Researchers Build Covert Acoustical Mesh Networks In Air

An anonymous reader writes "Researchers at Fraunhofer FKIE, Germany have presented a paper on covert acoustical communications between laptop computers. In their paper 'On Covert Acoustical Mesh Networks in Air', they describe how acoustical communication can be used to secretly bridge air gaps between computers and connect computers and networks that are thought to be completely isolated from each other. By using ad-hoc routing protocols, they are able to build up a complete mesh network of infected computers that leaks data over multiple hops. A multi-hop acoustical keylogger is also presented where keystrokes are forwarded to an attacker over multiple hops between different office rooms. The fundamental part of the communication system is a piece of software that has originally been developed for acoustic underwater communications. The researchers also provide different countermeasures against malicious participation in a covert acoustical network. The limitations of air gaps have been discussed recently in the context of a highly advanced malware, although reports on this so-called badBIOS malware could not yet be confirmed."

Apple already sells this

[ArcadeMan]

It's called AirPort.

Re:Apple already sells this

[ArcadeMan]

Vibrations of air, like the woosh that just went over your head?

Re:

[Anonymous Coward]

Everyone knows IBM created air.

Apple just made it cool to breathe.

Re:

[davester666]

No. Adobe makes it suck.

Re:

[TechyImmigrant]

Two words: Walsh codes

Re:

[TechyImmigrant]

Enough energy per bit to do what needs doing.

Re:

[Minwee]

Good idea. You could turn up the noise level to defeat just about anything, and then call it The Cone Of Silence [youtube.com].

Who could possibly object to that?

Re:

[TechyImmigrant]

You don't have to turn up the noise level. Just run quieter symbols for longer and add bucketloads of FEC.

 

Lock down I/O

[l2718]

An "air gap" means making sue a computer cannot exchange information with other computers. LAN is one way to do so, but other sensors on the computer can be used for input, and other devices for output. Is it really a surprise that the microphone on a computer can be used as an input device?

Re:

[K. S. Kyosuke]

I guess it's time for us to upgrade to vacuum-gapped computers.

Re:Lock down I/O

[marcello_dl]

You mean downgrade? what about the old desktop box with no mic, an easily detachable and crappy speaker for beep, no wireless stuff integrated into the CPU as an anti theft device, no official wireless modem, and always-on fans at a fixed speed (to stop in his track the resourceful black hat that one day will try malicious communication over fan freq.).

Re:

[sjames]

Make sure there's plenty of air in that gap though so one machine can't communicate by busying and idling it's CPUs to alter air temp.

Then lock down your "not security critical" read only monitors for power consumption etc. Also your security cameras lest someone have fun with the location lights.

Re:

[Somebody Is Using My]

I see your vacuum-gapped computer and raise you a webcam + CAPSLock LED.

Re:

[bhassel]

I wonder what sort of bitrate you could get by modulating energy consumption...

Re:

[freeze128]

I trump your webcam with a SPACE Disco.

Checkmate!

Re:

[VVelox]

Nah. The surprising bit is the lack of bandpass filters.

Re:

[viperidaenz]

You're surprised someone cheapened out making consumer products?
If 5c can be saved per unit by taking out some capacitors and inductors, they'll do it.

Re:

[fustakrakich]

Somebody locked down Slashdot archives [slashdot.org], but I broke through with my acoustic modem [slashdot.org]. The connection was kinda slow, hence the difference in time stamps

Space Gap

[Cold hard reality]

Soon we'll have marketers pitching space-gapped machines, so even the acoustics are blocked.

Re:

[OhSoLaMeow]

Soon we'll have marketers pitching space-gapped machines, so even the acoustics are blocked.

Then one computer will display moving lips and another computer will read said lips.

I'm sorry Dave, I'm afraid I can't do that.

band pass filters

[VVelox]

I am really surprised so much in the way of audio electronics in computers lacks a bandpass filter to prevent interference from stuff outside of the audible spectrum.

