Researchers Build Covert Acoustical Mesh Networks In Air
An anonymous reader writes "Researchers at Fraunhofer FKIE, Germany, have presented a paper on covert acoustical communications between laptop computers. In their paper 'On Covert Acoustical Mesh Networks in Air', they describe how acoustical communication can be used to secretly bridge air gaps between computers and connect computers and networks that are thought to be completely isolated from each other. By using ad-hoc routing protocols, they are able to build up a complete mesh network of infected computers that leaks data over multiple hops. A multi-hop acoustical keylogger is also presented where keystrokes are forwarded to an attacker over multiple hops between different office rooms. The fundamental part of the communication system is a piece of software that was originally developed for acoustic underwater communications. The researchers also provide different countermeasures against malicious participation in a covert acoustical network. The limitations of air gaps have been discussed recently in the context of a highly advanced malware, although reports on this so-called badBIOS malware could not yet be confirmed."
Air Gaps are Evil (Score:4, Interesting)
Air gaps are a liability. They do not work as advertised. Covert audio channels have nothing to do with it.
When you put a computer in a Faraday cage with an air gap, you still need the computer to have some input and output in order to be useful.
So the air gap requires that a human periodically walks into the room and interacts with the machine. At this point, the options for undermining the security of the system have gone up exponentially.
The reality of air gaps is that key signing ceremonies take place with several people packed in the room, while CDs are passed back and forth and put in the machine holding the CSRs, the software and signed certs.
If you instead had a wire to the machine in the room, you could monitor the transactions over the wire. You could ensure a non-Turing-complete language is used in the wire protocol. You can deny humans access. You can apply defense in depth to a wire. Not so much to a room full of humans.
Air gaps are evil.