mudslinger

    Bandwidth?

    So now our PCs are going to be talking to each other by acoustic coupler. Really?

    That's some pretty sophisticated malware that can break the laws of physics.

    1. swissrobin

      Re: Bandwidth?

      I understand that a clean PC won't be able to get a virus by acoustic network. It's obvious that the computers can talk to each other using speakers/microphones.

      I must be misunderstanding your "laws of physics" point - can you elaborate?

      1. Mudslinger

        Re: Bandwidth?

        Maybe laws of physics was an inappropriate shorthand - but where are these PCs going to be that they can communicate at any sensible speed over all the background noise (audible or not)?

        Let's assume the hardware (speakers and mics) can handle audio at 100kHz. Bear in mind that they probably aren't designed for >15kHz.

        How long to transfer 1Mb?

        1. Anonymous Coward
          Anonymous Coward

          Re: Bandwidth?

          The question is "how much damage can you imagine from even small pieces of data?" - think passwords, private keys, rotor speeds for centrifuge arrays...

        2. Adam Foxton

          Re: Bandwidth?

          It's in the article. 2 characters per second. So 1Mbyte would be 500,000 seconds, or a hair over 5 days.

          Subsea acoustic couplers hit nearer 6k/s, so there's a lot of room for improvement and if the researchers passed the data through desk/floor/desk they could have a much better, though more environment-dependent, coupling. So there's scope to drop this transfer time or increase it's range.

          And a PIN number is 4 numbers, between 0000 and 9999 so could fit into 2 bytes with plenty room to spare.

          1. Fred Flintstone Gold badge

            Re: Bandwidth?

            It's not just bandwidth - it's also about

            1 - remaining audibly undetected.

            2 - being able to RELIABLY receive that data (remember, adding an ACK in this process will cut your available bandwidth again).

            3 - being able to discriminate the relevant sounds from all the environmental noise.

            4 - do this in code that remains undetected in size and resource drain

            5 - being able to infect another machine from cold with this.

            Sorry, I'm not buying it. I didn't the first time, and I don't buy this one either. Not even in a (vewwy, vewwy quiet) lab.

        3. Shaha Alam

          Re: Bandwidth?

          $kill_all_monsters=1

          only needed 1 bit of data to kick off that process.

  2. jake Silver badge

    Bullshit.

    Don't tell me. Demonstrate.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bullshit.

      They did:

      http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf

      All nicely hands-on:

      For the experimental setup we are using five laptops

      (model: Lenovo T400) as the mesh network participants.

      As operating system for each node, we installed Debian

      7.1 (Wheezy) on each laptop. All experiments were

      performed at FKIE, building 3, and without any

      acoustical preparations made.

      ...

      From the recorded frequency range it can be

      discovered that we are able to process frequencies in the

      low ultrasonic range around 20,000 Hz. Previously

      performed tests with a Lenovo T410 Laptop featuring the

      Conexant 20585 audio codec (with 192 kHz DAC / 96

      kHz ADC) [12] have shown very similar results. The

      results lead us to the conclusion that ultrasonic or near

      ultrasonic communication with computing systems of the

      Lenovo T400 series is possible.

      1. Tom 7 Silver badge

        Re: Bullshit.

        I've just played 20khz sine at full volume into my laptop speakers - right next to the microphone and the microphone picked up nothing. A condenser microphone picked up the birds the other side of the double glazing but not the speakers. Plugged in the headphones which are rated to 20khz and next to the condenser microphone the birds still out did it, breathing in the same room swamped the lot.

        1. Anonymous Coward
          Anonymous Coward

          Re: Bullshit.

          Plugged in the headphones which are rated to 20khz and next to the condenser microphone the birds still out did it, breathing in the same room swamped the lot.

          Digital modes like ALE and WSPR work well below the noise threshold that one can hear tuning a radio into one of those transmissions, so it's feasible that a signal can be heard by machine and not be easily detectable by a human.

          It's also quite possible that the 20kHz rating is not completely genuine, either for the headphones or the microphone.

      2. tom dial Silver badge

        Re: Bullshit.

        How was the communication software installed on the systems? On its face some type of physical access would be needed on at least some of the communicating machines.

        This idea seems to have marginal utility in that once the appropriate software is installed on both the isolated network and a nearby internet connected one, there would be potential for inbound control and outbound data transfer. The obvious countermeasure, in addition to removing or disabling audio input on the airgapped machnes would be to remove internet connected machines from the immediate area. I seem to recall that high audio frequencies don't turn corners very well and probably don't go through closed doors without serious attenuation.

