New malware transmits through speakers and microphones

[rhoenix]

I'm still not sure what to make of this, but I'll pass it along regardless.

A few weeks ago, security researcher Dragos Ruiu publicly claimed that computers in his lab were being infected by some sort of stealthy over-the-air transmission method that relied on ordinary speakers and microphones to transmit the malware payload from system to system. Ruiu nicknamed this bug “badBIOS,” and research into its existence (or lack thereof) continues. Multiple security researchers have lined up on both sides of the issue.

Now, however, there’s proof that at least one key aspect of badBIOS’ supposed design isn’t science fiction. Researchers have published a paper on how malware can be designed to cross the air gap by transmitting information through speakers and recording it via microphone. An air gap is a measure that boosts the security of a system by essentially isolating it from other, less secure networks. Rather than relying on TCP-IP, the research team used a network stack originally developed for underwater communication.

The signal was propogated through the use of a software-defined modem based on the GNU Radio project. They also tested with a mini-modem, but found the software-defined modem had better range characteristics. Line-of-site transfer speeds stretched up to 19.7m, and researchers were able to ping the signal back and forth across systems, as shown below.



Granted, the data transfer speed is low (20 bits per second) and it could take up to 18 seconds to transmit data between four PCs. That’s not exactly gaming performance, but the ability to bridge an air gap could be a potent infection vector. In recent years we’ve seen some incredibly powerful, government-developed malware successfully deployed in places where security was tight — Stuxnet’s successful infection of Iranian centrifuges is just one example.

According to the scientists that tested it, the attack vector can be guarded against by implementing a bandpass filter that blocked sounds below a certain threshold. Alternately, it seems one could simply configure computers only to use headphones (without microphones attached) or by removing speakers altogether. It should be noted that while the malware is dangerous, it requires additional software (like a keylogger) to truly function well. The ability to communicate without an attached payload is of limited use, and high bit error rates and slow transmission speeds hamper any aggressive attempts to attack air-gapped computers.

The advantage of this kind of network, however, is that it transmits so little information, it’s virtually impossible to spot. A few odd sounds coming from a computer speaker at random times of day could easily be interpreted as interference from lab equipment or even from within the PC. PC speakers are frequently unshielded and can buzz or click if cell phones are activated nearby. It wouldn’t be hard to dismiss a problem as “background noise,” especially if the transmission periods could be timed to coincide with a CPU spin-up or increased fan activity. Users might decide that the noise is generated by interference when the power supply kicks into high gear, for example. Luckily, this type of malware isn’t widespread, and if you’re really worried about falling victim to it, you can simply remove your computer’s speakers or microphone.

[rhoenix]

Another article on the subject:

Computer scientists have developed a malware prototype that uses inaudible audio signals to communicate, a capability that allows the malware to covertly transmit keystrokes and other sensitive data even when infected machines have no network connection.

The proof-of-concept software—or malicious trojans that adopt the same high-frequency communication methods—could prove especially adept in penetrating highly sensitive environments that routinely place an "air gap" between computers and the outside world. Using nothing more than the built-in microphones and speakers of standard computers, the researchers were able to transmit passwords and other small amounts of data from distances of almost 65 feet. The software can transfer data at much greater distances by employing an acoustical mesh network made up of attacker-controlled devices that repeat the audio signals.

The researchers, from Germany's Fraunhofer Institute for Communication, Information Processing, and Ergonomics, recently disclosed their findings in a paper published in the Journal of Communications. It came a few weeks after a security researcher said his computers were infected with a mysterious piece of malware that used high-frequency transmissions to jump air gaps. The new research neither confirms nor disproves Dragos Ruiu's claims of the so-called badBIOS infections, but it does show that high-frequency networking is easily within the grasp of today's malware.

"In our article, we describe how the complete concept of air gaps can be considered obsolete as commonly available laptops can communicate over their internal speakers and microphones and even form a covert acoustical mesh network," one of the authors, Michael Hanspach, wrote in an e-mail. "Over this covert network, information can travel over multiple hops of infected nodes, connecting completely isolated computing systems and networks (e.g. the internet) to each other. We also propose some countermeasures against participation in a covert network."

The researchers developed several ways to use inaudible sounds to transmit data between two Lenovo T400 laptops using only their built-in microphones and speakers. The most effective technique relied on software originally developed to acoustically transmit data under water. Created by the Research Department for Underwater Acoustics and Geophysics in Germany, the so-called adaptive communication system (ACS) modem was able to transmit data between laptops as much as 19.7 meters (64.6 feet) apart. By chaining additional devices that pick up the signal and repeat it to other nearby devices, the mesh network can overcome much greater distances.

The ACS modem provided better reliability than other techniques that were also able to use only the laptops' speakers and microphones to communicate. Still, it came with one significant drawback—a transmission rate of about 20 bits per second, a tiny fraction of standard network connections. The paltry bandwidth forecloses the ability of transmitting video or any other kinds of data with large file sizes. The researchers said attackers could overcome that shortcoming by equipping the trojan with functions that transmit only certain types of data, such as login credentials captured from a keylogger or a memory dumper.

"This small bandwidth might actually be enough to transfer critical information (such as keystrokes)," Hanspach wrote. "You don't even have to think about all keystrokes. If you have a keylogger that is able to recognize authentication materials, it may only occasionally forward these detected passwords over the network, leading to a very stealthy state of the network. And you could forward any small-sized information such as private encryption keys or maybe malicious commands to an infected piece of construction."

Remember Flame?

The hurdles of implementing covert acoustical networking are high enough that few malware developers are likely to add it to their offerings anytime soon. Still, the requirements are modest when measured against the capabilities of Stuxnet, Flame, and other state-sponsored malware discovered in the past 18 months. And that means that engineers in military organizations, nuclear power plants, and other truly high-security environments should no longer assume that computers isolated from an Ethernet or Wi-Fi connection are off limits.

The research paper suggests several countermeasures that potential targets can adopt. One approach is simply switching off audio input and output devices, although few hardware designs available today make this most obvious countermeasure easy. A second approach is to employ audio filtering that blocks high-frequency ranges used to covertly transmit data. Devices running Linux can do this by using the advanced Linux Sound Architecture in combination with the Linux Audio Developer's Simple Plugin API. Similar approaches are probably available for Windows and Mac OS X computers as well. The researchers also proposed the use of an audio intrusion detection guard, a device that would "forward audio input and output signals to their destination and simultaneously store them inside the guard's internal state, where they are subject to further analyses."