Re:

[n1ywb]

What interference? Why would any engineer add cost and complexity to a design by adding (previously considered) unecessary filtering circuitry? We talking analog filters or digital filters? Passive or active? Skirt shapes? It's not as simple as "add filters. problem solved." Really, if you are security paranoid and you don't need them, remove the speakers and mic. Now the problem really is solved. You can alway plug in a headset.

Re:

[Anonymous Coward]

You're both uninformed. Computers don't lack filters. There are analog low pass filters on all audio inputs, because they're necessary (see the Nyquist/Shannon sampling theorem). The thing is, the cutoff frequencies are necessarily above the audible range, because there are no perfect "brick-wall" filters. For systems with sampling rates higher than 44.1kHz, the cutoff frequencies are far above the audible range. Otherwise what would be the point of providing the high sampling rate? Yes, it's audiophile hoc

Re:

[MightyYar]

Filters usually have some consequence. Something approaching an ideal low-pass filter can be applied to a recorded signal, since you can assume a zero level before and after the recording. But a real-time filter has to make compromises and will result in some kind of distortion (ringing artifacts mostly). You can improve things by adding a delay, but if this delay is too long then you run into latency problems for real-time applications like chat. I'm sure you could produce something of acceptable quality,

Re:

[AK Marc]

The only computers I've ever owned with a built-in mic were laptops. Is this really a problem for secure computers? Do business-grade desktops all ship with microphones now?

Re:

[jafac]

I guess that, IN THEORY, any speaker can be a microphone. If only there is a circuit that can read voltage levels induced on the speaker-coil by air vibrations on the membrane. (in hardware terms, you can just connect a speaker as a microphone - but in computer-terms, there probably is not the audio-input digitizer on that physical channel, on most audio boards).

Air Gaps are Evil

[TechyImmigrant]

Air gaps are a liability. They do not work as advertised. Covert audio channels have nothing to do with it.

When you put a computer in a faraday cage with an air gap, you still need to computer to have some input and output in order to be useful.
So the air gap requires that a human periodically walks into the room and interacts with the machine. At this point, the options for undermining the security of the system have gone up exponentially.

The reality of air gaps is that key signing ceremonies take place with several people packed in the room, while CDs are passed back and forth and put in the machine holding the CSRs, the software and signed certs.

If you instead had a wire to the machine in the room, you could monitor the transactions over the wire. You could ensure a non turing complete language is used in the wire protocol. You can deny humans access. You can apply defense in depth to a wire. No so much to a room full of humans.

Air gaps are evil.

Re:

[TheCarp]

The reality of air gaps is that key signing ceremonies take place with several people packed in the room, while CDs are passed back and forth and put in the machine holding the CSRs, the software and signed certs.

So because people often conduct their air gapped business in a flawed manner, air gaps are useless? Sorry, I don't follow.

Wouldn't it be better to....embrace the power of AND?

Have an air gap AND pre-compute QR codes or some other encoding that doesn't require the loading of potentially insecure med

Re:

[AK Marc]

You can have secure or usable, not both. And when you get so secure as to be unusable, the users will undermine security for usability. Air gaps are almost always done in a way that doesn't improve security.

QR Code viruses

[Tenebrousedge]

The smallest viruses are well within the storage capacity of a QR code, and an exploit could be a mere handful of bytes; what makes you think that they are somehow inherently secure?

Re:

[TheCarp]

Except that the QR codes are a replacement for using other, even more vulnerable media, which can hold gigabytes of extra payload.

You have to exchange key data somehow. It doesn't matter what encoding you use as long as everyone can read it and preferably without doing anything potentially unsafe, like mounting unknown filesystems on the most protected node.

Pretty sure I would take a QR code as an acceptable trade off between manually typing in key data for signing and mounting your usb drive (or mine on yo

Re:Air Gaps are Evil

[mlts]

The perfect is the enemy of the good.

Air gaps may not be perfect. If one gets physical access, then things are hosed. However it does do a good job at removing an entire type of attack, i.e. from remote. An attacker would have to have a "boots on the ground" presence in order to get software on the machine to use audio as a media layer with another machine to decode it.

