Forgot your password?
typodupeerror
Security

The Computer Security Threat From Ultrasonic Networks 121

Posted by timothy
from the why-your-bats-are-going-crazy dept.
KentuckyFC (1144503) writes Security researchers in Germany have demonstrated an entirely new way to attack computer networks and steal information without anybody knowing. The new medium of attack is ultrasonic sound. It relies on software that uses the built-in speakers on a laptop to broadcast at ultrasonic frequencies while nearby laptops listen out for the transmissions and pass them on, a set up known as a mesh network. The team has tested this kind of attack on a set of Lenovo T400 laptops infected with key-logging software. They say it is possible to transmit ultrasonic signals covertly at data rates of 20 bits per second at distances of up to 20 metres in an office environment. Interestingly, the team created the covert system by adapting a protocol designed for underwater acoustic communication. They've also tested various strategies for defeating this kind of attack. An obvious option is to disable all speakers and microphones but this also prevents ordinary activities such as VOIP communication. Instead, they suggest filtering the audio signals to prevent ultrasonic transmissions or converting them into an audible frequency. This may be newer than most attack vectors, but it's not the first time that ultrasonic transmission has been demonstrated as a vulnerability; in November of last year we mentioned malware operating along the same lines, as investigated byPwn2Own creator Dragos Ruiu.
This discussion has been archived. No new comments can be posted.

The Computer Security Threat From Ultrasonic Networks

Comments Filter:
  • The easiest way to eliminate this threat is to lock down hardware sampling rates such that ultrasonic frequencies cannot be reliably reproduced (e.g. in the BIOS), and allow the user to flip the switch for higher rate support. At least, that's the first idea that came to mind. I'm sure it's not perfect, but it's better than "kill all audio!"
    • The easiest way to eliminate this threat is to lock down hardware sampling rates such that ultrasonic frequencies cannot be reliably reproduced (e.g. in the BIOS), and allow the user to flip the switch for higher rate support. At least, that's the first idea that came to mind. I'm sure it's not perfect, but it's better than "kill all audio!"

      Obviously anything that is vulnerable to software tampering is less secure than some elegant hardware based solution; but surely one could apply ACLs to the audio device, to at least ensure that only suitably blessed applications can interact with it? Doesn't stop a root/kernel level exploit, or a blessed application being subverted; but right now, the default is that any program that can run can make noises, which is certainly easier to slip malice through.

      • by ColdWetDog (752185) on Thursday June 12, 2014 @10:29AM (#47221953) Homepage

        Ah, but you're missing an entire other defensive mechanism. One that, I will point out, did not escape the genius of Apple. Recall the recent angst about Apple's acquisition of Beats Audio [slashdot.org]. The two theories judged most likely centered around either gratuitously spending money to annoy the Slashdot hive mind or strategically buying up an inconsequential streaming audio business. Of course, careful consideration (yes, I understand that contradiction here) would lead one to realize that neither is very likely, so I offer a more technically sound rationale:

        If you've ever listened to a set of Beats headphones, the second thing you notice (the first is that they are ugly and cheap) is that it is engineered to be unable to pass frequencies higher than 4000 Hz. You're not going to hear a set of cymbals or a piccolo to save your life.

        So, these nefarious persons can attempt to stuff whatever data they'd like into the higher registers - it will do them no good at all. You don't need complex software rules, you don't need specially constructed DACs. You just need bass. Furthermore, if all you are going to do is to listen to DC to 4 kHz noise, you don't need a particularly robust audio platform to do it (like an iPhone). And, as an added bonus, this limited bandwidth will save on your precious monthly allotment of data.

        Apple has you covered, folks.

        • he two theories judged most likely centered around either gratuitously spending money to annoy the Slashdot hive mind

          Yes, it's amazing what money tech companies will spend to piss off the average slashdotter. We truly are special.
    • by Anonymous Coward

      Even better would be to install an analog filter on the speakers that limited frequencies to below 20kHz or so. Component cost less than ten cents.

      • by Anonymous Coward

        20 bits per second.

