MOSQUITO: Covert Ultrasonic Transmissions Between Two Air-Gapped Computers Using Speaker-to-Speaker Communication

In this paper we show how two or more air-gapped computers in the same room, equipped with passive speakers, headphones, or earphones can covertly exchange data via ultrasonic waves. Microphones are not required. Our method is based on the capability of a malware to exploit a specific audio chip feature in order to reverse the connected speakers from output devices into input devices - unobtrusively rendering them microphones. We discuss the attack model and provide technical background and implementation details. We show that although the reversed speakers/headphones/earphones were not originally designed to perform as microphones, they still respond well to the near-ultrasonic range (18kHz to 24kHz). We evaluate the communication channel with different equipment, and at various distances and transmission speeds, and also discuss some practical considerations. Our results show that the speaker-to-speaker communication can be used to covertly transmit data between two air-gapped computers positioned a maximum of nine meters away from one another.

[1]  Mordechai Guri,et al.  Bridging the Air Gap between Isolated Networks and Mobile Phones in a Practical Cyber-Attack , 2017, ACM Trans. Intell. Syst. Technol..

[2]  InduShobha N. Chengalur-Smith,et al.  An overview of social engineering malware: Trends, tactics, and implications , 2010 .

[3]  Glen Ballou,et al.  Handbook for Sound Engineers , 2002 .

[4]  Mordechai Guri,et al.  AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies , 2014, 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE).

[5]  Iain McCowan,et al.  Microphone Arrays : A Tutorial , 2001 .

[6]  Richard Sharp,et al.  Audio networking: the forgotten wireless technology , 2005, IEEE Pervasive Computing.

[7]  Mordechai Guri,et al.  SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit , 2016, WOOT.

[8]  Mordechai Guri,et al.  USBee: Air-gap covert-channel via electromagnetic emission from USB , 2016, 2016 14th Annual Conference on Privacy, Security and Trust (PST).

[9]  Carlisle M. Adams,et al.  On Acoustic Covert Channels Between Air-Gapped Systems , 2014, FPS.

[10]  Markus G. Kuhn,et al.  Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations , 1998, Information Hiding.

[11]  William Stallings,et al.  Data and Computer Communications , 1985 .

[12]  Mordechai Guri,et al.  ODINI: Escaping Sensitive Data From Faraday-Caged, Air-Gapped Computers via Magnetic Fields , 2018, IEEE Transactions on Information Forensics and Security.

[13]  Michael Hanspach,et al.  On Covert Acoustical Mesh Networks in Air , 2014, J. Commun..

[14]  Sara Matzner,et al.  Analysis and Detection of Malicious Insiders , 2005 .

[15]  Mordechai Guri,et al.  aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR) , 2017, Comput. Secur..

[16]  Ji Won Yoon,et al.  Various Threat Models to Circumvent Air-Gapped Systems for Preventing Network Attack , 2015, WISA.

[17]  Stefan Katzenbeisser,et al.  Covert channels using mobile device's magnetic field sensors , 2016, 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC).

[18]  Luke Deshotels,et al.  Inaudible Sound as a Covert Channel in Mobile Devices , 2014, WOOT.

[19]  Mordechai Guri,et al.  xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs , 2017, ArXiv.

[20]  Mordechai Guri,et al.  Acoustic Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard-Drive Noise ('DiskFiltration') , 2017, ESORICS.

[21]  David A. Umphress,et al.  Information leakage from optical emanations , 2002, TSEC.

[22]  Mordechai Guri,et al.  GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies , 2015, USENIX Security Symposium.

[23]  B. K. Gazey,et al.  APPLIED UNDERWATER ACOUSTICS. , 1966 .

[24]  Frank Fahy,et al.  Foundations of engineering acoustics , 2000 .

[25]  Mordechai Guri,et al.  LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED , 2017, DIMVA.

[26]  Mordechai Guri,et al.  Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers , 2016, ArXiv.

[27]  Beatrice Tomasi,et al.  JANUS: the genesis, propagation and use of an underwater standard , 2010 .

[28]  Christopher Krügel,et al.  On the Privacy and Security of the Ultrasound Ecosystem , 2017, Proc. Priv. Enhancing Technol..

[29]  Mordechai Guri,et al.  BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations , 2015, 2015 IEEE 28th Computer Security Foundations Symposium.

[30]  Raphael Rom,et al.  Multiple Access Protocols: Performance and Analysis , 1990, SIGMETRICS Perform. Evaluation Rev..

[31]  Mordechai Guri,et al.  An optical covert-channel to leak data through an air-gap , 2016, 2016 14th Annual Conference on Privacy, Security and Trust (PST).

[32]  Mordechai Guri,et al.  Bridgeware , 2018, Commun. ACM.