Physically isolating critical systems from networks and systems that are unsecured has long been used as a simple way to protect the former from unwanted intrusions and malware. But, with the advent of Stuxnet, the “air gap” measure has proven to be inadequate when motivated attackers are involved.
Quite recently, security researcher Dragos Ruiu has unnerved and intrigued the security community with claims that he has been analyzing a piece of malware that “jumps” from one computer to another in its proximity, without the two being connected in any way to each other, to a network, or the Internet.
He posited – but hasn’t yet conclusively proven – that this “badBIOS” reaches across air gaps by taking advantage of computers’ speakers and microphones, and the high-frequency transmissions that can be passed between them.
A few weeks later, a new issue of the Journal of Communications was released, containing a paper by two German researchers who have managed to create a malware prototype that uses a “covert channel of communication”, i.e. the very speakers and microphones that Ruiu believes crucial to badBIOS’ dissemination.
Speakers and microphones tick the four boxes that the researchers consider crucial to “covert” communication: they are usable as either a sending or a receiving device, are accessible to the sending or receiving process, are not yet established as a communication device (i.e. not subject to the system and network policies), and are able to support stealthy communication (and thus prevent immediate detection).
“With a covert acoustical mesh network, we can offer a whole range of covert services to the participating computing systems, including internet access via an IP proxy,” they explained. “In the considered scenario, we are able to show that even high-assurance computing systems can be exploited to participate in a covert acoustical mesh network and secretly leak critical data to the outside world.”
They did so by implementing an adaptation of an emulation system for underwater acoustical networks from the Research Department for Underwater Acoustics and Marine Geophysics in Germany, using two laptops and a series of devices they “chained” together to transport the signal over a greater distance.
The only problem is that this channel has a very limited transmission rate, which makes it only good for relaying small-sized files – containing, for example, keystroke data or similar sensitive information – to the attacker’s computer nearby or via a local proxy server to a remote email server located anywhere in the world.
The researchers – Michael Hanspach and Michael Goetz of the Fraunhofer Institute for Communication, Information Processing, and Ergonomics – have also come up with countermeasures against this type of information leak, but to know more about it all (and in greater detail), I advise reading their paper.
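As an added illustration (not taken from the paper or from this article), here is one way a defender could check a microphone capture for frames in which an unusual share of the energy sits in the near-ultrasonic range that a speaker-to-microphone channel of this kind would rely on. The sample rate, the 18–22 kHz band, the 10% threshold and all function names are assumptions, and the input is a constructed test signal.

```python
import math

RATE = 48_000            # assumption: capture sample rate in Hz
BAND = (18_000, 22_000)  # assumption: near-ultrasonic band to watch; not a figure from the article
FRAME = 960              # 20 ms frames, so DFT bins are 50 Hz apart
THRESHOLD = 0.10         # assumption: flag frames with >10% of their energy in BAND

def goertzel_power(frame, k):
    """|X[k]|^2 of the frame's DFT at bin k, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_ratio(frame, band=BAND, rate=RATE):
    """Fraction of the frame's energy inside `band` (Parseval: sum|X|^2 = N * sum x^2)."""
    total = sum(x * x for x in frame)
    if total == 0.0:
        return 0.0
    n = len(frame)
    lo = math.ceil(band[0] * n / rate)
    hi = min(math.floor(band[1] * n / rate), (n - 1) // 2)
    in_band = sum(goertzel_power(frame, k) for k in range(lo, hi + 1))
    return 2.0 * in_band / (n * total)   # x2: a real signal mirrors each bin at -k

def scan(samples, frame_len=FRAME, threshold=THRESHOLD, rate=RATE):
    """Return (start_seconds, ratio) for every full frame whose in-band share exceeds threshold."""
    hits = []
    for start in range(0, len(samples) - frame_len + 1, frame_len):
        ratio = band_ratio(samples[start:start + frame_len], rate=rate)
        if ratio > threshold:
            hits.append((start / rate, round(ratio, 3)))
    return hits

def constructed_capture():
    """Constructed test input: 60 ms of a 440 Hz tone, with a 19 kHz tone added in the middle 20 ms."""
    out = []
    for i in range(3 * FRAME):
        t = i / RATE
        x = 0.5 * math.sin(2 * math.pi * 440 * t)
        if FRAME <= i < 2 * FRAME:
            x += 0.3 * math.sin(2 * math.pi * 19_000 * t)
        out.append(x)
    return out

if __name__ == "__main__":
    for start, ratio in scan(constructed_capture()):
        print(f"{start:.3f}s: {ratio:.0%} of frame energy is in {BAND[0]}-{BAND[1]} Hz")
```

On real captures the threshold would need tuning against the room's normal background, since some hardware and environments produce legitimate high-frequency noise.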