Yes, it can be a threat, but it doesn't completely negate the benefits of air-gapping, and it is still prudent to keep the key signing boxes well off any network.

As always, if someone has access, no matter how sophisticated the defense, it likely can be bypassed somehow.

Mod parent up.

[khasim]

However it does do a good job at removing an entire type of attack, i.e. from remote.

Exactly. And Bruce Schneier has an excellent article on that concept. He calls it "attack trees".

https://www.schneier.com/paper-attacktrees-ddj-ft.html [schneier.com]

I think that the biggest problem here is that there isn't a recognized definition of "security" as it applies to computers.

Security is not about becoming invulnerable. That is impossible. Mostly because there is no "secure". There is only "more secure" or "less secure" than y

Re:

[DavidTC]

Do you even have the slightest idea how key signing works?

People sign keys on their own computer. Because you signs someone's _public_ key (Which of course you is freely available over the internet, although obviously you should confirm it is their key before signing it.) with your _private_ key.

There's no reason for _anyone_ to access anyone else's computer while signing keys.

But none of that has anything to do with air-gapped computers, which have exactly no role to play in this. Why? Because people do

Re:

[TechyImmigrant]

>Do you even have the slightest idea how key signing works?
I have deployed a real CA. The sort with an armed guard on the door. I also wrote the software.
The fact I wrote the software (to verify the spec could work - I also wrote the cert profile spec and the security protocol that uses it) is what got me the deploying job.
So yes.

I'm talking about establishing a root cert for a CA in an X.509 based PKI. Not GPG or any other sort.

>Those people are key signing parties? _Those_ people are not air-gapped,

Re:

[DavidTC]

Erm, okay, you're talking about something completely different...

...but still not making much sense to me.

The problem is that 'If you instead had a wire to the machine in the room, you could monitor the transactions over the wire. You could ensure a non turing complete language is used in the wire protocol. You can deny humans access. You can apply defense in depth to a wire. No so much to a room full of humans.' you can do _on an air-gapped machine_.

What you have just proposed doing is to put the UI of

Re:

[TechyImmigrant]

That could be made to work fine. Understand what you're protecting. In this case root keys in a HSM in a server in a secured room.

E.G. For a CA, the only things you need to ask of the server is "Sign this and return the cert". So have a wire protocol that only lets you ask that and limits side channel attacks, E.G. by quantizing ask and response timing.

The thing you're protecting is the thing that should be behind the limited interface. The UI can swim with the sharks. You need a different set of rules for

Some Technical Details.

[Jah-Wren Ryel]

They used Lenovo T400 laptops which are circa 2008 models, no extra audio hardware. They could do 20bits/sec over nearly meters 20 meters if they had line-of-site between the laptops.

Re:

[gl4ss]

was the earlier story about a researcher bitching about his laptop being hacked through this an advert for these guys?

well.. he claimed to have bios infection which did the airgap jump..

just that you can encode and decode information to and from audio isn't that much of a news.

Re:

[akozakie]

As far as I recall he claimed no such thing. He claimed that the malware updated through the air gap. Quite a different thing than hacking - you already have an audio-networking-capable software on both communicating boxes.

This would mean that malware using this technique is already in the wild. Quite an ad for someone offering any protection from this, but if confirmed - very interesting.

Re:

[bill_mcgonigle]

Quite an ad for someone offering any protection from this, but if confirmed - very interesting.

And now you know why infosec hackers play thrash metal all the time.

Re:

[Anonymous Coward]

well.. he claimed to have bios infection which did the airgap jump..

No, actually he did not. It was a variety of supposedly tech-savvy journalists with poor reading comprehension skills who made that claim.
What the original guy claimed (yes, I read his actual blog) was that once infected, the malware was using acoustical networking to maintain the infection while he was attempting to clean the system. He never made any claims that the acoustic networking was the original infection vector.

Re:

[AK Marc]

So they demonstrated bridging the "air gap" with a computer that can't be bought without a wireless card in it (at least through the channels I tried). How about a desktop. Most desktops don't come with microphones, and I don't see why you'd add one to a secure machine.

