Of course slapping a 15kHz analogue filter on all audio ports would also work.
Grumpy old man who can't hear beyond that now =>
Computer speakers and headphones make passable microphones and can be used to receive data via ultrasound and send signals back, making the practice of air gapping sensitive computer systems less secure. In an academic paper published on Friday through preprint service ArXiv, researchers from Israel's Ben-Gurion University of …
"Of course slapping a 15kHz analogue filter on all audio ports would also work."
Actually no. You could still use lower frequencies. Thanks to spread spectrum technologies you can make that less silent than the fans. All you would hear is a very soft noise from your speakers. You couldn't even be sure if that actually came from the speakers or some fan running at low speed.
What you can do is of course to install an amplifier between the sound chip and your speakers/headphones so information can only travel one way and turn off your microphones when you don't need them.
Before I even clicked the article I knew exactly where this "research" was from. Do tell? How do you get the malware on the air gapped pc in the first place? The point of air gapping a pc is that it never touches the internet, ever. I can't wait till the next exciting episode where they use the mouse laser to send morse code or detect passwords by key sounds.
The other thing is, most air-gapped PCs don't have speakers attached either, at least in my experience.
They are there to control some industrial equipment, so they don't generally need speakers (and a majority of late have also been fanless, which knocks out the 2nd attack form)...
But, yes, the question is, how do you infect the air-gapped PC in the first place? If you have properly air-gapped it, it can't be infected...
"How do you get the malware on the air gapped pc in the first place?"
Quite. And if they've managed that it's game over anyway. Also if it's a laptop you have full control of you might just as well use the built in microphone to receive data instead of fannying about with the speakers. That's assuming for some reason the malware can't switch on the built in wifi!
This research is interesting from a technical point of view but virtually irrelevant from a security one.
"How do you get the malware on the air gapped pc in the first place? The point of air gapping a pc is that it never touches the internet, ever"
The problem with that is it only takes one person to make a mistake, and the Malware is in the system. Stuxnet got into a secure Nuclear facility. From what I understand, all it took was for a Siemens engineer to open an infected document on his laptop at home, then plug the laptop into the secure network. Even just plugging a USB into an infected computer, then into an airgapped computer is entirely possible.
The reflections off my eyeballs - where I'm looking. Or the bodies in front of the screen moving about a room - infrared included.
While this seems silly given current consumer technology it certainly seems possible and possibly being actively developed.
Some years ago, there was an article – I don't recall where – about recovering data off screens by looking at the illumination of window blinds or curtains from a distance.
This may be easier with low resolution screens, as detection of individual pixels will be easier at the slower pixel rate.
Audiophile speakers and professional studio quality microphones just may be able to communicate in the 18kHz to 24kHz range. The roll off on professional kit in this range is, I guess, between ±3dB and ±6dB; it's been years since I worked in a studio.
Your average consumer microphone and PC/laptop speakers I believe would need to communicate with each other at a volume and frequency range a human... even an old one like me, could hear.
The theoretical problem the 'researchers' posed is nonsense. At the distance one has to be for a decent transfer speed, one may as well be sitting at the keyboard. They also miss the point of air-gapping: the computer is isolated from the most dangerous external threats. For an air-gapped computer to be compromised one would need physical access which limits the number of people dramatically to maybe a handful. Exploits with an effective range of a few meters that can easily be blocked (play music in the room) are not worth worrying about.
"The people who build them and ship them have physical access so that's one hell of a big handful."
So what do you do, compromise all of them in hope that you'll eventually find one online that shares a room with an air-gapped one you're interested in? However, just to be on the safe side, if you're installing an air-gapped machine make sure it's a different make to any others in the room.
With just in time manufacturing you could get quite specific. And if you stuffed something in the BIOS then infecting everything is no big deal. Compromise the machines you are potentially interested in at source. You just need a listening device not another machine in the same room and you can build that into the wall.
Just because in your mind the case does not exist, does not mean the case does not exist.
In many industries, PCs are tools, with an expected life in decades. Medical equipment, CNC machines, whatever. Air gapping there is all about simply not connecting them to the internet / a network (BSG75 style) - we're not talking national security.
The threat is therefore not theoretical. Infection vector is an issue, of course, but even those old machines need updating sometimes, with a (potentially infected) USB stick say.
Fast forward a few steps and find deep learning embedded into malware - searching for the best form of comms... This research is actually useful, because it forces those who need to think about these things for their situations to think further about every part of the machine (not just the ethernet jack).
There is a Reddit site that has been up for several years since "BadBios" was first proposed.
Some users of the site claim to have fallen victim to strange and unusual ongoing attacks.
It is not for me to say if the commentards are victims from actual malware attacks or victims of a form of mental stress brought on by the never ending "whack-a-mole" that is computer security or adverse reaction to revelations of government surveillance. They are victims nonetheless.