        This seems an interesting oddity but probably not very useful in practice.

  3. MacroRodent Silver badge
    Boffin

    Acoustic malware

    Having co-operating computers (where "co-operating" can mean infected with compatible malware) communicate acoustically is not surprising at all. After all, old acoustic coupling modems used to do this.

    But I just do not believe malware could infect a computer that way.

    Of course in theory the sound device driver is so buggy it overwrites buffers while receiving data from the D/A converter connected to the microphone, but such a driver would quickly crash the computer even without hearing any malignant sounds! It would also be impossible for the malignant sound to be controlled so precisely that the resulting digitized data would form a working program.

    1. Jim 59

      Re: Acoustic malware

      The air-gap thing is fascinating but requires both systems to be already compromised, in which case the black hat can already transmit data over the wire. Did I miss something ?

    2. Tom 13

      Re: I just do not believe malware could infect a computer that way.

      Yep.

      Especially since none of my desktops have microphones.

      How come I can never find the link to the obligatory Bloom County cartoon for these things. You know, the one that ends with the teacher proclaiming "But Oliver, gerbils don't like peanut butter." and Oliver thinking to himself "Another beautiful theory slain by an ugly fact." I think he'd just worked out a formula for nearly limitless, pollution free energy production.

    3. H.Winter
      Facepalm

      Re: Acoustic malware

      "It would also be impossible for the malignant sound to be controlled so precisely that the resulting digitized data would form a working program."

      Ha, reminds me of a tv show where the criminal had etched markings into some bones, then when the bones were photographed and loaded onto the computer, they got a virus.

      Aha, found it: http://www.liveleak.com/view?i=e27_1327440153

  4. Wupspups
    Facepalm

    Easy to stop

    Remove the microphone and/or speakers.

    1. Stoneshop Silver badge
      FAIL

      Not that easy to stop

      I don't see the average user opening his/her laptop to try find the connectors for the builtin speakers and mic, which they might also want to use for their indented porpoises; even more so if it's an Apple.

      1. AndyS

        Re: Not that easy to stop

        But an attack of this sort wouldn't be aimed at the average user - hence all the talk of military, power stations etc in the article. It would be aimed at highly secured, air-gapped systems.

        The administrators of those systems would have no trouble at all disabling the microphone/speakers, so I'm not sure why the obvious conclusion isn't just to remove them. Are they likely to be regularly used in these sorts of environments?

      2. tom dial Silver badge

        Re: Not that easy to stop

        I wonder if a small strip of duct tape over the microphone opening would do the trick.

    2. Anonymous Coward
      Anonymous Coward

      Re: Easy to stop

      Ha, the next version will use your 3d printer to create the microphone and speakers it needs.

  5. Anonymous Coward
    Anonymous Coward

    Meh...

    Non event. Clever but easily circumvented by unplugging or disabling the microphone, muting the sound or turning it off.....

    1. Stoneshop Silver badge
      FAIL

      Re: Meh...

      I don't see unplugging the speakers and mics happening with laptops, let alone tablets, and if you disable them in software, then the malware can just as easily re-enable them.

      1. Putters

        Re: Meh...

        Given the nature of the systems that they were talking about - and the likelihood that they would be some kind of warning system, turning off the Bing on the Box That Goes Bing just might not be the greatest idea ...

    2. Anonymous Coward
      Anonymous Coward

      Re: Meh...

      That's being wise after the fact - I wouldn't dismiss the Black Death as a non-event because it's easily circumvented by improved sanitation, nutrition, and medical practice. The question is whether people running air-gapped systems thought to do this for the preceding N years. And as for simply muting the sound - since it's ultrasonic and produced by low-level software you wouldn't trust anything less than snipping the wire to the speaker (unless it's a surface-mounted device in a laptop. Then I guess you carefully drive pins into it until it seems to have stopped making useful noises and hope you don't knacker anything fragile behind it)

      1. Anonymous Coward
        Anonymous Coward

        Re: Meh...

        "Then I guess you carefully drive pins into it until it seems to have stopped making useful noises and hope you don't knacker anything fragile behind it)"

        If you've gone to the trouble of air gapping your systems, then getting a tech to desolder a PCB mount speaker is not going to be a big hairy deal, IMHO.