Re:

[pmontra]

But many people add mics to their desktops to use Skype and the like. Most desktops are not bought by people who know anything about security and even when there is an IT department, they still make conference calls with their computers and need a mic.

Anyway, maybe Vinge's Blight [wikipedia.org] will take over the world with an audio malware ;-)

Re: Some Technical Details.

[ceoyoyo]

Skype works extremely poorly on an air gapped machine.

Re:

[pmontra]

Mmm, you're right and I didn't pay attention. Sorry.

Re:

[DavidTC]

Now I'm imagining someone trying transmit a Skype conversation over the air-gap via audio. Or just the audio, at least.

It seems extremely silly, but then I started thinking about a hypothetical audio bug that literally just relayed the audio _as_ encoded audio...but in a way that was easier to hear through walls and windows and stuff. Like pumping it at higher volume, but at frequencies we couldn't hear. Or doing it much slower (Presumably with some sort of voice activation so it would only record 8 hours

Re:

[ceoyoyo]

Higher frequencies don't work very well through obstructions (these guys specify line-of-sight). Low frequencies though, go through walls better. Presumably you could record and compress audio, then retransmit it using lower frequency sound. The problem is, creating low frequency sound waves requires large speakers, and we hear fairly well down to quite low frequencies.

Modulating the frequency of a conventional light source is pretty difficult. You could use an LED and slightly manipulate the colour mix

Re:

[fast turtle]

hell I didn't have to buy a fucking mic to use skype/google-talk/whatever as my god damn webcam includes one. Plug it in to video chat and I've got a live mic. Hell the damn thing is good enough for Dragon Speaking 10 to use it instead of a headset. Makes me wonder why this hasn't happened before (remember the movie Silent Running - Sci-fi http://en.wikipedia.org/wiki/Silent_Running [wikipedia.org]) where the droids/bots were taught to play poker (cheated using sounds). That's from 72 and was probably produced in 70 (40+ y

So I have to disable my audo hardware now?

[bobbied]

Oh great... Can't you hackers just leave well enough alone?

I've had to disconnect my network cable, remove the wireless card, and disable all the USB ports to make my machine secure and now I have to disable the audio hardware too? Man, this is getting out of hand..

Seriously though... This is new how? We have been sending data using audio cards between computers for decades. I remember cranking up the cassette tape drive to load programs into my TRS-80 in high school and hooking up to an acoustic modem to get on dial up AOL. Recently I've used my computer to talk to another computer halfway around the world though an RF link provided by my ham radio. Hams routinely transfer "data" over packet, PSK and other modes over audio links using their audio cards in their computers.

Oh, wait, so the ad-hock links are the new thing? Um, not so fast there either. Mesh networks have been around long enough to fall in and out of favor once or twice. Ham radio operators might know about HSMM Mesh http://www.broadband-hamnet.org/ [broadband-hamnet.org] has been doing mesh networks for nearly a decade, and the protocol it uses internally wasn't the first. So this is not new..

I conclude that NOTHING here is new, except perhaps combining an audio network link with a mesh networking protocol.... But I don't see that as ground breaking..

The only thing this will really do is make it necessary to disable/remove audio hardware from secure computers, just because somebody might try to use it for something stupid. Thanks guys (and gals if there are any working on this) for making my life harder...

Re:

[Theaetetus]

This is new how? We have been sending data using audio cards between computers for decades. I remember cranking up the cassette tape drive to load programs into my TRS-80 in high school and hooking up to an acoustic modem to get on dial up AOL. Recently I've used my computer to talk to another computer halfway around the world though an RF link provided by my ham radio. Hams routinely transfer "data" over packet, PSK and other modes over audio links using their audio cards in their computers.

Oh, wait, so the ad-hock links are the new thing? Um, not so fast there either. Mesh networks have been around long enough to fall in and out of favor once or twice. Ham radio operators might know about HSMM Mesh http://www.broadband-hamnet.org/ [broadband-hamnet.org] has been doing mesh networks for nearly a decade, and the protocol it uses internally wasn't the first. So this is not new..