Siri, can my air-gapped PC be compromised by a speaker?
Tomorrow's weather in Turkmenistan is cloudy.
What the, Siri, can my air-gapped PC be compromised by a speaker?
The best drink to accompany a steak is a red wine.
Errrrrr, Siri, CAN my air-gapped PC be compromised by a speaker?
Would you like to hear about my notch?
They didn't forget anything, and you seem to have totally missed the point. The trick is that they are doing it with things not normally used to communicate over a distance, and also being used in ways they were not designed for. It's a bit more involved than "you can communicate through the air with sound."
It's like using a microwave oven to transmit data to a baby monitor (which natively uses a different frequency of EM). Would that invent microwave communication? Not at all, but it certainly would do it in a new way with things never intended to perform that task. Get it now?
Actually, the use of speakers/headphones as microphones is old news, not new at all.
I did myself thirty years ago.
Yeah, the fidelity was so bad that the use of the word 'fidelity' is a bit of a crime against the English language but that's not the point - this is not a new way to do anything.
Okay, let's envision the scenario :
Sensitive computers, accessing and containing essential company information, used by the few individuals accredited by the company to have access to and manage that information. And you want me to think that those people are going to have the speakers working on those sensitive machines ? Because obviously what they want to do is listen to music all day long. Or some other nonsense explanation.
Look, either we're talking about a mom & pop operation at which point nobody gives a rat's ass what info is on the computer, or we're talking about a company that has dozens of employees in open-space offices all tasked with separate things. You know what happens in open-space offices ? People do not allow their computer to make sounds. They mute them because there's already enough noise what with the phone calls, the colleagues dropping by to talk and/or barging in because operational issue, not to mention the meeting down the hall with fifteen participants, all standing in the middle of a hallway.
In that kind of environment, if you want some music it is to drown out all the rest of the noise and you're going to do it with a portable music player and earphones, none of which will be attached to the "sensitive" computer.
Kind of reminds me of the spying photocopier drone story, where a drone was theoretically capable of gathering data from a photocopier - at the condition that there was no obstacle between the drone and the photocopier, that everybody at that level was drunk/stoned enough to be oblivious to the drone and that the wind was not strong enough to blow said drone away however briefly.
Sure, in your theoretical dream world, a sensitive computer could be hacked via its speakers. Just like one day you might finally get laid. Theoretically.
"...the spying photocopier drone story..."
I'm scared of the big On-Site Paper Shredding Truck that comes to shred our sensitive documents.
The big noisy machine vacuums up all the paper from the Secure Bins [speculation follows] and rapidly scans or photographs both sides of each and every page on the way by (rapidly filling up a 1TB drive),[speculation ends], and then shreds the papers to confetti.
And they get paid for it.
It's funny how people think that speakers are used to listen to music only.... audio is far more than iTunes, Spotify or stolen MP3s from PirateBay. Maybe a sensitive machine is used for sensitive communications? Or to display sensitive audio/video files?
OK. I don't see many airgapped machines, even when you'd want one. When I do see one, it's never in a convenient open place where you would be able to have lots of other machines around to act as bugs. But most importantly, it doesn't have any useful purpose for which you would need audio input or output. If you do have any, it's using any internal speaker the machine has, which, as the article states, is actively powered. The reason for this: the machine doesn't have any audio to play. You can't put music on it because it's airgapped. So how about we just put in the CD that our prospective user was going to listen to, but instead of an audio CD we just put in a blank one and burn some data onto that. It'll be a lot faster. If you have an airgapped machine and you're listening to music with it, you're not using it correctly. If you have another reason for audio, please enlighten me.
But in that case, wouldn't they come through a speaker, rather than headphones? If you're not looking at the screen, you probably aren't tethered to the machine by a wire, either. Some desktops have a basic built-in speaker, which is powered so not a vector, and that would be fine for the alert chimes. If it didn't, most IT offices I've seen have a collection of cheap speakers that are also usually powered, which are attached to computers that don't have a built-in speaker but need audio output. That also requires you to care about the chimes, which can be useful every once in a while, but not all the time.
Next they will tell us that a device placed near a network cable will detect electromagnetic impulses through the cable and can expose the data.
Just as it has been shown that by scraping off the outer coating, fibre optic cable can be spied upon without breaking into the fibre itself.
Definition: an air-gap is 'between the ears', it reflects naivety in thinking anything electronic is safe in any way at all.
...that has been air gapped, why not just plant a listening device on it, or in the same room? Seems far easier. And since no one saw you, and you defeated all the intruder alarms, why not just sit there and listen because you're probably invisible?
"P.S. as kids a mate and me used to use speakers as microphones in an intercom we built."
As kids me and a mate had a Philips Electronic Engineer kit to do exactly that, and quite a few other things too.