        I type 80wpm. 5 characters per word. 400 chars per minute, or 6.7 chars per second, or about 53 bits per second.

        Therefore I type almost three times faster than this channel's data rate.

        • 20 bits per second.

          I type 80wpm. 5 characters per word. 400 chars per minute, or 6.7 chars per second, or about 53 bits per second.

          Therefore I type almost three times faster than this channel's data rate.

          Log keystrokes.
          Optionally, filter (look for the @ symbol for email addresses, a known bank in a browser window's title, symbols / cAPs near eachother for passwords, whatever).
          Compress.
          Send.

          Unless you type > 20 bps after compression (and filtering), the entire time your computer is on, it will keep up.
          Even if you do outpace it by a factor of infinity, it will still be transmitting at 20 bps, so it'll still be getting your shit. As hits something interesting (login credentials, your Harry Potter fanfic, w

      • Simple analog filters (that you coudl build with 10 cents worth of components) have a slow rolloff. You can't just say "pass everything up to 20KHz, reject everything above that" or even "pass everything up to 15KHZ reject everything over 25KHz" and design a simple analog circuit to do it.

        This is one of the big reasons we use high sample rates and filter digitally nowadays. You can get arbiterally close to an ideal "brick wall" filter digitally (though you do pay a price in time delay and computing power) w

    • by Rosco P. Coltrane (209368) on Thursday June 12, 2014 @09:20AM (#47221389)

      The easiest way to eliminate this threat is to lock down hardware sampling rates such that ultrasonic frequencies cannot be reliably reproduced

      Nope. The easiest way to eliminate this threat is to keep a pet bat next to your computer to scramble any ultrasonic transmission.

    • OR...issue whistles to everyone in your office, to be used at random intervals.

    • by evilviper (135110)

      The easiest way to eliminate this threat is to lock down hardware sampling rates such that ultrasonic frequencies cannot be reliably reproduced

      That's very short-sighted. The ultrasonics are only a matter of making the communications stealthier. Systems unable to produce ultrasonics could still communicate with each other, using audible ranges.

      Doing so, undetected, just requires a little intelligence. It could wait until late at night, when all the systems have been idle for some time. The malware could

      • by Archfeld (6757) *

        I swear on some late night upgrades I've heard the machines talking to me, but NOW I know it was true...

    • by klui (457783)

      An easier way is just cheap speakers doing what they do best.

    • Hardware sampling rate is actually a kind of roundabout way to do it. More easily, one can place an analog high-pass filter set at 20KHZ or so before the speakers in the sound driver hardware etc. These are very cheap for low-power applications like laptops.
  • You patch this hole in your defenses.

    Another exploit undermines a heretofore unknown weakness.

    Exploitation that doesn't kill you makes you stronger.

  • by thospel (99467) on Thursday June 12, 2014 @08:56AM (#47221227)

    WTF ? That's a covert communication channel, not an attack.
    At least the original source gets that right. But what idiot writes the slashdot version of the article?

    • But what idiot writes the slashdot version of the article?

      Probably the same one who wrote a similar article about a year back.

      • by Anonymous Coward

        To be more specific it is this story [slashdot.org] - same exact paper from November of last year.

    • This. It is NOT an attack. And let's face it, very very few people have an air gap on their computers. Since that's the case, it's so much easier to just use the existing wired network or wireless network to ferret data out. 20 bits per second is hardly practical anyway, even for small amounts of data (which, today, would be classified as megabytes.)

      • by rhsanborn (773855)
        This is a good way to hide your snooping in sensitive environments that are running adaptive intrusion detection systems. It's also a way to get secure computers that aren't connected to the network, to talk to less secure computers that are. Think military. Jim falls prey to a USB based piece of malware and puts it on a DoD machine that is on their internal, secure network. It talks to an Internet-connected computer to move data from one to the other. The USB vector is exactly how the US/Israel got malware
      • by RevWaldo (1186281)
        I was wondering how this speed compared to a telegraph operator sending Morse Code. Googling about, words per minute, based on the standard five characters per word plus spaces and punctuation, works out to about bps * 1.2.

        http://superuser.com/questions... [superuser.com]

        So 20 bps is about 24 words per minute. Compare this to a skilled telegraph operator, who can manage 40 wpm.

        http://en.wikipedia.org/wiki/M... [wikipedia.org]

        So yeah, it's slow, BUT for keylogging it couldn't keep up only if users typed constantly, which they don
      • by gstoddart (321705)

        20 bits per second is hardly practical anyway, even for small amounts of data

        Depends on the data, doesn't it?