        And most PCB mount speakers are in small cans with an opening at the top, and simply sticking a bit of electrical tape across the aperture would get you 10-20 dB of attenuation at a guess, and something like a foam sticky probably around 30 dB or more. I'd like to see them demonstrate a PC to PC audio link with 20 dB silencing on the target system.

  6. Anonymous Coward
    Anonymous Coward

    Obvious

    1. Get a sample of the infection

    2. buy a dog with upright ears (beware see note on Border Collie)

    3. train it to detect the high frequency chatter

    4. rent it out as an antivirus hound.

    5. Profit

    Note 1

    Border Collies - sufficiently intelligent you might end up working for them, that's a summer I'll never get back.

  7. John Tserkezis

    I don't see how it could work. And no, a PDF doesn't cut it, I want a real-life demo.

    I've played with acoustic coupling of various types over the years, along with analogue data recordings, and all of them, bar none, were so flakey I would cheer with joy if it actually worked at all.

    And these guys expect me to believe they have it working over 20 metres? Yeah right. I want a real-life demo.

    1. Anonymous Coward
      Anonymous Coward

      "I've played with acoustic coupling of various types over the years, along with analogue data recordings, and all of them, bar none, were so flakey I would cheer with joy if it actually worked at all."

      You don't remember those crappy audio couplers used to link computers over landlines back in the days before time, then?

      1. Darryl

        Those crappy audio couplers used to link computers over landlines were also loud, much lower frequency, and speaking directly to each other over a telephone line. A lot harder to do in ultra high frequencies (so people can't hear) across a room full of noises.

    2. Adam Foxton

      Example?

      http://www.sonardyne.com/products/subsea-wireless-communications.html

      It's subsea but orders of magnitude faster and with kilometer ranges. It also deals with all the noise and interference you get subset- and with a few-km range that's a LOT of noise.

      Getting it working in air is impressive but I wouldn't imagine ground-breaking. Just good old-fashioned engineering-around-a-problem.

      1. Anonymous Coward
        Anonymous Coward

        Re: Example?

        It's subsea but orders of magnitude faster and with kilometer ranges. It also deals with all the noise and interference you get subset- and with a few-km range that's a LOT of noise.

        And just how much code and processing is required to make that work? Remember - we're trying to do this unnoticed..

  8. Jason Togneri

    Missing the point of the article

    DO any of the Reg commentards actually ever read the articles they've vomiting over?

    It said nothing about infecting machines via sound. It did, however, mention using them as an ad-hoc network - if you manage to infect a closed and secure network via a non-networked medium (USB, for example), you would still need to get that USB stick and its data into an outward-facing machine so that it could be sent on its way home. Let's say that the user is sufficiently well trained that he doesn't use the same USB stick between his work and home computers, but that his home computer is already infected. The two machines are never on the same LAN and they don't share USB. The virus can still transmit its data package nonetheless, so long as both machines are infected with compatible viruses and within 'hearing' distance of each other - thus opening up a new vector for data transmission. Sure, it's early days, but now you need to only infect two machines seperately and just have them within the same physical space, rather than infecting them *AND* making sure they're both on the same network or sharing USB or whatever, and so on. There is a lot of potential there.

    1. Anonymous Coward
      Anonymous Coward

      Re: Missing the point of the article

      "There is a lot of potential there."

      No there is some very small potential. if you're a paranoid Iranian IT tech, then you've perhaps got cause to worry, but for the rest of the world I doubt it. For starters the physical security of the air-gapped systems needs to be breached to get the devices in proximity. If air gap security is done properly then external electronic devices don't get carried on site. So that's mobiles (which could be used in lieu of an infected laptop), laptops, MP3 players, tablets, smart watches, Googoggles, arguably even stuff like portable satnavs.

      I would have expected that sensitive sites already ban their staff from bringing portable electronic equipment on site - not purely because they don't trust the staff (that being a separate issue), but simply to avoid mistakes and unknown-to-the-vector attacks.

  9. TJ1
    Alert

    Even easier to stop...

    ... plug in headphones!

    It's an intriguing attack scenario though.

    Instinctive reaction to the "infection over ultra-sonic" is "Impossible, system needs infecting by some other method before communication can begin".

    But, in light of some of the recent public revelations from the Snowden documents, I don't think we need to be wearing tin-foil hats to imagine it possible that one or more of the (few) modular BIOS/Firmware makers could have been internally compromised in order to insert a small additional acoustic coupling module into their standard images.

