On Acoustic Covert Channels Between Air-Gapped Systems

In this work, we study the ability for malware to leak sensitive information from an air-gapped high-security system to systems on a low-security network, using ultrasonic and audible audio covert channels in two different environments: an open-concept office and a closed-door office. Our results show that malware installed on unmodified commodity hardware can leak data from an air-gapped system using the ultrasonic frequency range from 20 kHz to 20.5 kHz at a rate of 140 bps and at a rate of 6.7 kbps using the audible spectrum from 500 Hz to 18 kHz. Additionally, we show that data can be communicated using ultrasonic communication at distances up to 11 m with bit rates over 230 bps and a bit error rate of 2 %. Given our results, our attacks are able to leak captured keystrokes in real-time using ultrasonic signals and, using audible signals when nobody is present in the environment - the overnight attack, both keystrokes and recorded audio.

[1]  Cristina V. Lopes,et al.  Acoustic Modems for Ubiquitous Computing , 2003, IEEE Pervasive Comput..

[2]  John G. Proakis,et al.  Digital Communications , 1983 .

[3]  Cristina V. Lopes,et al.  Aerial communications using piano, clarinet, and bells , 2002, 2002 IEEE Workshop on Multimedia Signal Processing..

[4]  Ulf Landström Noise and fatigue in working environments , 1990 .

[5]  John B. Goodenough,et al.  Evaluating and Mitigating Software Supply Chain Security Risks , 2010 .

[6]  Erland Jonsson,et al.  A Map of Security Risks Associated wuth Using COTS , 1998, Computer.

[7]  Kim-Kwang Raymond Choo,et al.  Bridging the Air Gap: Inaudible Data Exfiltration by Insiders , 2014, AMCIS.

[8]  Cristina Videira Lopes,et al.  Aerial acoustic communications , 2001, Proceedings of the 2001 IEEE Workshop on the Applications of Signal Processing to Audio and Acoustics (Cat. No.01TH8575).

[9]  D. Sanger Obama Order Sped Up Wave of Cyberattacks Against Iran , 2012 .

[10]  I. Reed,et al.  Polynomial Codes Over Certain Finite Fields , 1960 .

[11]  Peter Szor,et al.  The Art of Computer Virus Research and Defense , 2005 .

[12]  Michael Hanspach,et al.  On Covert Acoustical Mesh Networks in Air , 2014, J. Commun..

[13]  Lawrence E. Kinsler,et al.  Fundamentals of acoustics , 1950 .

[14]  Richard Sharp,et al.  Context-Aware Computing with Sound , 2003, UbiComp.

[15]  William Stallings,et al.  Network Security Essentials: Applications and Standards , 1999 .

[16]  William Stallings Network security essentials: applications and standards / William Stallings , 2007 .

[17]  Cristina V. Lopes,et al.  Alternatives to speech in low bit rate communication systems , 2010, ArXiv.

[18]  Ronald J. Baken,et al.  Clinical measurement of speech and voice , 1987 .

[19]  David W. Tempest,et al.  The Noise Handbook , 1985 .

[20]  Richard Sharp,et al.  Audio networking: the forgotten wireless technology , 2005, IEEE Pervasive Computing.

[21]  Richard V. Cox,et al.  A very low bit rate speech coder based on a recognition/synthesis paradigm , 2001, IEEE Trans. Speech Audio Process..

[22]  Ramarathnam Venkatesan,et al.  Dhwani: secure peer-to-peer acoustic NFC , 2013, SIGCOMM.

[23]  Michael Hanspach,et al.  Recent Developments in Covert Acoustical Communications , 2014, Sicherheit.

[24]  Walter Bender,et al.  Things that talk: Using sound for device-to-device and device-to-human communication , 2000, IBM Syst. J..