        If I've installed something which is designed to capture passwords, your 20 bits/sec means I can transmit your password in just a few seconds.

        So if all it does it say "got it, user X has this password" ... that can be pretty valuable and is likely do-able in under 30 seconds.

        This may not be an attack, but it is an attack vector.

        • by freeze128 (544774)
          That scenario would require that there be some sort of keylogger already present and running on the compromised machine. If that's the case, then why bother with all this cloak and dagger shit? Hell, there are plenty of other routes that the data could take:

          Store the data in a file on a local drive (hard drive or even USB flash drive)
          Transmit it over Ethernet.
          Transmit it over Wi-Fi.
          Transmit it over bluetooth.
          Transmit it over IRDA.

          Or, my favorite, just have the machine use text to voice to shout out the us
          • by gstoddart (321705)

            That scenario would require that there be some sort of keylogger already present and running on the compromised machine. If that's the case, then why bother with all this cloak and dagger shit?

            Well, given the prevalence of things like spear phishing and the like, maybe it's not all that tough.

            And the point of the cloak and dagger is, if they don't know you're listening, and you're using a channel they're not scanning for ... you can keep doing it with impunity.

            So, say I worked for an agency which relied on

    • by Anonymous Coward

      IKR... I read the article summary and was double face palming.

      You can't install malware via the microphone inputs lol. You can only receive inputs from a preconfigured machine and the attacks still have to happen in other ways.

      • YOU cant install malware this way, but people who have machines which are already 99% malware can (but probably never will).

        You are correct - this is utter and complete nonsense. No uninfected computer is going to consider what comes into the mic channel as potentially sensible to execute, or, indeed do anything other than save it as audio data.

        If your computer is in the habit of executing WAV of MP3 files, or saving audio as .exe files, you are already more than truely and completely stuffed.

    • The amount of serious discussions of how to mitigate this "attack" above this comment saddens me. If you have rouge software on your computer, severing one of the least efficient communication channels I've heard of is not going to be helpful.
  • While impractical at scale, this is a very clever way to defeat things like DoD secured air-gap networks, and 20bps is easily capable of say, keylogging :)
  • Not that new (Score:5, Informative)

    by T.E.D. (34228) on Thursday June 12, 2014 @09:06AM (#47221293)

    I worked on a COMSEC job back in the '90s, and both our device and our building (particularly the windows) had countermeasures for this kind of attack.

    Perhaps this is a new thing for garage hackers, but intelligence agencies have known about it for decades.

    • by Ryanrule (1657199)

      Yeah you could read old punch cipher locks if you listed closely.

    • Re:Not that new (Score:4, Insightful)

      by slew (2918) on Thursday June 12, 2014 @01:59PM (#47223809)

      FWIW, Back in the 90's people were also worried about tempest-like stuff (e.g., EM emissions), but simply disabling the speakers isn't enough to inhibit the sonic transmission path. Electronics can "hum" at ultra-sonic frequencies (and fans can transmit audible frequencies), so by running of a suitable thermal virus actions, it is possible to leak information from a previously compromised machine that was not network connected.

      However, disabling the microphone would certain make it harder to control such a compromised, air-gapped machine...

      • by T.E.D. (34228)

        Back in the 90's people were also worried about tempest-like stuff (e.g., EM emissions),

        TEMPEST [wikipedia.org] was one of a set of code-words that were themselves unclassified, but their exact meaning was classified. This allowed people like myself to put them on their resume without the resume becoming classified.

        It looks like folks (or at least Wikipedia editors) may have pieced together a meaning for this particular one.