I conclude that NOTHING here is new, except perhaps combining an audio network link with a mesh networking protocol.... But I don't see that as ground breaking..

Maybe you missed the "covert" part. If your computer was hissing and whining away like a 56kbps modem to talk to the computer in the room next door, you'd probably notice.

... Although, maybe not, since it's the third word in the /. headline and second word in the article headline, and yet you still missed even this rudimentary visual communication.

Re:

[bobbied]

You haven't been in my lab, it's pretty loud in there... Earplugs are standard and in fact are issued for free just inside the door. So, I might or might not hear a PSK conversation over the din. However, in such an environment would not be very hospitable to acoustic communications in the first place. But I don't think that trying to be covert is going to do anything but lower your though put to near useless.

Like in RF communications, AF links will need to have a minimum S/N ratio and bandwidth. If y

Re:

[Theaetetus]

You haven't been in my lab, it's pretty loud in there... Earplugs are standard and in fact are issued for free just inside the door. So, I might or might not hear a PSK conversation over the din. However, in such an environment would not be very hospitable to acoustic communications in the first place. But I don't think that trying to be covert is going to do anything but lower your though put to near useless... I say this is either easily heard, not that useful, prone to interference or low bandwidth.

And since we're talking about transferring small pieces of data, such as user names, passwords, account numbers, etc., you're talking about maybe 10-12 bytes at a time, tops. It could take a minute and you'd never hear it.

Re:

[Gim Tom]

You covered most of what I was going to say except that in my younger days I could almost always hear the flyback whine from any CRT raster scan device be it TV or monitor. I think those generally operated in about the same frequency range as this technique does so many younger people should be able to HEAR the stealth transmissions just fine. On another note our Ham Radio club used HSMM routers during field day this year to connect the operating positions around the large field with the logging computer

Re:

[dpidcoe]

You covered most of what I was going to say except that in my younger days I could almost always hear the flyback whine from any CRT raster scan device be it TV or monitor. I think those generally operated in about the same frequency range as this technique does so many younger people should be able to HEAR the stealth transmissions just fine.

They may hear it, but will they notice it? Intermittent and faint high pitched frequencies are common around electronics, I don't think I'd flag that sound as out of the ordinary under normal circumstances.

Re:

[fufufang]

You could wear headphone, you know...

Re:

[bill_mcgonigle]

Thanks guys (and gals if there are any working on this) for making my life harder...

If it's nothing new, why does it make your life harder? Ah-ha!

Sound off

[Impy the Impiuos Imp]

OH. MY. GOD. Air gaps.

I thought my tinfoil hat was sufficient, but you're telling me I now have to worry about sounds going in my ears that modify my behavior!?!?!

This is really, really simple to understand

[Jody Bruchon]

Without the software required to use the hardware for communication, the communication doesn't work. If your air-gapped computer has not been infected prior to air-gapping, this simply can't work. I can smell conspiracy theorists a mile away with "but what about malicious BIOSes or pre-infected hardware designs or..." and the solution for all of those remains the same: if it's that big of a concern, remove it from the computer. Rip open the laptop and disconnect or desolder the speakers and microphone, and while you're in there you can heat-gun off the magnetics for the network card and all the external USB port connectors. If you're gonna do paranoid, you might as well do it right.

Re:

[mlts]

I wonder if this would be a niche market for a company. Create an x86 motherboard that is epoxied tight, and the only thing coming out would be a serial port, a power port, a MicroSD card slot for the OS, and a SD card to handle data.

Maybe another version might have a USB connector for the keyboard and mouse (with the BIOS limiting the devices connected to those ports to just HIDs), and a VGA connector for the monitor.

Stick all this in a tamper-resistant aluminum case, and it might sell as a poor man's HSM

Re:

[Jody Bruchon]

Won't do much good with no antenna. Find the trace for it and cut it.

Re:

[Jamie Ian Macgregor]

you're trying to tell us that an intel chip contains a 3g modem that works through the Faraday cage also knows as your computer case? good luck getting a signal from in there

Re:

[VortexCortex]

I think I'll call it: System on a Chip. Or, just get an old beige box x86 with no USB -- Has serial ports, no sound card, etc.

