
Scientist-developed malware covertly jumps air gaps using inaudible sound - venomsnake
http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/
======
teraflop
Note that using ultrasound as a _communication_ mechanism, which is what's
being described here, is very different from using it as an _infection
vector_.

~~~
orblivion
In other words, the "target" computer has to be actively listening?

~~~
Zarathust
Not only that, but the listening application must have some kind of
exploitable vulnerability.

~~~
slowmover
For the purposes of this article, it is assumed the air-gapped computer is
already running the malware, having been infected by some other means (ex.
thumbdrive). The ultrasound communications provide a continuous (albeit slow)
link between two infected computers.

It would be quite impressive, though, if a vulnerability in an audio driver
allowed an uninfected computer to be infected simply by "hearing" the exploit
sound!

------
devindotcom
I love this sci-fi by way of anachronism stuff.

The transfer rate of ~20 bytes per second is tiny, but of course that tiny
amount could be the difference between two machines appearing to communicate
and not appearing to. If your network traffic is confirmed to be zero, that's
a state of confidence that's easy to take advantage of, and a deeply-rooted
bit of malware like this could strike in extremely subtle and devious ways.

~~~
TrainedMonkey
20 bits = 2 and a half bytes, and you are right that is enough.

What surprises me is how people regard this as "novel"; not too long ago
quite a few people used a "modem". That was a mythical device that used phone
networks to transmit information. Regular phones would pick that up as sound.

Sure, there are a few technical hurdles - covert communication and stringent
error correction are the most visible - but the concepts are remarkably
similar.

~~~
NovaS1X
It's surprising how many people either forget about modems or never had
internet in the days of modems. I've had numerous nerdy conversations and
theory crafting scenarios where someone will bring up the crazy idea of using
sound to transmit data. I'm just like "Yeah, we've done that already. Remember
dialup?".

~~~
gohrt
_Acoustic_ modems were obsolete by 1980.

Smartmodems of the 1980s didn't use sound to transmit data; they modulated an
electrical signal directly on the line. They were silent (except during call
setup, but that was just a "Monster Rancher" to confirm setup was proceeding
in the normal way).

Telephone handsets used data to transmit sound.

~~~
DanBC
ATM3 would leave the speaker on for the duration of the call.

------
hfsktr
"Using nothing more than the built-in microphones and speakers of standard
computers..."

Are mics common on desktops? I would like to think I'm not that out of touch.
I get that in laptops they are common.

Still pretty cool. There could be an application for this that isn't
malicious.

~~~
handsomeransoms
A little while back, somebody made a cool demo of ultrasonic networking (using
HTML5 Web Audio!)

[http://smus.com/ultrasonic-networking/](http://smus.com/ultrasonic-networking/)

~~~
jared314
[https://news.ycombinator.com/item?id=6181627](https://news.ycombinator.com/item?id=6181627)
(3 months ago)

------
ENGNR
It's scary just how much SCADA software (electricity, water, fuel, prisons,
etc) is absolutely ridden with vulnerabilities, protected ONLY by that air
gap. Typically this internal network will be accessed by terminals sitting
immediately adjacent to terminals on the more general network (so a user can
quickly switch between them over the air gap).

They'd both need to be infected, it's true, but that is quite achievable with
USB social engineering or if an attacker can gain physical access to any of
the terminals on the network. If that were the case then an attacker could get
any information out that they wanted (flight data, prison routines, defence
asset refueling movements, even just information enumeration and
vulnerabilities in the network).

The terminal probably wouldn't have a microphone, it's true (typically very
old hardware that everyone is too scared to upgrade), but if it did it would
also give remote trigger access to abuse that infrastructure.

It's actually good information for security architects. If you can't get
approval to start using software updates, make sure your damn microphones are
turned off.

~~~
4ad
> SCADA [...] is absolutely ridden with vulnerabilities, protected ONLY by
> that air gap.

That's some wishful thinking.

------
mbq
I bet that someone capable of infecting enough offline computers to form this
sonic bridge most likely already has enough options to transfer data and
commands in a way simpler and more reliable way.

------
keithpeter
OK, so on a (hypothetical) air-gapped laptop you just Blu-Tack the microphone
port and stick a jack in the headphone output. Then for complete tin-foil
control, you just open up the case and disconnect the speaker cables.

------
adsr
I wonder how practical this would be in reality; the frequency response of a
typical built-in PC speaker and microphone should be severely limited. And in
addition to this there would probably also be quite a big problem with
background noise, which would get worse as the distance between the machines
gets larger. I guess you could use error correction and handshakes to
retransmit corrupted data, but that would limit the transmission speed even
further.

------
bane
So how would this tolerate an environment with lots of white-noise generators?

~~~
mbell
Most 'white noise generators' aren't producing white noise. White noise has
equal power in each linear band, e.g. 100Hz to 120Hz would have the same
spectral power as 19,000Hz to 19,020Hz. Humans hear in a logarithmic fashion,
so real white noise is actually incredibly annoying to listen to. To the ear
it has a lot of high frequency content in it; it sounds like a high frequency
fuzz.

Most 'white noise generators' are really outputting some sort of spectrally
shaped pseudo-random noise, e.g. sound masking systems in offices closely
follow the response curve of the human voice and output basically nothing
under 200Hz nor over 7kHz. Even if playing pure 'pink noise', which is
logarithmically flat and thus much more reasonable to listen to, there would
be very little power in the band the authors of the paper are using (17kHz to
20kHz). I would also doubt that many white noise generator products are
capable of producing usable output at those frequencies in the first place.
Most laptop speakers probably can as a result of their size and design. 'White
noise generators' should be targeting low end extension over high frequency
output and I doubt many have multiple drivers per channel to accomplish both
goals. Given all this, I highly doubt off the shelf 'white noise generator'
products would have much effect on this communication method.

There are ultrasonic 'blasters', for lack of a better term, that may work. I
know some convenience stores mount them outside the store in order to deter
younger folks loitering outside. As you age, the limits of your high frequency
hearing are reduced in a fairly predictable way; e.g. at age 15 you may be
able to hear up to 22kHz, at 35 you may only be able to hear up to 18kHz. If
you want to drive away younger people, blast out noise in the 19kHz to 22kHz
range; it's really annoying to listen to and older folks won't even notice it.
A similar thing may work to deter this communication channel, as long as you
don't have too many young people around, or older folks with exceptional
hearing range for their age.

~~~
bane
Thanks for the great comment!

Anybody interested in the noise colors might take an interest in

[http://playnoise.com/](http://playnoise.com/) (hint, hit more and enable
stereo, I find that much more interesting for some reason).

Also
[http://en.wikipedia.org/wiki/Colors_of_noise](http://en.wikipedia.org/wiki/Colors_of_noise)

~~~
mbell
> (hint, hit more and enable stereo, I find that much more interesting for
> some reason)

I haven't played with this site in particular, but they are probably using
incoherent sources for each channel, i.e. using two separate random noise
generators that aren't working off the same seed value. Even though the
spectral content of each channel may be the same, it's not the same at any
instant, which causes your brain to get a bit 'lost'; it doesn't sound like a
point source anymore but instead just a 'room filling' sound that you can't
pinpoint. The same principle (in a more targeted manner) is used in mixing
stereo music to create a 'sound stage'; usually only the voice mix is actually
identical in both channels even though you can hear the guitar in each channel
independently.

------
JackFr
Keep your headphones plugged in.

BAM!

Solved!

~~~
privong
This just shows my ignorance with regard to this topic, but is the speaker
cutoff from plugging in headphones always a hardware switch? I.e., can
software override it and direct sound to the speakers even if one has
headphones plugged in?

Of course, if one were playing music or something, it would be obvious that
the switch had been circumvented.

~~~
JackFr
I honestly have no idea. My response was meant to be tongue-in-cheek, but
whoever downvoted me seems to have missed my subtle sense of humor.

~~~
scott_s
They may have gotten it, but thought it was not funny.

------
antocv
What else would you exfiltrate/steal besides passphrases and private keys?
Serial numbers/IPs/hostnames of any discovered devices on the air-gapped
network?

Send to the air-gapped computer(s) software updates and new commands to run?
20 bytes per second is enough for that, or is it bits? A shellcode is about
40 bytes or less.

I guess if you want to guard against this the reasonable thing to do would be
to physically take out the mic and speakers of any to-be-secure-computers. Or
have one computer listen in on these high frequencies on the perimeter or
whatever. Would be interesting to discover chats.
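
The "have one computer listen in on these high frequencies" idea above, as an added example that is not code from the thread or from the paper: a pure-Python monitor that flags sustained energy in the 17-20 kHz band mbell mentions. The sample rate, frame length, dB threshold and the constructed test tones are all assumptions.

```python
import math

RATE = 44_100                # Hz; Nyquist is 22.05 kHz, so 17-20 kHz is observable
BAND = (17_000.0, 20_000.0)  # near-ultrasonic band discussed in the thread
FRAME = 4_410                # 100 ms frames -> 10 Hz bin spacing

def goertzel_power(samples, freq, rate):
    """Normalised power at `freq` (Goertzel); a pure sine of amplitude A gives A^2/4."""
    n = len(samples)
    k = round(n * freq / rate)                      # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1            # second-order IIR recurrence
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)

def band_power_db(frame, rate=RATE, lo=BAND[0], hi=BAND[1], step=250.0):
    """Total power in [lo, hi], sampled every `step` Hz, in dB relative to full scale."""
    if rate < 2 * hi:
        raise ValueError("sample rate too low to observe the band")  # aliasing guard
    f, total = lo, 0.0
    while f <= hi + 1e-9:
        total += goertzel_power(frame, f, rate)
        f += step
    return 10.0 * math.log10(total + 1e-12)

def suspicious(samples, threshold_db=-50.0, min_fraction=0.5):
    """True when at least `min_fraction` of the 100 ms frames exceed the band threshold."""
    frames = [samples[i:i + FRAME] for i in range(0, len(samples) - FRAME + 1, FRAME)]
    if not frames:
        return False
    hot = sum(1 for fr in frames if band_power_db(fr) > threshold_db)
    return hot / len(frames) >= min_fraction      # sustained, not a one-off click

# Constructed test audio (synthetic, not a real recording):
def tone(freq, amp, seconds=1.0, rate=RATE):
    return [amp * math.sin(2 * math.pi * freq * i / rate) for i in range(int(seconds * rate))]

def mix(*signals):
    return [sum(v) for v in zip(*signals)]

QUIET_ROOM = tone(600.0, 0.5)                                 # only audible content
WITH_CARRIER = mix(tone(600.0, 0.5), tone(18_500.0, 0.02))    # plus a quiet 18.5 kHz tone

if __name__ == "__main__":
    print("quiet room flagged:", suspicious(QUIET_ROOM))
    print("with carrier flagged:", suspicious(WITH_CARRIER))
```

On real hardware the threshold should be set from a baseline recording of the room, since fans and switching supplies also leave energy near 20 kHz.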

~~~
pavel_lishin
You could also broadcast noise in those frequencies at a loud enough volume to
block any signal.

~~~
Flakes000
True. I tried that last month, it works.