      • by laitcg (729768)
        Back in the 80's, basically, we used O'scopes to record what people typed on their keyboard from way outside the building and wrote up reports on the info that were always classified. You always want a COMSEC mission report to be Un-Classified. There are so many ways to gain intel when the target is not TEMPEST hardened. Most security minded computer operators and/or security personnel have basic COMSEC imbedded in their mentality. The thing is to pass that on...
  • Does this mean I can get a lirc driver that works with an old Zenith clicker remote?
    • I doubt there is a ready-made LIRC driver, but in theory it might be possible to get it working with a computer. Try recording some button presses with a sound recording program using the mic input and see if anything shows up in the waveform. Then write some software which bridges the sound driver to the remote controller API.
  • by mrspoonsi (2955715) on Thursday June 12, 2014 @09:09AM (#47221313)
    For this to work, the computers must already be 'owned', the fact the computers can communicate 20 meters with another infected machine is the least of the worries if you ask me.
    • by evilviper (135110)

      For this to work, the computers must already be 'owned',

      Computer viruses spread long before there was networking... One infected file on a CD, DVD, USB Flash drive, etc. Or it could be even more covert, like a USB mouse/keyboard modified with data storage.

      the fact the computers can communicate 20 meters with another infected machine is the least of the worries if you ask me.

      It's still significant. It may offer the only method of getting information in/out of an otherwise isolated network.

      While fully auto

      • Normally Desktops do not have inbuilt speakers, so they can be ruled out, that leaves laptops, which do have wifi. An owned laptop could self enable the wifi, create its self as a hot spot and allow other computers elsewhere in the building to connect to it (through walls and what not).
  • The folks who designed my desktop computer were really thinking ahead on this one: it was built without a speaker. Besides enhancing security, an auxiliary benefit of their clever "no-speaker defense" is that saved the manufacturer cost and space.

    • by drinkypoo (153816)

      The folks who designed my desktop computer were really thinking ahead on this one: it was built without a speaker. Besides enhancing security, an auxiliary benefit of their clever "no-speaker defense" is that saved the manufacturer cost and space.

      Virtually no PC desktops have internal speakers connected to the sound card, and even fewer of them have a microphone. Many PCs no longer even have a speaker connector for POST code beeps, and depend solely on a flush-mount piezo buzzer. But virtually all laptops today have both speakers and mic...

      • Actually...for ultrasonics piezoelectric speakers are far better than conventional cone drivers...just not the 2 cent variety you're referring to here.
  • Fix (Score:4, Insightful)

    by Bazman (4849) on Thursday June 12, 2014 @09:25AM (#47221421) Journal

    Headphones. Or dummy jack-plugs.

  • Given that the machines have to have the acoustic networking software installed on them (requiring already having root access), this is at worst a covert communications channel that could be used to bypass network security controls in order to exfiltrate information from an otherwise secure network. It has no impact on whether machines can be hacked to begin with.
  • So one infected computer talks to another via this method and the other computer is infected with code that interprets it. How about just use the malicious code on the 2nd computer to do whatever you were going to do with it? For network transmission, obviously just use encryption or a web server in the middle or something.
    • Seems silly, yeah. Though there are certain very peculiar setups where this might be desirable, for example: computer 1 has network access, computer 2 does not, but gets the occasional USB thumbdrive from computer 1. If you can manage to infect computer 1, transmit it to computer 2, then you can gain get keylogging data from computer 2 in real-time (as opposed to waiting until someone plugs in a thumbdrive to computer 2 and then back into computer 1, where you can send over the network again).

      Of course,
      • That make sense but here's what the failed to consider. People with higher IQs and better functioning nervous systems can hear 45KHz + frequencies. I'm one of them. So your IT dept would probably catch it pretty darn quick.
        • Although I find the claim that you can hear 45KHz+ frequencies dubious, even assuming you can hear that, it doesn't necessarily mean the technique is useless; there's a difference between hearing a frequency and filtering it from noise. I'm guessing you don't have a very good nervous bandpass filter at that frequency, for instance -- so hiding a signal in nearby noise could be possible for a such a system.

