In what appears to be a science fiction attack, but is, in fact, a possibility, air-gapped computers can communicate with each other and pull out data using speakers or headphones over ultrasonic waves.
By combining previous research on communications through ultrasonic waves, researchers from the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel, used a technique that can turn a device’s speakers into a microphone in an effort to create a data exfiltration channel.
“We show how two (or more) air- gapped computers in the same room, equipped with passive speakers, headphones, or earphones can covertly exchange data via ultrasonic waves,” said researchers Mordechai Guri, Yosef Solwicz, Andrey Daidakulov and Yuval Elovici. “Microphones are not required. Our method is based on the capability of a malware to exploit a specific audio chip feature in order to reverse the connected speakers from output devices into input devices – unobtrusively rendering them microphones.”
In addition, “We show that although the reversed speakers/headphones/earphones were not originally designed to perform as microphones, they still respond well to the near-ultrasonic range (18kHz to 24kHz),” researchers said.
This new attack method started years ago when researchers showed how audio modulation and demodulation can exchange data between computers over the air via the ultrasonic frequency range. The method requires the devices communicating with each other are equipped with microphones and speakers.
However, it’s possible to turn speakers, headphones or earphones into microphones using only software, which Ben-Gurion University researchers demonstrated back in 2016 in an attack they called SPEAKE(a)R.
Now, the researchers combined the two methods to show a piece of malware installed on an air-gapped system fitted with speakers, headphones or earphones can transmit bits of data to one or more nearby devices running malware designed to capture the data via an audio output system turned into a microphone.
These types of attacks, which they call MOSQUITO, can end up launched in scenarios involving desktop computers that don’t have a microphone, or when the microphone on a laptop or desktop system has been disabled or taped.
The data exchange can take place over inaudible sound waves at frequencies of 18kHz or higher, which can be captured by regular headphones or speakers. The data can be modulated through audio frequency-shift keying (AFSK), which uses one frequency to transmit “0” bits and a different frequency to transmit “1” bits.
Tests conducted by researchers showed a transfer rate ranging between 1200 bits/sec and 1800 bits/sec can occur for up to 8 meters (26 feet) for audible frequencies transmitted and captured using loudspeakers. The transfer rate drops to between 300 bits/sec and 600 bits/sec for inaudible frequencies.
Experiments conducted using headphones and earphones as recipients showed they are not much different than speakers, with transfer rates ranging between 300 bits/sec and 600 bits/sec over distances of 1m (3ft), 5m (16ft) and 8m (26ft). However, performance is significantly degraded when headphones are used both by the sender and the recipient — it only works over a distance up to 3m (10ft) at a maximum of 250 bits/sec.
One note is these are upper theoretical transmission rates. In practice, the transfer rate is influenced by environmental noise, the position of the transmitter and receiver, and bit error rates.
“Our experiments show that at a distance of three meters between two speakers, a transmission rate of 166 bit/sec results in a one percent bit error rate, during the exfiltration of a 1Kbit binary file,” the researchers said in their paper.
“However, at distances of 4-9 meters, the one percent bit error rate is only achieved at transmission rates of 10 bit/sec,” they said. “Our waveform analysis shows that the signal quality is degraded at distances greater than four meters mainly due to the environmental noise, which results in a lower SNR.”