Hear that? It's the sound of BadBIOS wannabe chatting over air gaps

Computer scientists have brewed up prototype malware that's capable of communicating across air gaps using inaudible sounds. The mesh network capable of covertly communicating without wireless or wired connections was developed by Michael Hanspach and Michael Goetz. It borrows its founding principles from established systems …

COMMENTS

This topic is closed for new posts.
  1. Mudslinger

    Bandwidth?

    So now our PCs are going to be talking to each other by acoustic coupler. Really?

    That's some pretty sophisticated malware that can break the laws of physics.

    1. swissrobin

      Re: Bandwidth?

      I understand that a clean PC won't be able to get a virus by acoustic network. It's obvious that the computers can talk to each other using speakers/microphones.

      I must be misunderstanding your "laws of physics" point - can you elaborate?

      1. Mudslinger

        Re: Bandwidth?

        Maybe laws of physics was an inappropriate shorthand - but where are these PCs going to be that they can communicate at any sensible speed over all the background noise (audible or not)?

        Let's assume the hardware (speakers and mics) can handle audio at 100kHz. Bear in mind that they probably aren't designed for >15kHz.

        How long to transfer 1Mb?

        1. Anonymous Coward

          Re: Bandwidth?

          The question is "how much damage can you imagine from even small pieces of data?" - think passwords, private keys, rotor speeds for centrifuge arrays...

        2. Adam Foxton

          Re: Bandwidth?

          It's in the article. 2 characters per second. So 1Mbyte would be 500,000 seconds, or a hair over 5 days.

          Subsea acoustic couplers hit nearer 6k/s, so there's a lot of room for improvement and if the researchers passed the data through desk/floor/desk they could have a much better, though more environment-dependent, coupling. So there's scope to drop this transfer time or increase its range.

          And a PIN number is 4 numbers, between 0000 and 9999 so could fit into 2 bytes with plenty room to spare.

          1. Fred Flintstone Gold badge

            Re: Bandwidth?

            It's not just bandwidth - it's also about

            1 - remaining audibly undetected.

            2 - being able to RELIABLY receive that data (remember, adding an ACK in this process will cut your available bandwidth again).

            3 - being able to discriminate the relevant sounds from all the environmental noise.

            4 - do this in code that remains undetected in size and resource drain

            5 - being able to infect another machine from cold with this.

            Sorry, I'm not buying it. I didn't the first time, and I don't buy this one either. Not even in a (vewwy, vewwy quiet) lab.

        3. Shaha Alam

          Re: Bandwidth?

          $kill_all_monsters=1

          only needed 1 bit of data to kick off that process.

  2. jake Silver badge

    Bullshit.

    Don't tell me. Demonstrate.

    1. Anonymous Coward

      Re: Bullshit.

      They did:

      http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf

      All nicely hands-on:

      For the experimental setup we are using five laptops (model: Lenovo T400) as the mesh network participants. As operating system for each node, we installed Debian 7.1 (Wheezy) on each laptop. All experiments were performed at FKIE, building 3, and without any acoustical preparations made.

      ...

      From the recorded frequency range it can be discovered that we are able to process frequencies in the low ultrasonic range around 20,000 Hz. Previously performed tests with a Lenovo T410 Laptop featuring the Conexant 20585 audio codec (with 192 kHz DAC / 96 kHz ADC) [12] have shown very similar results. The results lead us to the conclusion that ultrasonic or near ultrasonic communication with computing systems of the Lenovo T400 series is possible.

      1. Tom 7

        Re: Bullshit.

        I've just played 20kHz sine at full volume into my laptop speakers - right next to the microphone and the microphone picked up nothing. A condenser microphone picked up the birds the other side of the double glazing but not the speakers. Plugged in the headphones which are rated to 20kHz and next to the condenser microphone the birds still outdid it, breathing in the same room swamped the lot.

        1. Anonymous Coward

          Re: Bullshit.

          > Plugged in the headphones which are rated to 20kHz and next to the condenser microphone the birds still outdid it, breathing in the same room swamped the lot.

          Digital modes like ALE and WSPR work well below the noise threshold that one can hear tuning a radio into one of those transmissions, so it's feasible that a signal can be heard by machine and not be easily detectable by a human.

          It's also quite possible that the 20kHz rating is not completely genuine, either for the headphones or the microphone.

      2. tom dial Silver badge

        Re: Bullshit.

        How was the communication software installed on the systems? On its face some type of physical access would be needed on at least some of the communicating machines.

        This idea seems to have marginal utility in that once the appropriate software is installed on both the isolated network and a nearby internet connected one, there would be potential for inbound control and outbound data transfer. The obvious countermeasure, in addition to removing or disabling audio input on the airgapped machines, would be to remove internet connected machines from the immediate area. I seem to recall that high audio frequencies don't turn corners very well and probably don't go through closed doors without serious attenuation.

        This seems an interesting oddity but probably not very useful in practice.

  3. MacroRodent
    Boffin

    Acoustic malware

    Having co-operating computers (where "co-operating" can mean infected with compatible malware) communicate acoustically is not surprising at all. After all, old acoustic coupling modems used to do this.

    But I just do not believe malware could infect a computer that way.

    Of course in theory the sound device driver is so buggy it overwrites buffers while receiving data from the D/A converter connected to the microphone, but such a driver would quickly crash the computer even without hearing any malignant sounds! It would also be impossible for the malignant sound to be controlled so precisely that the resulting digitized data would form a working program.

    1. Jim 59

      Re: Acoustic malware

      The air-gap thing is fascinating but requires both systems to be already compromised, in which case the black hat can already transmit data over the wire. Did I miss something ?

    2. Tom 13

      Re: I just do not believe malware could infect a computer that way.

      Yep.

      Especially since none of my desktops have microphones.

      How come I can never find the link to the obligatory Bloom County cartoon for these things. You know, the one that ends with the teacher proclaiming "But Oliver, gerbils don't like peanut butter." and Oliver thinking to himself "Another beautiful theory slain by an ugly fact." I think he'd just worked out a formula for nearly limitless, pollution free energy production.

    3. H.Winter
      Facepalm

      Re: Acoustic malware

      "It would also be impossible for the malignant sound to be controlled so precisely that the resulting digitized data would form a working program."

      Ha, reminds me of a tv show where the criminal had etched markings into some bones, then when the bones were photographed and loaded onto the computer, they got a virus.

      Aha, found it: http://www.liveleak.com/view?i=e27_1327440153

  4. Wupspups
    Facepalm

    Easy to stop

    Remove the microphone and/or speakers.

    1. Stoneshop
      FAIL

      Not that easy to stop

      I don't see the average user opening his/her laptop to try find the connectors for the builtin speakers and mic, which they might also want to use for their indented porpoises; even more so if it's an Apple.

      1. AndyS

        Re: Not that easy to stop

        But an attack of this sort wouldn't be aimed at the average user - hence all the talk of military, power stations etc in the article. It would be aimed at highly secured, air-gapped systems.

        The administrators of those systems would have no trouble at all disabling the microphone/speakers, so I'm not sure why the obvious conclusion isn't just to remove them. Are they likely to be regularly used in these sorts of environments?

      2. tom dial Silver badge

        Re: Not that easy to stop

        I wonder if a small strip of duct tape over the microphone opening would do the trick.

    2. Anonymous Coward

      Re: Easy to stop

      Ha, the next version will use your 3d printer to create the microphone and speakers it needs.

  5. Anonymous Coward

    Meh...

    Non event. Clever but easily circumvented by unplugging or disabling the microphone, muting the sound or turning it off.....

    1. Stoneshop
      FAIL

      Re: Meh...

      I don't see unplugging the speakers and mics happening with laptops, let alone tablets, and if you disable them in software, then the malware can just as easily re-enable them.

      1. Putters

        Re: Meh...

        Given the nature of the systems that they were talking about - and the likelihood that they would be some kind of warning system, turning off the Bing on the Box That Goes Bing just might not be the greatest idea ...

    2. Anonymous Coward

      Re: Meh...

      That's being wise after the fact - I wouldn't dismiss the Black Death as a non-event because it's easily circumvented by improved sanitation, nutrition, and medical practice. The question is whether people running air-gapped systems thought to do this for the preceding N years. And as for simply muting the sound - since it's ultrasonic and produced by low-level software you wouldn't trust anything less than snipping the wire to the speaker (unless it's a surface-mounted device in a laptop. Then I guess you carefully drive pins into it until it seems to have stopped making useful noises and hope you don't knacker anything fragile behind it)

      1. Anonymous Coward

        Re: Meh...

        "Then I guess you carefully drive pins into it until it seems to have stopped making useful noises and hope you don't knacker anything fragile behind it)"

        If you've gone to the trouble of air gapping your systems, then getting a tech to desolder a PCB mount speaker is not going to be a big hairy deal, IMHO.

        And most PCB mount speakers are in small cans with an opening at the top, and simply sticking a bit of electrical tape across the aperture would get you 10-20 dB of attenuation at a guess, and something like a foam sticky probably around 30 dB or more. I'd like to see them demonstrate a PC to PC audio link with 20 dB silencing on the target system.

  6. Anonymous Coward

    Obvious

    1. Get a sample of the infection

    2. buy a dog with upright ears (beware see note on Border Collie)

    3. train it to detect the high frequency chatter

    4. rent it out as an antivirus hound.

    5. Profit

    Note 1

    Border Collies - sufficiently intelligent you might end up working for them, that's a summer I'll never get back.

  7. John Tserkezis

    I don't see how it could work. And no, a PDF doesn't cut it, I want a real-life demo.

    I've played with acoustic coupling of various types over the years, along with analogue data recordings, and all of them, bar none, were so flakey I would cheer with joy if it actually worked at all.

    And these guys expect me to believe they have it working over 20 metres? Yeah right. I want a real-life demo.

    1. Anonymous Coward

      "I've played with acoustic coupling of various types over the years, along with analogue data recordings, and all of them, bar none, were so flakey I would cheer with joy if it actually worked at all."

      You don't remember those crappy audio couplers used to link computers over landlines back in the days before time, then?

      1. Darryl

        Those crappy audio couplers used to link computers over landlines were also loud, much lower frequency, and speaking directly to each other over a telephone line. A lot harder to do in ultra high frequencies (so people can't hear) across a room full of noises.

    2. Adam Foxton

      Example?

      http://www.sonardyne.com/products/subsea-wireless-communications.html

      It's subsea but orders of magnitude faster and with kilometer ranges. It also deals with all the noise and interference you get subsea - and with a few-km range that's a LOT of noise.

      Getting it working in air is impressive but I wouldn't imagine ground-breaking. Just good old-fashioned engineering-around-a-problem.

      1. Anonymous Coward

        Re: Example?

        > It's subsea but orders of magnitude faster and with kilometer ranges. It also deals with all the noise and interference you get subsea - and with a few-km range that's a LOT of noise.

        And just how much code and processing is required to make that work? Remember - we're trying to do this unnoticed..

  8. Jason Togneri

    Missing the point of the article

    Do any of the Reg commentards actually ever read the articles they're vomiting over?

    It said nothing about infecting machines via sound. It did, however, mention using them as an ad-hoc network - if you manage to infect a closed and secure network via a non-networked medium (USB, for example), you would still need to get that USB stick and its data into an outward-facing machine so that it could be sent on its way home. Let's say that the user is sufficiently well trained that he doesn't use the same USB stick between his work and home computers, but that his home computer is already infected. The two machines are never on the same LAN and they don't share USB. The virus can still transmit its data package nonetheless, so long as both machines are infected with compatible viruses and within 'hearing' distance of each other - thus opening up a new vector for data transmission. Sure, it's early days, but now you need to only infect two machines separately and just have them within the same physical space, rather than infecting them *AND* making sure they're both on the same network or sharing USB or whatever, and so on. There is a lot of potential there.

    1. Anonymous Coward

      Re: Missing the point of the article

      "There is a lot of potential there."

      No there is some very small potential. If you're a paranoid Iranian IT tech, then you've perhaps got cause to worry, but for the rest of the world I doubt it. For starters the physical security of the air-gapped systems needs to be breached to get the devices in proximity. If air gap security is done properly then external electronic devices don't get carried on site. So that's mobiles (which could be used in lieu of an infected laptop), laptops, MP3 players, tablets, smart watches, Googoggles, arguably even stuff like portable satnavs.

      I would have expected that sensitive sites already ban their staff from bringing portable electronic equipment on site - not purely because they don't trust the staff (that being a separate issue), but simply to avoid mistakes and unknown-to-the-vector attacks.

  9. TJ1
    Alert

    Even easier to stop...

    ... plug in headphones!

    It's an intriguing attack scenario though.

    Instinctive reaction to the "infection over ultra-sonic" is "Impossible, system needs infecting by some other method before communication can begin".

    But, in light of some of the recent public revelations from the Snowden documents, I don't think we need to be wearing tin-foil hats to imagine it possible that one or more of the (few) modular BIOS/Firmware makers could have been internally compromised in order to insert a small additional acoustic coupling module into their standard images.

    Alternatively, the BIOS/Firmware USB modules may have one or more buffer overflow flaws that allows an inserted-at-boot-time USB flash device that has malicious reprogrammed firmware to insert a payload into the BIOS/Firmware module chain.

    It would be easier to believe Dragos Ruiu's claims of infection if he published the make/model of the PCs he claims have been infected, and released copies (or SHA checksums) of the BIOS/EFI images so that others can compare against other identical hardware. All I can find are now-extinct file-locker style links, and reports that the images he did release were edited by some mysterious entity whilst on the public servers to remove the root-kit evidence, which doesn't give much confidence in the claims being verifiable.

    1. Anonymous Coward

      Re: Even easier to stop...

      Headphone jacks don't always have a physical interlock - as I've found to my peril a couple of times, when I've fired up some sweet sweet sounds on my noise-cancelling headphones to retreat into undisturbed productivity, only to have agitated coworkers inform me (by throwing things) that the main speakers were also running. And it really was a software issue - mute/unmute fixed it: my wild-ass guess is that rather than have a physical switch on the jack the sound system uses the impedance/current on it as the control, so saving a cent or two.

      (this is among many good reasons not to watch porn at work)

    2. Dave 126 Silver badge

      Re: Even easier to stop...

      >It would be easier to believe Dragos Ruiu's claims of infection if he published the make/model of the PCs he claims have been infected,

      "The researcher reports that the BIOS malware on a Dell Alienware, Thinkpads and Sony laptops is encountered. MacBooks could also have become infected as possible, but that's not confirmed yet. The malware uses DHCP options encrypted to communicate. Attackers On the basis of the tweets shows that the investigation of the malware is still in full swing. Security.NL Ruiu has asked for more information. We will let you know. Soon as more details are known"

      - https://www.security.nl/posting/366329/Onderzoeker+ontdekt+mysterieuze+BIOS-malware

      I'm not supporting his claims, just reposting some info about the machines he's used.

  10. RyokuMas
    IT Angle

    Still don't get all the fuss on this.

    Okay, so it's proved possible to transmit data via sound inaudible to the human ear. But as a virus-carrying medium...? Really???

    What so many seem to have not taken into account in this is that even if one computer was broadcasting these sounds and there were other computers "in range" with microphones equipped and switched on, they would still need software to decode the sound! Okay, so it may be, just may be possible to directly write data into a target machine by causing vibrations that trigger induction and introduce the data, but the odds on getting anything remotely resembling executable code this way that will run regardless of the target machine's make, model, component set, location, etc., etc...?

    Good to prove the concept, but the idea that this could be used to spread viruses is absurd, and pure click-bait.

    1. Dave 126 Silver badge

      Re: Still don't get all the fuss on this.

      > But as a virus-carrying medium...? Really???

      >the idea that this could be used to spread viruses is absurd, and pure click-bait.

      The article doesn't say that! Read it again.

      It is not a virus-carrying medium.

      All the researchers are showing is a method that a previously infected machine can use to communicate with other infected machines, so that small data such as passwords etc can be 'sent home' after the original attack vector is no longer available to it.

    2. Anonymous Coward

      Re: Still don't get all the fuss on this.

      It'd have to be listening, in the same way that you have to read the article.

      They didn't say you could infect a machine with it, just that you could transfer data/commands across an acoustic network between two infected machines.

  11. Anonymous Coward
    Megaphone

    Curious

    Onboard speakers are often a Piezo element, which can also work as a microphone (assuming circuitry).

    They may not have good human audio frequency response but for this use, that would be a bonus.

    It might be interesting to see the frequency tailored to those piezo elements used in specific brands/models or to the resonant frequency of the case/cavity. There is also the assumption of duplex, simplex would work if lower the throughput.

    What next, looking closely at those extra bright, blue leds flashing through the office at night?

  12. Arthur the cat Silver badge
    Alien

    Gaps

    Looks like people who want seriously secure systems are going to have to replace air gaps with vacuum gaps. I can just see the job adverts: wanted, sysadmins. Must be familiar with Linux and Orlan Ms.

    1. Anonymous Coward

      Re: Gaps

      Vacuum, Faraday Cage, light tight, magnetically shielded, vibration resistant.

      Sysadmin wanted - must be physically undetectable.

      Actually that has just given me an idea for a government contract, could be a nice earner.

      “Doing my job!” “of course I'm doing my job, if you could see me at work I'd obviously be failing!”

      1. Shaha Alam

        Re: Gaps

        in the most secure environments, it might be time to just get rid of the computers and replace with humans whispering secrets to each other.

        psss psss The Chinese have moved into position. shhh.

        psss psss The Chin azimove to solution. shhh.

        psss psss Sitchin whose muse the station. shhh.

        1. Anonymous Coward
          Coat

          Re: Gaps

          > in the most secure environments, it might be time to just get rid of the computers and replace with humans whispering secrets to each other.

          You mean the old "Send re-inforcements we're going to advance!" which gets back to HQ as "Send 3 and 4 pence, we're going to a dance!"?

          As for vacuum gaps? That'd just suck.

    2. Darryl

      Re: Gaps

      Vacuum gaps?

      Wanted, sysadmins. Must be able to hold breath for long periods of time

  13. Aitor 1

    Problem

    The problem, as I see it, is that even IF the air gapped systems are compromised, no data can get out, as they are air gapped.

    BUT if you also compromise, say the Mobile of one administrator, you might use that to recover data/control the compromised computers.

    20 bps for 4 hours is not a big amount.. but still around 36KiB.. you can get info about the files, pwds etc you want, and over a month or so get critical data.

  14. Anonymous Coward

    No industry experience

    While the concept is interesting it is obvious that the researchers have no industrial experience at all.

    You do not use laptops to control industrial machinery and in almost all cases there are no microphones plugged in - there is the odd exception where you are doing sound analysis but that has other constraints regarding OS and software used.

    Since this is touted as something that can cross the air gap in industrial situations the researchers need to work in the industrial situations before going off half cocked like script kiddies. Industry uses laptops only in the front office NOT out on the shop floor where the actual work is done.

    When they have found a way of turning things like power supply transformers into acoustic transducers for both transmission and reception of ultra sound they might have something to shout about, until then it is an interesting toy.

  15. Truth4u

    soft modem

    very clever. Of course I thought of this years ago but I wasn't going to use it for evil. I'm just too nice.

  16. Spoonsinger
    Windows

    These scientists need to do more research into 7Hz communications.

    (With the features outlined in Borland Turbo C++ manual)

  17. DrXym

    Seems like an interesting but limited threat

    Most office computers don't even come with speakers, let alone a microphone.

    So even if two infected machines could talk over an airgap it wouldn't do much in that scenario. Chances are they wouldn't bother trying since most machines would be networked together in the first place.

  18. Destroy All Monsters Silver badge

    Easy to defend against

    1) Don't USB plug the machine on the other side of the airgap in the first place

    2) Helen Keller mode switch

    3) White noise fun in the machine room

  19. btrower

    Tragically funny

    All of us receive security updates constantly. Why? Because yet another attack vector was exploited and our security people deal with security one patch at a time.

    By their nature, security breaches happen along pathways that are 'improbable'. The fact that so many commentards cannot see why this is actually important to security makes me wonder.

    Do the math. The ones who know what they are talking about have pricked up their ears because this is yet one more pathway that *has not been shut down* that needs to be shut down. The ones saying that this cannot be a problem and therefore we should not research and seal the breach will spend the rest of their days constantly being surprised by the ordinary.

  20. Irongut

    Dubbed SuperVirus,

    the mythical rootkit can supposedly leap tall buildings in a single bound, screw your wife, and even survive nuking from orbit.

    Back here in the real world I say show me the proof. A virus with seemingly super hero powers that only one so called security researcher has ever seen? Pull the other one, it has bells on.

  21. VeganVegan

    Powerline communication?

    Unless an isolated (air gapped, light and EM tight) room has its own fuel dump & generator, there is that electrical cable leading out of it.

    Ethernet over powerline?

    1. Destroy All Monsters Silver badge

      Re: Powerline communication?

      I don't want to hear anymore of this, Mr. Mulder!

  22. Tromos
    Joke

    It might only be 20bps...

    ...but at least there's no throttling and usage caps.

  23. Anonymous Coward

    You could listen for it.....

    ... with a portable Bat Detector device that converts the high frequencies to audible ones?

    http://en.wikipedia.org/wiki/Bat_detector

    That's one way to monitor for anything suspicious :)
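
The bat-detector idea in the comment above, done in software as an added example (not code from the article, the paper or any commenter): it scans microphone samples for a sustained narrowband carrier around the ~20 kHz the quoted paper reports. The 48 kHz sample rate, the 18-22 kHz watch band, the thresholds, all function names and the test signal are assumptions constructed for illustration.

```python
import math
import random
import statistics

SAMPLE_RATE = 48_000        # assumed capture rate (Nyquist limit 24 kHz)
BAND_HZ = (18_000, 22_000)  # assumed watch band around the ~20 kHz in the paper
FRAME = 1024                # samples per analysis frame (about 21 ms)
RATIO_LIMIT = 50.0          # assumed peak-to-median ratio that counts as a carrier
MIN_FRAMES = 3              # ignore bursts shorter than this many frames

HANN = [0.5 - 0.5 * math.cos(2 * math.pi * n / FRAME) for n in range(FRAME)]
K_LO = math.ceil(BAND_HZ[0] * FRAME / SAMPLE_RATE)
K_HI = math.floor(BAND_HZ[1] * FRAME / SAMPLE_RATE)


def bin_power(frame, k):
    """|X[k]|^2 of one DFT bin, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def frame_score(frame):
    """Return (peak/median power ratio, peak frequency in Hz) inside the band."""
    windowed = [x * w for x, w in zip(frame, HANN)]
    powers = [bin_power(windowed, k) for k in range(K_LO, K_HI + 1)]
    peak = max(powers)
    # Broadband noise keeps peak and median close; a tone pushes them apart.
    ratio = peak / max(statistics.median(powers), 1e-12)
    peak_hz = (K_LO + powers.index(peak)) * SAMPLE_RATE / FRAME
    return ratio, peak_hz


def find_carriers(samples):
    """List (start_s, end_s, peak_hz) for sustained narrowband energy in the band."""
    events, run = [], []    # run holds (frame_index, ratio, peak_hz)
    n_frames = len(samples) // FRAME
    for i in range(n_frames + 1):       # one extra pass flushes the last run
        hit = None
        if i < n_frames:
            ratio, hz = frame_score(samples[i * FRAME:(i + 1) * FRAME])
            if ratio >= RATIO_LIMIT:
                hit = (i, ratio, hz)
        if hit:
            run.append(hit)
            continue
        if len(run) >= MIN_FRAMES:
            best = max(run, key=lambda r: r[1])
            events.append((run[0][0] * FRAME / SAMPLE_RATE,
                           (run[-1][0] + 1) * FRAME / SAMPLE_RATE, best[2]))
        run = []
    return events


def constructed_capture(with_carrier, seconds=0.3, seed=1):
    """Constructed signal: room noise plus a loud 1 kHz tone, optional 20 kHz burst."""
    rng = random.Random(seed)
    out = []
    for n in range(int(seconds * SAMPLE_RATE)):
        t = n / SAMPLE_RATE
        x = rng.gauss(0.0, 0.01) + 0.3 * math.sin(2 * math.pi * 1000 * t)
        if with_carrier and 0.10 <= t < 0.25:
            x += 0.05 * math.sin(2 * math.pi * 20_000 * t)
        out.append(x)
    return out


if __name__ == "__main__":
    for label, flag in (("clean", False), ("carrier", True)):
        print(label, find_carriers(constructed_capture(flag)))
```

The peak-to-median test is used instead of raw band energy so that loud audible sound does not mask a quiet carrier; it only sees what the capture hardware actually passes, so the band and thresholds need tuning per device.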