    Alternatively, the BIOS/Firmware USB modules may have one or more buffer overflow flaws that allows an inserted-at-boot-time USB flash device that has malicious reprogrammed firmware to insert a payload into the BIOS/Firmware module chain.

    It would be easier to believe Dragos Ruiu's claims of infection if he published the make/model of the PCs he claims have been infected, and released copies (or SHA checksums) of the BIOS/EFI images so that others can compare against other identical hardware. All I can find are now-extinct fie-locker style links, and reports that the images he did release were edited by some mysterious entity whilst on the public servers to remove the root-kit evidence, which doesn't give much confidence in the claims being verifiable.

    1. Anonymous Coward
      Anonymous Coward

      Re: Even easier to stop...

      Headphone jacks don't always have a physical interlock - as I've found to my peril a couple of times, when I've fired up some sweet sweet sounds on my noise-cancelling headphones to retreat into undisturbed productivity, only to have agitated coworkers inform me (by throwing things) that the main speakers were also running. And it really was a software issue - mute/unmute fixed it: my wild-ass guess is that rather than have a physical switch on the jack the sound system uses the impedence/current on it as the control, so saving a cent or two.

      (this is among many good reasons not to watch porn at work)

    2. Dave 126 Silver badge

      Re: Even easier to stop...

      >It would be easier to believe Dragos Ruiu's claims of infection if he published the make/model of the PCs he claims have been infected,

      "The researcher reports that the BIOS malware on a Dell Alienware, Thinkpads and Sony laptops is encountered. MacBooks could also have become infected as possible, but that's not confirmed yet. The malware uses DHCP options encrypted to communicate. Attackers On the basis of the tweets shows that the investigation of the malware is still in full swing. Security.NL Ruiu has asked for more information. We will let you know. Soon as more details are known"

      - https://www.security.nl/posting/366329/Onderzoeker+ontdekt+mysterieuze+BIOS-malware

      I'm not supporting his claims, just reposting some info about the machines he's used.

  10. RyokuMas Silver badge
    IT Angle

    Still don't get all the fuss on this.

    Okay, so it's proved possible to transmit data via sound inaudible to the human ear. But as a virus-carrying medium...? Really???

    What so many seem to have not taken into account in this is that even if one computer was broadcasting these sounds and there were other computers "in range" with microphones equipped and switched on, they would still need software to decode the sound! Okay, so it may be, just may be possible to directly write data into a target machine by causing vibrations that trigger induction and introduce the data, but the odds on getting anything remotely resembling executable code this way that will run regardless of the target machine's make, model, component set, location, etc., etc...?

    Good to prove the concept, but the idea that this could be used to spread viruses is absurd, and pure click-bait.

    1. Dave 126 Silver badge

      Re: Still don't get all the fuss on this.

      > But as a virus-carrying medium...? Really???

      >the idea that this could be used to spread viruses is absurd, and pure click-bait.

      The article doesn't say that! Read it again.

      It is not a virus-carrying medium.

      All the researchers are showing is a method that a previously infected machine can use to communicate with other infected machines, so that small data such as passwords etc can be 'sent home' after the original attack vector is no longer available to it.

    2. Anonymous Coward
      Anonymous Coward

      Re: Still don't get all the fuss on this.

      It'd have to be listening, in the same way that you have to read the article.

      They didn't say you could infect a machine with it, just that you could transfer data/commands across an acoustic network between two infected machines.

  11. Anonymous Coward
    Megaphone

    Curious

    Onboard speakers are often a Piezo element, which can also work as a microphone (assuming circuitry).

    They may be not have good human audio frequency response but for this use, that would be a bonus.

    It might be interesting to see the frequency tailored to those piezo elements used in specific brands/models or to the resonant frequency of the case/cavity. There is also the assumption of duplex, simplex would work if lower the throughput.

    What next, looking closely at those extra bright, blue leds flashing through the office at night?

  12. Arthur the cat Silver badge
    Alien

    Gaps

    Looks like people who want seriously secure systems are going to have to replace air gaps with vacuum gaps. I can just see the job adverts: wanted, sysadmins. Must be familiar with Linux and Orlan Ms.

    1. Anonymous Coward
      Anonymous Coward

      Re: Gaps

      Vacuum, Faraday Cage, light tight, magnetically shielded, vibration resistant.

      Sysadmin wanted - must be physically undetectable.