Look, the problem is that provably secure operating systems and software are possible to create, but prohibitively expensive to create and maintain. Before some nutter harps on about a "halting problem": No, stop it. Computers have FINITE state. I have written drivers (and small embedded OSs) that are mathematically provably secure. Every combination of inputs (expected or other

Re:

[bill_mcgonigle]

As to the matter of routing out Ken Thompson Microcode Hacks -- Well, there's answers to that too which are just as expensive.

Doing provably secure is one thing, but just having open, auditable code would be a great leap forward. We can be sure that the AMI BIOS contains bugs and reasonably sure that the NSA has copies of that source in their lab.

Then, maybe somebody can work on taking the open code and working through it one function at a time to secure it.

Re:

[bill_mcgonigle]

a MicroSD card slot for the OS

Why would you trust the MicroSD controller to not inject a known attack when presented with a special sequence of input that can be hidden in a filesystem structure?

Re:

[bill_mcgonigle]

If you're gonna do paranoid, you might as well do it right.

What's the point? We all know that Intel puts special logic in that changes the operation of the CPU given certain parameters. That's why Intel RdRand isn't directly accessible but has to be accessed through the hashing logic unit. That way They just have to sneak in a small bit of malware that will hose up your RNG and then your keys can be trivially cracked into the future.

Then we have the news [mit.edu] that GCC has been compromised for years, and all

Re:

[freeze128]

This might be a little less invasive:

http://www.thingiverse.com/thing:126097

Anyone remember bus radio?

[TheCarp]

Not only is it not new, I remember almost 10 years ago now, somebody had demonstrated that he could slam the bus in such a way as to generate radio signals that he could pick up on a nearby reciever.

There was even a slashdot story about it back then, but damned if I can find anything on it now. Pretty sure it was only a one way channel but, depending on the circumstances, that could be enough.

Re:

[Anne Thwacks]

That was standard practice on the PDP8 in the 1970s. There were even compilers to produce music that way. There was always a radio ontop the computer so you could tell if it got in a loop (constant frequency). Some people even knew which loop by the tone! (Cue Newton-Raphson agorithm approaching solution with a recognisable whine!)

Re:

[bill_mcgonigle]

Neat. That's awfully useful for the Tempest van parked down the street, but for in-house peer to peer leakage you'd need an radio receiver on the other machine.

Don't get me wrong, I can't wait to have SDR's on every device I buy, but this one is a risk worth appreciating.

Soon(tm)

[lapm]

If malware dint use it before, its sure going to use it soon enough after this paper.

BadBIOS?

[Peter Simpson]

Interesting timing, considering the recent exposure (and debunking?) of BadBIOS "acoustical networking".

"utilizing the near ultrasonic frequency range"

[twmcneil]

So, dogs will bark constantly when these devises are attempting to communicate? Bring Rover in to work with you. Problem solved.

Finally a rational explantion

[deviated_prevert]

Why my network crashed when I farted!

not going to be very fast

[johnrpenner]

back in the day — with TRS80 300 baud cassette loading — we thought 300 bps was pretty SSSSLLLOOOWWW..

they managed the blazing speed 20bps (bits per second) at 3 meters using 18khz carrier frequency — and that had a faint clicking sound.

20 bps is slower than most people type — you're not going to be transmitting any high-res jpeg images this way..

good enough to capture and transmit a password though, or to do command-control type actions.

heh heh — transmitting a spy app between

Been there, done that

[Webmoth]

"Covert acoustical mesh networks"?!? Housewives invented this thousands of years ago, only back then they called it "gossip."

Re:

[Anonymous Coward]

How much are you getting paid for this offtopic claptrap on every post? At least the "Cruz Control" guy who spews stuff how NASA should be privatized, has tried to make posts fairly relevant to the topic hand before going into how deeply in debt we are in with China.

There was a tenant from the old Soviets. Tell a lie often enough, and people will start believing it. Guess this is working.