          There are plenty of noise sources around us -- fluorescent lamp ballasts are in the 10s of KHz, CRT
          • You're way off. I can hear CRT monitors and large TVs humming away at ultrasonic frequencies but it's a steady tone. Things changing tones like Nvidia 6xx series GPU cores are so unbelievably annoying and hard to ignore because they constantly change frequencies. So the same goes for sneaky speakers.
      • Better yet, you can remotely execute pre-installed code. Think less of information gathering and more of weaponizing.

        If I may be really long winded, let's imagine a system where there is a secure machine that is air gapped by say 30" from a non secured machine. The secure machine has privilleged access to $Doomsday_weapon_001, let's say a missle or better yet the control surface of a critical peice of infrastructure. Once infection has occured, and a payload delivered the two machines can lay in wait. A

  • ... Its a covert transmission channel, not an attack...

    A camera pointed at a computer monitor slowly shifts its average hue (a la 'f.lux') is another such example.

  • When I'm near the computer I hear these voices that no one else can hear.

    It tells me things that no one else knows. Things that I'm not supposed to hear.

    Sometime it tells me to do things. It told me not to tell you what they are.

    Computers only talk to very special people. You wouldn't understand.

    It told me to shut up now. Bye.

  • by LordLimecat (1103839) on Thursday June 12, 2014 @09:54AM (#47221655)

    Dragos Ruiu's findings from last year were never able to be reproduced by an outsider, and were highly suspect. Sometimes you can be a brilliant security guy, and also a delusional paranoid-- and I think the general consensus was that in that scenario, Dragos was being delusionally paranoid.

    The idea that various laptop speakers (all of varying and generally poor quality) will be able to reliably form a wireless network is really far-fetched, no matter how you cut it. Every laptop's mic is different, the speakers are all in different locations, some mics are gonna be off, the acoustics of the room are unknown....

    Theres just no way for this to reliably work.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      > Every laptop's mic is different, the speakers are all in different locations, some mics are gonna be off, the acoustics of the room are unknown....

      Says the guy demonstrating his utter lack of knowledge about DSP. All of those things can be compensated for with the right software, The price is simply reduced throughput. But when you've got days or weeks to run because no one even knows to look for you, even just 1bps can be sufficient.

      Dragos being right or wrong says absolutely nothing about the via

  • by by (1706743) (1706744) on Thursday June 12, 2014 @10:08AM (#47221779)
    You know, because the sound card probably isn't working right anyway (and forget about the mic).

    (Joking, joking...built-in and USB soundcards work just fine on all my Linux computers.)
  • by RevWaldo (1186281) on Thursday June 12, 2014 @10:26AM (#47221935)
    What is it? What is it, girl? Someone running a covert mesh network? Where's it coming from?

    .
  • I thought most soundcards had a capacitor on the inputs that already filters out the higher frequencies. I read this when reading about using sound cards directly as software defined radios for receiving VLF signals. To receive higer frequencies some people have shorted the input capacitor out.

    • A quick googling found

      http://www.clarisonus.com/Rese... [clarisonus.com]

      It seems to vary but even if the filtering is present there is likely to be a range just above 20KHz where human hearing is poor but the filters in the soundcard are still passing enough signal to be useful.

  • Wow! So, after 4 days, 17 hours, 46 minutes and 40 seconds, you could transfer a whopping... 1 whole MEGABYTE.
  • A simple defence would be to have ultrasonic noise generators emitting enough interference to effectively jam any transmissions. It should be no more audible than the transmissions.

    Of course, the average user wouldn't need or probably want this (unless they're security paranoid/enthusiasts), but it might be useful in environments where information security is essential. Maybe even 'hardened' secure devices could have built in noise generators that can't be software disabled as an extra defence feature.
  • As one person commented when the last version of this went around, the sound card hardware or driver would have to have something like a TCP/IP stack built in to the microphone input. In other words, the only way a computer would be vulnerable is if it already has an ultrasonic communication feature installed. The only way I can see this happening is possibly at the behest of a certain agency which has a history of covertly installing security vulnerabilities, but they would probably just put it in the WiF

"We learn from history that we learn nothing from history." -- George Bernard Shaw

Working...