Computers

Scientists jump the "air gap" with hidden acoustic networks

Computer scientists have successfully transmitted data between laptop computers using only their built-in microphones and speakers (Image: Shutterstock)
Computer scientists have successfully transmitted data between laptop computers using only their built-in microphones and speakers (Image: Shutterstock)

It could be assumed that the most effective way to safeguard your computer against the threat of cyber attacks would be to disconnect it from all networks: wireless, LAN, network cards or the internet. However, research from the Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE) has demonstrated a malware prototype with the ability to jump the "air gap" – meaning even that once surefire security measure might not be enough to ensure the protection of your computer.

Computer scientists Michael Hanspach and Michael Goetz conducted an experiment involving five computers which connected to one another using their built-in microphones and speakers to form an inaudible acoustic network. The data was able to be transferred from one computer to another until it reached one with a regular internet connection that was able to take the signal "outside."

The scientists selected a near ultrasonic frequency range which saw data communicated between the computers within a range of 19.7 m (64.6 ft), all without a connection to a central access point or router. Hanspach says the same technique might also be used to transfer data between smartphones or tablets.

According to the research paper, networks relying on acoustical communication are seldom used because of the much higher bit rates and ranges offered by radio transmission. However, as the electromagnetic waves used in radio communication are highly absorbed by sea water, acoustical networks have proven useful for underwater data transmission.

With this knowledge, Hanspach and Goetz adapted a system previously developed by the Research Department for Underwater Acoustics and Marine Geophysics in Germany to form the acoustical network, enabling the data transmission between laptops using only inaudible sounds. Despite the breakthrough, the technology has considerable drawbacks – namely a transmission rate of 20 bits per second.

In the past, we have seen similar technology using inaudible sound frequencies to create an alternative to NFC and to transfer inaudible QR codes. However, the network proposed by the German scientists is the first to establish a data transmission between computers purely through acoustical communication.

The scientists also explored various countermeasures against the dangers of acoustical covert networks. The first (and most obvious) option is to switch off audio input and output devices. Failing this, the implementation of audio filtering offers an alternative approach whereby the specific frequencies used by the acoustic network could be filtered out with a bandpass filter (a device that passes frequencies within a certain range, and rejects those outside).

The scientists are skeptical that their research demonstrates an effective way of spreading malware at present. However, they are mindful of the potential dangers "audio botnets" may present in as little as five years, citing critical infrastructure as something that may one day be susceptible.

The team's research is published in the online edition of the Journal of Communications.

Source: Fraunhofer

  • Facebook
  • Twitter
  • Flipboard
  • LinkedIn
11 comments
Slowburn
If there is a way for the computers to communicate some jackwad will use it to do damage.
Onihikage
*sigh* Yet another tech news site publishing an article on this stupid crap. The researchers made an acoustic network, then demonstrated that it could transmit and receive malware. Of f██ing course an acoustic network is vulnerable to malware - ALL networks are. That's why we have antivirus software and firewalls!
felix
But the malware has to already be installed on both the sender and the receiver, so its not like your computer can be infected while not connected the the internet.
ivan4
So here we have what is essentially an acoustic modem. I remember using those as a simple network for two computers in the 80s.
The other thing to consider is the fact that most industrial computers do not have microphones attached nor sound cards installed. Which begs the question, how will this work to spread malware over the air gap in industry?
As it stands this is just children without experience in industry playing with laptop computers.
Catweazle
So what's new?
Way back in the early 1980s I had Sinclair Spectrums communicating in Morse code via their speakers and cassette ports.
Sharky67
Please stop repeating this story with a slant toward "The End Is Nigh". As remarkable as the tech is, it is far cry from the suggestion an impending day of Malware dominance is closer than we think. It should also be noted it's almost untruthful to plant the notion that powered-off PC's everywhere could potentially be exposed.
Fact: This was an orchestrated test based on a theory, a theory that was only discovered by sheer fluke over 6mths ago. That discovery took place in a protected and controlled environment. This latest "proof" was also gained from a controlled environment.
Fact: A powered-off PC cannot receive anything ..... unless it's already infected and has been commandeered to do so.
Fact: The original discovery of this phenomena was believed to be related to a malware transmission via a USB stick. One does not simply tel-net into Mordor, nor does one simply gain control of a powered-off PC. It takes a fair bit of tech in both cases. And even then once the PC is infected it can only jump the "air-gap" provided there's something close enough. Hardly capable of taking down the masses.
Fact: There are much more prevalent malware and trojan threats delivered in much more efficient ways, might I suggest delivery via this method is far too time consuming to code and execute.
Please return to your regular quality of journalism and refrain from fanning the flames of paranoia. This story is a pre-designed framework of hypothesis and theory, who's lab-test results appear to be taking on the form of the next great viral internet sensation.
nutcase
"When I click my fingers you will wake up feeling refreshed and happy" Computers hypnotizing computers. Who would've thought?
MQ
AS with those preaching moderation on the scary front.
Just because a computer may have an active microphone and speakers, does not mean that these can be used for any kind of network communication. The software (and possibly hardware for a more efficient system) must be installed in order for the inputs at the microphone to allow the computer to perform any other action than to relay, or record the audio. As some commenters above mention, sure this network software could be installed as a form of malware and so could any virus, trojan or other bot. More likely is, that if this is seen as a replacement for low baud rate local area blue-tooth type connectivity, it may be a feature in future systems, or you may download it as an app for current devices.
Of course it could be misused, just as a bluetooth or wi-fi enabled device can be used as a bridge between unconnected computers and computers with an internet gateway, given the correct connectivity setings and software. (note or even create an ad-hoc network without internet connectivity)
There are wifi sniffers which can break through (some) wifi security measures, so should we all fear using wifi.
If someone with true intent wants to hack your system, they will do it. Internet security starts with not allowing others access to passwords and encryption keys, be smart and stay safe...
(As an aside: Probably the easiest way (def. not legal) to hack a system starts with installing clandestine audio and video recording devices in the vicinity of PC/laptop/etc, hell just comprehensively bug their premises, wouldn't that freak you out. Observe their habits and security measures first hand, then crack their system.)
Technology changes we all must adapt.
Thierry Phillips
One thing most are ignoring is the level of voice control currently implemented, which is apt to expend greatly (probably exponentially). I think the future threat is much more substantial than most are willing to recognize, also given the defacto standard for IoT devices already is 64-bit if not multi-core. Ivan4's point about industrial deployment is becoming moot as so much is embedded, it becomes a substantial chore to disable very useful hardware components due to their vulnerability. It will probably be necessary going on, unless effective security gets embedded as well, and I don't see that much happening yet, so it's at least in the next replace/reequip cycle.
Kris Lee
That you do not understand the implications of this demonstration, does not make it less significant.
It shows that it is very hard to isolate one computer from the network when any possible hardware for modulation is available.
You claim that it is not practical? You should think harder and more out of your daily bubble.
For example what about journalists handling sensitive information using isolated laptop that is never connected to the network?