Back in the days when AC126 and AC128 didn't primarily signify two anonymous Register Commentards.
Airgapping? Why don't I like the sound of that as a countermeasure to this threat allegation? Try this compact portable hard-to-detect device as a trustworthy countermeasure instead:
Or maybe just use DevoPS. It cures everything, just like electricity cured everything for the Victorian merchants of snake oil.
In my experience 'air-gapped' also means in a secure room with no other computers. Often with thick and very solid walls and no windows.
But then I may have strange experiences, such as being told in 1985 that computer-to-computer communications using ultrasound and single speaker/microphones was not sufficiently difficult to choose as an HND IT project at Leicester Poly. And yet people publish this tripe now for degrees! And they say that degrees are not being dumbed down!
Think there is an error in the article; no way you are getting electric field coupling through a Faraday cage. Magnetic? Yes. With effort and short range. I'm too lazy to check the research myself, but there you go.
Grumbles something about magnetic coupling from fluorescent light ballasts into instrumentation inside Faraday cage... Screwed up measurements... Perfectly working product stuck in test past deadline fixing what wasn't broke... Feelings of rage... WTF do we have these stupid screw looking bulbs anyways?
I can see that you could have a secure room with two PCs, one connected to the development system and the other connected to the live system. This would allow you to cross check code, log files and the like without having more than an eyeball connecting the two systems. You could test to replicate a fault. You could also have a management centre where secure networks at different levels of security all have a terminal in the same room. Air gapped, but joined in meatspace.
I can even see that you might be using a standard build of PC to reduce unknowns, and that the secure systems might need audio capability.
However infecting both PCs with cooperating malware might be a bit of a stretch. Not impossible for an insider to conceal the code on development so that it is eventually shipped as live but very unlikely with code reviews. The software would also have to be permanently active to be able to work on the rare occasions that the secure room was in use. Even then you still have to exfiltrate the data from the less secure system. This also assumes that the bad actor doesn’t have access to the secure terminal.
So this falls firmly into "am I paranoid enough" territory.
One more thing to consider when trying to prevent the "one in a million" chance.
Could make a good film script, perhaps.
The major stumbling blocks are you need to infect the air-gapped system first, it needs to be close enough to transmit to an un-airgapped and also infected device AND both need to have speakers. The utility is extremely limited.
If you are involved in state secrets, now might be the time to take a screwdriver to those audio jacks, it's not like you need them for anything anyway.
Just doing some research to demonstrate that a disaffected BOFH could modulate their flatulence, Le Pétomane style, to transmit Strap 4 information they can see on fetid air-gapped PC to a listening device in the room. The practical application is limited only by the robustness of their trousers and availability of beans in the GCHQ canteen.
We did this in the late 1980's and 1990's in various Eastern Bloc countries by putting some of the first audio compressor code into the BIOS of the old Adlib and earliest Soundblaster cards on intercepted 80286/80386 PC's made in the Eastern Bloc countries. The extra high capacity RAM (at the time!) we put in was battery backed and separated from the main PC power supply and would capture various Soviet Ministry conversations and other targeted office audio, and then use high frequency soundwaves for transfer to high-end (at the time) volatile micro-storage systems clandestinely attached to unknowingly bugged functionaries who would come near or into the offices (covered up by typical office noises) on their day to day duties. The sonic data would be captured at 8-bit to 12-bit audio at 4000 to 8000 samples per second (i.e. a really low data rate) which we would need to cleanup with high end analog processing (and some digital processing) circuits to get useable voice or teletype data which was meaningfully interpretable and actionable.
We even bugged the janitor gear with data storage gear which was used as a clandestine Dead Drop for the audio files which were typically less than one megabyte to 10 megabytes in size (that larger number was a HUGE amount of RAM in those days!) When the janitors were in the various offices under watchful eyes of their security minders, the vacuums would typically cover up the data screech tones which were just within human hearing range used as an over-the-air acoustic modem transfer that sometimes happened as fast as within 5 minutes at 9600 to 19.2k baud bit rates. We could pick up teletype/dot matrix printer output (our primary target) and short bits of audio data from over 300 offices in various ministries in multiple Soviet countries using this technique. It was the first use of Speech-to-Text Keyword recognition ever! and this was between 1986 to 1993! INGENIOUS. N'est-ce pas?
This is OLD NEWS! Decades Old!
Can anyone think of any reason to have speakers plugged into a system that's airgapped? Because I can't. This isn't really a viable a means of defeating airgap because most airgapped systems are either not going to have speakers or are going to be in server rooms where any kind of audio communication is going to be drowned out by the noise from fans and ACs.
The way things are programmed these days (promiscuous execution of anything not tied down), you could probably infiltrate malware into a PC by merely reading out its source code using your mouth.