      Actually that has just given me an idea for a government contract, could be a nice earner.

      “Doing my job!” “of course I'm doing my job, if you could see me at work I'd obviously be failing!”

      1. Shaha Alam

        Re: Gaps

        in the most secure environments, it might be time to just get rid of the computers and replace with humans whispering secrets to each other.

        psss psss The Chinese have moved into position. shhh.

        psss psss The Chin azimove to solution. shhh.

        psss psss Sitchin whose muse the station. shhh.

        1. Anonymous Coward
          Coat

          Re: Gaps

          in the most secure environments, it might be time to just get rid of the computers and replace with humans whispering secrets to each other.

          You mean the old "Send re-inforcements we're going to advance!" which gets back to HQ as "Send 3 and 4 pence, we're going to a dance!"?

          As for vacuum gaps? That'd just suck.

    2. Darryl

      Re: Gaps

      Vacuum gaps?

      Wanted, sysadmins. Must be able to hold breath for long periods of time

  13. Aitor 1 Silver badge

    Problem

    The problem, as I see it, is that even IF the air gaped systems are compromised, no data can get out, as they are air gaped.

    BUT if you also compromise, say the Mobile of one administrator, you might use that to recover data/control the compromised computers.

    20 bps for 4 hours is not a big amount.. but still arround 36KiB.. you can get info about the files, pwds etc you want, and over a month or so get critical data.

  14. Anonymous Coward
    Anonymous Coward

    No industry experience

    While the concept is interesting it is obvious that the researchers have no industrial experience at all.

    You do not use laptops to control industrial machinery and in almost all cases there are no microphones plugged in - there is the odd exception where you are doing sound analysis but that has other constraints regarding OS and software used.

    Since this is touted as something that can cross the air gap in industrial situations the researchers need to work in the industrial situations before going off half cocked like script kiddies. Industry uses laptops only in the front office NOT out on the shop floor where the actual work is done.

    When they have found a way of turning things like power supply transformers into acoustic transducers for both transmission and reception of ultra sound they might have something to shout about, until then it is an interesting toy.

  15. Truth4u

    soft modem

    very clever. Of course I thought of this years ago but I wasn't going to use it for evil. I'm just too nice.

  16. Spoonsinger
    Windows

    These scientists need to do more reasearch into 7Hz communications.

    (With the features outlined in Borland Turbo C++ manual)

  17. DrXym Silver badge

    Seems like an interesting but limited threat

    Most office computers don't even come with speakers, let alone a microphone.

    So even if two infected machines could talk over an airgap it wouldn't do much in that scenario. Chances are they wouldn't bother trying since most machines would be networked together in the first place.

  18. Destroy All Monsters Silver badge

    Easy to defend against

    1) Dont USB plug the machine on the other side of the airgap in the first place

    2) Helen Keller mode switch

    3) White noise fun in the machine room

  19. btrower

    Tragically funny

    All of us receive security updates constantly. Why? Because yet another attack vector was exploited and our security people deal with security one patch at a time.

    By their nature, security breaches happen along pathways that are 'improbable'. The fact that so many commentards cannot see why this is actually important to security makes me wonder.

    Do the math. The ones who know what they are talking about have pricked up their ears because this is yet one more pathway that *has not been shut down* that needs to be shut down. The ones saying that this cannot be a problem and therefore we should not research and seal the breach will spend the rest of their days constantly being surprised by the ordinary.

  20. Irongut

    Dubbed SuperVirus,

    the mythical rootkit can supposedly leap tall buildings in a single bound, screw your wife, and even survive nukeing from orbit.

    Back here in the real world I say show me the proof. A virus with seemingly super hero powers that only one so called security researcher has ever seen? Pull the other one, it has bells on.

  21. VeganVegan

    Powerline communication?

    Unless an isolated (air gapped, light and EM tight) room has its own fuel dump & generator, there is that electrical cable leading out of it.

    Ethernet over powerline?

    1. Destroy All Monsters Silver badge

      Re: Powerline communication?

      I don't want to hear anymore of this, Mr. Mulder!

  22. Tromos
    Joke

    It might only be 20bps...

    ...but at least there's no throttling and usage caps.

  23. Anonymous Coward
    Anonymous Coward

    You could listen for it.....

    ... with a portable Bat Detector device that converts the high frequencies to audible ones?

    http://en.wikipedia.org/wiki/Bat_detector

    That's one way to monitor for anything suspicious :)

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019