This very comment itself will probably lock-up a fraction of the world's IT devices. Ready?
10 GOTO 10
All those people who think an air-gapped machine would only be found in this environment for those reasons.
I've been into plenty of places with air-gapped machines in environments so loud the speakers were turned up full whack so that the occasional 'bing' might be heard over all the noise on the factory floor.
They were cheap, nasty laptops with passive speakers and everything from DOS to WinXP as recently as only four years ago - and they almost certainly still run DOS/XP.
Why were they running DOS/XP? Because the CAD/control software used to control the machines on the factory floor was that old and that bespoke and wouldn't run on anything later than that.
Why were they air-gapped? Because the Sysadmins and Network Managers refused to allow them anywhere near the network.
Why weren't they replaced? Because the downtime required to test new solutions on the floor would have put them out of business.
Why would anyone want to engage in corporate espionage there? because these are the leaders in their fields, with blueprints worth millions on those very laptops.
How would you do it? By paying someone who already works there and has every reason to spend time near the machine enough money to tempt them to do exactly that for you.
This is, of course, the real world I'm talking about here, not some theoretical reality in which the oldest machine in use was bought last week and runs Win 10-point-two-seconds-ago and the only place people use tech is where some of the cosseted commentards here think it ought to be used because they wouldn't use it anywhere else themselves or work for a business that manufactures physical objects rather than software solutions to problems nobody actually has but might make a great IPO if they can get some VCs to invest first.
That doesn't really make a case for this article. The computers you mention might be vulnerable to the attack, but the ability for that to work is somewhat questionable, given that said machines would be in a noisy manufacturing area, where interference would be severe. That also presumes that there is another networked machine in close proximity to receive and transmit the data.
However, the more important point is that you don't need this exotic exploit to steal the data from these machines. You need physical access to get the malware onto the machines. Unless they have a really nice tiny code file that you can type in quickly without attracting attention, you need a disk to put the malware on the machine. Anyone with access and a disk could just copy the sensitive data onto that disk and walk off with it. If you want malware that is capable of staying for a while and sending new data, you are already putting things at risk, but certain types of radio emission would be superior. If those XP laptops have WiFi or bluetooth chips (I know, turned off, doesn't matter), malware using those will be easier to write and more resilient in the longterm. Still, if you have physical access, but just right now and you won't have it again, it might be better to try to access the storage of these valuable documents outside the manufacturing facility. I assume these files are stored on design machines that are newer or at least have a backup. If not, the company is asking for disaster. If so, I might be better served going after that.
Heh, you're assuming that the companies in question were run in a manner that left me thinking anything other than "HOW are you even still in business let alone leaders in your field?"
What I also wonder is what they're gonna do when machines capable of running the necessary OS are no longer available. Try even emulating the VL-Bus of a 486 some time and see how far you get - it'll happen to DOS and even XP eventually. Then they'll be screwed because there was no investment in new software solutions; the hardware was too old, no-one (not even the original manufacturer of that hardware) had the protocols anywhere sensible, if at all - there's no way they're getting away without retooling the plant.
Is the approach optimal? I don't know - I'm sure there are cases and situations nobody here has encountered that might make it so. Might someone have time to plug a USB key into a laptop briefly, upload an exploit but not be able to risk being there long enough to download all the data as well? Yes. Might they then use a mobile phone/tablet/whatever to exploit it via the speakers? They might. They might not even be interested in stealing information but simply subtly sabotaging the system (or things it's attached to) in some way so as to give someone else a competitive edge or to simply hinder the progress of the victim/target. There are various possible scenarios. Are some/all of them edge cases? Maybe/Yes, but that's not the point - if you're the one who stands to benefit in some way from it then how edge a case is doesn't concern you; it's your case and you're dealing with it in whatever way works.
My point here wasn't really about the ins and outs of the exploit but about the comments that "this is nonsense because the only place you'll see an air-gapped machine is <wherever> and the only reason for air-gapping it is <whatever> so it would never happen". They can only come from those with no/limited real world experience. We've all been guilty of it early on in our careers; when I was at university, we were given a task to code a solution to import data from one database and populate a new one with it, accounting for and handling corrupt/incomplete data and my response was irritation at being given such an unrealistic task, that I'd refuse to work with any organisation that couldn't keep on top of its data and keep it straight in the first place and anybody with their head screwed on would do the same as me, so the task was a complete waste of time - it would never happen. Then I went to work irl and found out how real people work there, what they really do and why.
So, maybe you're right about there being better ways to steal data but maybe not everyone wants to use the exploit to steal data any more than Stuxnet was designed to or, if they do, maybe there are some real world cases in which this is the least worst (possibly even only) way to do it. That was really my point, not how good a solution it might be compared to alternative approaches.
Biting the hand that feeds IT © 1998–2019