Slashdot Mirror


Researchers Build Covert Acoustical Mesh Networks In Air

An anonymous reader writes "Researchers at Fraunhofer FKIE, Germany have presented a paper on covert acoustical communications between laptop computers. In their paper 'On Covert Acoustical Mesh Networks in Air', they describe how acoustical communication can be used to secretly bridge air gaps between computers and connect computers and networks that are thought to be completely isolated from each other. By using ad-hoc routing protocols, they are able to build up a complete mesh network of infected computers that leaks data over multiple hops. A multi-hop acoustical keylogger is also presented where keystrokes are forwarded to an attacker over multiple hops between different office rooms. The fundamental part of the communication system is a piece of software that has originally been developed for acoustic underwater communications. The researchers also provide different countermeasures against malicious participation in a covert acoustical network. The limitations of air gaps have been discussed recently in the context of a highly advanced malware, although reports on this so-called badBIOS malware could not yet be confirmed."

107 comments

  1. Apple already sells this by ArcadeMan · · Score: 3, Funny

    It's called AirPort.

    1. Re:Apple already sells this by Anonymous Coward · · Score: 0

      Acoustic means with hearing.

      Not EM, but vibrations of air.

    2. Re:Apple already sells this by ArcadeMan · · Score: 4, Funny

      Vibrations of air, like the woosh that just went over your head?

    3. Re:Apple already sells this by Anonymous Coward · · Score: 0

      Apple fanboys would claim that Apple invented air, so I wouldn't be surprised.

    4. Re:Apple already sells this by Anonymous Coward · · Score: 1

      Everyone knows IBM created air.

      Apple just made it cool to breathe.

    5. Re:Apple already sells this by Anonymous Coward · · Score: 0

      Everyone knows IBM created air.

      I thought that was Adobe.

    6. Re:Apple already sells this by Anonymous Coward · · Score: 0

      Maybe he just didn't think the joke actually worked.

    7. Re:Apple already sells this by davester666 · · Score: 1

      No. Adobe makes it suck.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Three words: by Anonymous Coward · · Score: 0

    White noise generator

    1. Re:Three words: by Anonymous Coward · · Score: 0

      At what power?

    2. Re:Three words: by TechyImmigrant · · Score: 1

      Two words: Walsh codes

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    3. Re:Three words: by Anonymous Coward · · Score: 0

      At what power?
      (This exact comment has already been posted. Try to be more original...)

    4. Re:Three words: by TechyImmigrant · · Score: 1

      Enough energy per bit to do what needs doing.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    5. Re:Three words: by Minwee · · Score: 2

      Good idea. You could turn up the noise level to defeat just about anything, and then call it The Cone Of Silence.

      Who could possibly object to that?

    6. Re:Three words: by TechyImmigrant · · Score: 1

      You don't have to turn up the noise level. Just run quieter symbols for longer and add bucketloads of FEC.

       

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    7. Re:Three words: by Anonymous Coward · · Score: 0

      White noise generator

      How about- don't hook up any speakers or microphones in the first place?

  3. Lock down I/O by l2718 · · Score: 3, Funny

    An "air gap" means making sure a computer cannot exchange information with other computers. LAN is one way to do so, but other sensors on the computer can be used for input, and other devices for output. Is it really a surprise that the microphone on a computer can be used as an input device?

    1. Re:Lock down I/O by K.+S.+Kyosuke · · Score: 2

      I guess it's time for us to upgrade to vacuum-gapped computers.

      --
      Ezekiel 23:20
    2. Re:Lock down I/O by VVelox · · Score: 1

      Nah. The surprising bit is the lack of bandpass filters.

    3. Re:Lock down I/O by marcello_dl · · Score: 4, Insightful

      You mean downgrade? What about the old desktop box with no mic, an easily detachable and crappy speaker for beep, no wireless stuff integrated into the CPU as an anti theft device, no official wireless modem, and always-on fans at a fixed speed (to stop in his tracks the resourceful black hat that one day will try malicious communication over fan freq.).

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    4. Re:Lock down I/O by Somebody+Is+Using+My · · Score: 2

      I see your vacuum-gapped computer and raise you a webcam + CAPSLock LED.

    5. Re:Lock down I/O by bhassel · · Score: 2

      I wonder what sort of bitrate you could get by modulating energy consumption...

    6. Re:Lock down I/O by sjames · · Score: 1

      Make sure there's plenty of air in that gap though so one machine can't communicate by busying and idling its CPUs to alter air temp.

      Then lock down your "not security critical" read only monitors for power consumption etc. Also your security cameras lest someone have fun with the location lights.

    7. Re:Lock down I/O by viperidaenz · · Score: 1

      You're surprised someone cheapened out making consumer products?
      If 5c can be saved per unit by taking out some capacitors and inductors, they'll do it.

    8. Re:Lock down I/O by Anonymous Coward · · Score: 0

      You forgot that old desktop boxes have those noisy floppy drives...

    9. Re:Lock down I/O by Anonymous Coward · · Score: 0

      Or give everybody separate sound proof rooms/offices instead of those crappy "open office"?

    10. Re:Lock down I/O by Anonymous Coward · · Score: 0

      Not just air temperature, but the operation of your CPU creates sound. Analyzing it is called acoustic cryptanalysis, and researchers have done some amazing things, like cracking RSA keys. http://tau.ac.il/~tromer/acoustic/

      These kinds of side-channel attacks have been well known for years. Using these same vectors for penetration, however, is novel and cool, but less interesting from a theoretical perspective. Cracking RSA with a microphone is more than a little harder than using said microphone to receive some data purposefully sent.

    11. Re:Lock down I/O by fustakrakich · · Score: 1

      Somebody locked down Slashdot archives, but I broke through with my acoustic modem. The connection was kinda slow, hence the difference in time stamps

      --
      “He’s not deformed, he’s just drunk!”
    12. Re:Lock down I/O by Anonymous Coward · · Score: 0

      You'd better detach that crappy beep speaker. Reengineering a beep speaker as a microphone is an old-school hack.

    13. Re:Lock down I/O by freeze128 · · Score: 1

      I trump your webcam with a SPACE Disco.

      Checkmate!

  4. Space Gap by Cold+hard+reality · · Score: 1

    Soon we'll have marketers pitching space-gapped machines, so even the acoustics are blocked.

    1. Re:Space Gap by OhSoLaMeow · · Score: 2

      Soon we'll have marketers pitching space-gapped machines, so even the acoustics are blocked.

      Then one computer will display moving lips and another computer will read said lips.

      I'm sorry Dave, I'm afraid I can't do that.

      --
      They can take my LifeAlert pendant when they pry it from my cold dead fingers.
  5. band pass filters by VVelox · · Score: 1

    I am really surprised so much in the way of audio electronics in computers lacks a bandpass filter to prevent interference from stuff outside of the audible spectrum.

    1. Re:band pass filters by n1ywb · · Score: 1

      What interference? Why would any engineer add cost and complexity to a design by adding (previously considered) unnecessary filtering circuitry? We talking analog filters or digital filters? Passive or active? Skirt shapes? It's not as simple as "add filters. problem solved." Really, if you are security paranoid and you don't need them, remove the speakers and mic. Now the problem really is solved. You can always plug in a headset.

      --
      -73, de n1ywb
      www.n1ywb.com
    2. Re:band pass filters by MightyYar · · Score: 2

      Filters usually have some consequence. Something approaching an ideal low-pass filter can be applied to a recorded signal, since you can assume a zero level before and after the recording. But a real-time filter has to make compromises and will result in some kind of distortion (ringing artifacts mostly). You can improve things by adding a delay, but if this delay is too long then you run into latency problems for real-time applications like chat. I'm sure you could produce something of acceptable quality, but it wouldn't necessarily be trivial or transparent.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re:band pass filters by AK+Marc · · Score: 1

      The only computers I've ever owned with a built-in mic were laptops. Is this really a problem for secure computers? Do business-grade desktops all ship with microphones now?

    4. Re:band pass filters by jafac · · Score: 1

      I guess that, IN THEORY, any speaker can be a microphone. If only there is a circuit that can read voltage levels induced on the speaker-coil by air vibrations on the membrane. (in hardware terms, you can just connect a speaker as a microphone - but in computer-terms, there probably is not the audio-input digitizer on that physical channel, on most audio boards).

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    5. Re:band pass filters by Anonymous Coward · · Score: 3, Informative

      You're both uninformed. Computers don't lack filters. There are analog low pass filters on all audio inputs, because they're necessary (see the Nyquist/Shannon sampling theorem). The thing is, the cutoff frequencies are necessarily above the audible range, because there are no perfect "brick-wall" filters. For systems with sampling rates higher than 44.1kHz, the cutoff frequencies are far above the audible range. Otherwise what would be the point of providing the high sampling rate? Yes, it's audiophile hocus-pocus, but people buy it. None of this is relevant to the topic though, because the researchers used frequencies which are theoretically audible. But most adults don't hear much above 15kHz, so they don't notice these "audible" frequencies. When TVs were still called "tube", did you hear a high pitched sound in TV stores? If not, your audible range is already significantly diminished. The horizontal frequency is ca. 16kHz and the oscillating magnetic field caused parts in some TV sets to vibrate and emit noise at that frequency.

    6. Re:band pass filters by Anonymous Coward · · Score: 0

      Thanks! It makes me physically ill when I walk into a cheap tv store with what I suspected was badly tuned oscillators of some kind but didn't know what. People did not believe me.
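
A defender-side check that follows from the band-pass filter thread above, as an added example that is not from the paper or from any commenter: it scans microphone samples for a sustained narrowband tone in the upper audible range that most adults no longer notice. The 17-20 kHz watch band, the -50 dBFS threshold, the window sizes and the test signal are all assumptions constructed for illustration.

```python
import math
import random

RATE = 48_000                # assumed capture rate (Hz)
WINDOW = 512                 # samples per analysis window (about 10.7 ms)
BAND_HZ = (17_000, 20_000)   # assumed watch band: above most adult hearing
STEP_HZ = 125                # probe spacing, close to the window's resolution
THRESHOLD_DBFS = -50.0       # assumed alert level relative to a full-scale tone
MIN_WINDOWS = 8              # consecutive hot windows before alerting (about 85 ms)

HANN = [0.5 - 0.5 * math.cos(2 * math.pi * i / (WINDOW - 1)) for i in range(WINDOW)]
PROBES = list(range(BAND_HZ[0], BAND_HZ[1] + 1, STEP_HZ))


def goertzel_dbfs(windowed, freq):
    """Level of one Hann-windowed block at `freq`, in dB relative to a full-scale sine."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in windowed:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    # A sine of amplitude A through a Hann window has |X| of about A * WINDOW / 4.
    return 10.0 * math.log10(max(power, 1e-30) / (WINDOW / 4) ** 2)


def scan(samples):
    """Return one dict per sustained in-band tone: start_s, end_s, peak_hz, peak_dbfs."""
    alerts = []
    start, best = None, None          # first window of the current run, loudest (dBFS, Hz)
    n_windows = len(samples) // WINDOW
    for k in range(n_windows + 1):    # the extra pass closes a run that reaches the end
        hit = None
        if k < n_windows:
            block = [x * w for x, w in zip(samples[k * WINDOW:(k + 1) * WINDOW], HANN)]
            level, freq = max((goertzel_dbfs(block, f), f) for f in PROBES)
            if level >= THRESHOLD_DBFS:
                hit = (level, freq)
        if hit is not None:
            if start is None:
                start, best = k, hit
            else:
                best = max(best, hit)
            continue
        # A single hot window (a click, a key press) is ignored; a data link has to
        # keep its carrier up for many windows in a row.
        if start is not None and k - start >= MIN_WINDOWS:
            alerts.append({"start_s": start * WINDOW / RATE, "end_s": k * WINDOW / RATE,
                           "peak_hz": best[1], "peak_dbfs": best[0]})
        start = best = None
    return alerts


def constructed_capture(carrier=True, click=False, n_windows=56, seed=1):
    """Constructed signal: loud 440 Hz tone plus faint noise, with an optional quiet
    18.6 kHz carrier during windows 16..39 and an optional single-sample click."""
    rng = random.Random(seed)
    on, off = 16 * WINDOW, 40 * WINDOW
    out = []
    for i in range(n_windows * WINDOW):
        t = i / RATE
        x = 0.5 * math.sin(2 * math.pi * 440 * t) + rng.gauss(0.0, 0.002)
        if carrier and on <= i < off:
            x += 0.02 * math.sin(2 * math.pi * 18_600 * t)   # 28 dB below the 440 Hz tone
        out.append(x)
    if click:
        out[20 * WINDOW + WINDOW // 2] += 0.8   # broadband transient, one window only
    return out


if __name__ == "__main__":
    for name, capture in [("carrier", constructed_capture()),
                          ("quiet room", constructed_capture(carrier=False)),
                          ("click only", constructed_capture(carrier=False, click=True))]:
        print(name, scan(capture))
```

The click case is the one worth noting: it crosses the level threshold for a single window and is still not reported, because only a run of consecutive windows counts.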

  6. Air Gaps are Evil by TechyImmigrant · · Score: 3, Interesting

    Air gaps are a liability. They do not work as advertised. Covert audio channels have nothing to do with it.

    When you put a computer in a faraday cage with an air gap, you still need the computer to have some input and output in order to be useful.
    So the air gap requires that a human periodically walks into the room and interacts with the machine. At this point, the options for undermining the security of the system have gone up exponentially.

    The reality of air gaps is that key signing ceremonies take place with several people packed in the room, while CDs are passed back and forth and put in the machine holding the CSRs, the software and signed certs.

    If you instead had a wire to the machine in the room, you could monitor the transactions over the wire. You could ensure a non turing complete language is used in the wire protocol. You can deny humans access. You can apply defense in depth to a wire. Not so much to a room full of humans.

    Air gaps are evil.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:Air Gaps are Evil by TheCarp · · Score: 1

      The reality of air gaps is that key signing ceremonies take place with several people packed in the room, while CDs are passed back and forth and put in the machine holding the CSRs, the software and signed certs.

      So because people often conduct their air gapped business in a flawed manner, air gaps are useless? Sorry, I don't follow.

      Wouldn't it be better to....embrace the power of AND?

      Have an air gap AND pre-compute QR codes or some other encoding that doesn't require the loading of potentially insecure media in order to verify/sign keys?

      or

      Use two machines, one for loading/verifying keys, with a serial line to a second box, setup to only allow file transfers in over the serial line.... transfer file... log on to console... sign.

      Preferably (to limit possibilities for data exfiltration) have the serial cable be one-way only and use QR or similar to get signed keys back out.

      --
      "I opened my eyes, and everything went dark again"
    2. Re:Air Gaps are Evil by mlts · · Score: 4, Insightful

      The perfect is the enemy of the good.

      Air gaps may not be perfect. If one gets physical access, then things are hosed. However it does do a good job at removing an entire type of attack, i.e. from remote. An attacker would have to have a "boots on the ground" presence in order to get software on the machine to use audio as a media layer with another machine to decode it.

      Yes, it can be a threat, but it doesn't completely negate the benefits of air-gapping, and it is still prudent to keep the key signing boxes well off any network.

      As always, if someone has access, no matter how sophisticated the defense, it likely can be bypassed somehow.

    3. Re:Air Gaps are Evil by AK+Marc · · Score: 2

      You can have secure or usable, not both. And when you get so secure as to be unusable, the users will undermine security for usability. Air gaps are almost always done in a way that doesn't improve security.

    4. Re:Air Gaps are Evil by DavidTC · · Score: 1

      Do you even have the slightest idea how key signing works?

      People sign keys on their own computer. Because you sign someone's _public_ key (Which of course is freely available over the internet, although obviously you should confirm it is their key before signing it.) with your _private_ key.

      There's no reason for _anyone_ to access anyone else's computer while signing keys.

      But none of that has anything to do with air-gapped computers, which have exactly no role to play in this. Why? Because people do not take air-gapped computers places and leave them unattended. Hell, they probably don't ever take them places, period. That entire concept is perhaps the ultimate in absurdity.

      I know it allows you to feel extremely smug imagining some sort of universe where some other smug idiots take air-gapped computers and set them up and _leave them unattended_ while running around handing out keys at a key signing party, and now you're smarter than them.

      However, I am sad to say, you have literally just invented those people out of thin air.

      There probably are people who have their PGP private keys on some air-gapped computer...and that air-gapped computer is almost certainly stashed in a safe at their house and otherwise never out of their sight. When they sign a key, they get handed it on CD or USB, and it's carried home with them, signed, and carried back out.(1)

      Those people at key signing parties? _Those_ people are not air-gapped, and 99% of the time they're downloading everyone's key off the internet and everyone's just wandering by and confirming their hash.

      1) Now, they do have to get the key from somewhere, which I guess in theory introduces some sort of security issue in that they are accessing something externally...but if their computer is so insecure as to be exploitable via inserted CD or USB then their computer is probably already hacked, and it's hard to imagine how that is a security issue while transferring things around a random network is not. You actually can confirm a USB device is legit. (Granted, there are firmware hacks and other fake USB things...but that's why you find some old random flash drive somewhere and use _that_ to actually transfer the files in and out. Or just get a DVD-RW.)

      --
      If corporations are people, aren't stockholders guilty of slavery?
    5. Re:Air Gaps are Evil by TechyImmigrant · · Score: 1

      >Do you even have the slightest idea how key signing works?
      I have deployed a real CA. The sort with an armed guard on the door. I also wrote the software.
      The fact I wrote the software (to verify the spec could work - I also wrote the cert profile spec and the security protocol that uses it) is what got me the deploying job.
      So yes.

      I'm talking about establishing a root cert for a CA in an X.509 based PKI. Not GPG or any other sort.

      >Those people at key signing parties? _Those_ people are not air-gapped, and 99% of the time they're downloading everyone's key off the internet and everyone's just wandering by and confirming their hash.

      Not that. I'm talking about vendor, implementer and 'third parties' paid to oversee the process filing into the server room while someone installs the software on a blank server, runs the scripts to make the cert, runs a script to make the NofM unlock keys which are handed to the responsible parties, takes a copy of the root cert on some media and then everyone files out again.

      PGP key signing parties are completely different and arguably a lot more resilient than X.509 PKIs.

      1) Now, they do have to get the key from somewhere

      Yes, a good RNG. I happen to know where you can find one of those.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    6. Re:Air Gaps are Evil by DavidTC · · Score: 1

      Erm, okay, you're talking about something completely different...

      ...but still not making much sense to me.

      The problem is that 'If you instead had a wire to the machine in the room, you could monitor the transactions over the wire. You could ensure a non turing complete language is used in the wire protocol. You can deny humans access. You can apply defense in depth to a wire. Not so much to a room full of humans.' you can do _on an air-gapped machine_.

      What you have just proposed doing is to put the UI of the secure machine outside the secure machine, and locking down interactions between it and the secure machine...which is fine, but there's no reason you can't put that UI _inside the air gap_. And in fact that makes much more sense.

      You, uh, just need two of them in the room. One that people can physically access, and one, locked behind bars, that they cannot, connected via a wire, with an air-gap between that system and the outside world.

      This is a bit of an overkill, though. If you are worried about the people who access the air-gapped computer being a weak link, in actuality you _build the UI with security_ (Just like your hypothetical wire protocol, but much easier.) and then don't let them physically access the CPU or disks. (I recommend an external CD-RW drive.)

      And you 'analyze' what they do by simply recording the screen and keyboard. Which you can do by either unidirectional wiring or by literally recording it with a camera. Or having watchers.

      Or, alternately, if you want, you can do it like I said and just put a UI computer in the air-gap room also. You can even render the UI computer fairly difficult to hijack by building it solely out of read-only storage. It would be the perfect place for some sort of dumb terminal that is just running a web browser connected to the actual secure machine, which is locked up inside a box inside the air-gap and none of the users can get to it.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    7. Re:Air Gaps are Evil by TechyImmigrant · · Score: 1

      That could be made to work fine. Understand what you're protecting. In this case root keys in a HSM in a server in a secured room.

      E.G. For a CA, the only things you need to ask of the server is "Sign this and return the cert". So have a wire protocol that only lets you ask that and limits side channel attacks, E.G. by quantizing ask and response timing.

      The thing you're protecting is the thing that should be behind the limited interface. The UI can swim with the sharks. You need a different set of rules for humans, that are well matched to the needs and behaviors of humans.

      But if the air gap is your first line of defense, don't put humans inside it. That's when air gaps are evil.

      I've never seen air gaps done in a way that enhances security. They could be used well, but I simply don't see it happening.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
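
The narrow wire interface described in the comment above ("Sign this and return the cert", with quantized request and response timing), sketched as an added example that is not code from the thread or from any deployed CA. The frame layout, the 500 ms tick, all names, and the HMAC standing in for the HSM's signature are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAGIC = b"SIGN"        # assumed frame tag: the only request the interface knows
MAX_PAYLOAD = 4096     # assumed upper bound for a to-be-signed blob
TICK_MS = 500          # assumed timing quantum
REPLY_LEN = 2 + 32     # status + fixed-size body, identical for success and failure


class FrameError(ValueError):
    pass


def parse_request(frame: bytes) -> bytes:
    """Accept exactly MAGIC | u16 big-endian length | payload. No verbs, no options,
    no trailing bytes: a fixed format with nothing to interpret."""
    if len(frame) < 6 or frame[:4] != MAGIC:
        raise FrameError("bad header")
    (length,) = struct.unpack(">H", frame[4:6])
    if not 1 <= length <= MAX_PAYLOAD or len(frame) != 6 + length:
        raise FrameError("bad length")
    return frame[6:]


def release_time(arrival_ms: int, now_ms: int, tick_ms: int = TICK_MS) -> int:
    """Reply slot: the second tick boundary after the arrival's tick, so the caller
    learns neither the exact arrival handling time nor how long signing took.
    If the work overran that slot, move to the next boundary, never in between."""
    slot = (arrival_ms // tick_ms + 2) * tick_ms
    if now_ms > slot:
        slot = -(-now_ms // tick_ms) * tick_ms   # ceiling to a tick boundary
    return slot


class QuantizedSigner:
    def __init__(self, sign, clock_ms, sleep_ms):
        self.sign, self.clock_ms, self.sleep_ms = sign, clock_ms, sleep_ms

    def handle(self, frame: bytes):
        arrival = self.clock_ms()
        try:
            reply = b"OK" + self.sign(parse_request(frame))
        except FrameError:
            reply = b"ER" + bytes(32)            # same size and same slot as a success
        if len(reply) != REPLY_LEN:
            raise RuntimeError("signer returned an unexpected size")
        now = self.clock_ms()
        slot = release_time(arrival, now)
        self.sleep_ms(slot - now)
        return slot, reply


class SimClock:
    """Constructed clock for the demonstration: time moves only when told to."""
    def __init__(self, start_ms):
        self.now = start_ms

    def read(self):
        return self.now

    def advance(self, ms):
        self.now += ms


def demo():
    """Three constructed requests with different processing cost.
    Returns [(release_ms, reply), ...]."""
    key = b"constructed-demo-key"               # stand-in for a key held inside the HSM
    cases = [(20, MAGIC + b"\x00\x03abc"),       # quick signature
             (180, MAGIC + b"\x00\x05hello"),    # slow signature
             (0, b"EXEC" + b"\x00\x03abc")]      # not in the protocol: rejected
    out = []
    for work_ms, frame in cases:
        clock = SimClock(10_130)

        def sign(payload, clock=clock, work_ms=work_ms):
            clock.advance(work_ms)               # simulated data-dependent signing time
            return hmac.new(key, payload, hashlib.sha256).digest()

        out.append(QuantizedSigner(sign, clock.read, clock.advance).handle(frame))
    return out


if __name__ == "__main__":
    for release_ms, reply in demo():
        print(release_ms, reply[:2], len(reply))
```

With a real clock, `clock_ms` would be a monotonic millisecond counter and `sleep_ms` a blocking sleep; the simulated clock is only there so the timing can be checked exactly.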
  7. Some Technical Details. by Jah-Wren+Ryel · · Score: 4, Informative

    They used Lenovo T400 laptops which are circa 2008 models, no extra audio hardware. They could do 20bits/sec over nearly 20 meters if they had line-of-sight between the laptops.

    --
    When information is power, privacy is freedom.
    1. Re:Some Technical Details. by gl4ss · · Score: 2

      was the earlier story about a researcher bitching about his laptop being hacked through this an advert for these guys?

      well.. he claimed to have bios infection which did the airgap jump..

      just that you can encode and decode information to and from audio isn't that much of a news.

      --
      world was created 5 seconds before this post as it is.
    2. Re:Some Technical Details. by AK+Marc · · Score: 1

      So they demonstrated bridging the "air gap" with a computer that can't be bought without a wireless card in it (at least through the channels I tried). How about a desktop. Most desktops don't come with microphones, and I don't see why you'd add one to a secure machine.

    3. Re:Some Technical Details. by pmontra · · Score: 1

      But many people add mics to their desktops to use Skype and the like. Most desktops are not bought by people who know anything about security and even when there is an IT department, they still make conference calls with their computers and need a mic.

      Anyway, maybe Vinge's Blight will take over the world with an audio malware ;-)

    4. Re:Some Technical Details. by fast+turtle · · Score: 1

      hell I didn't have to buy a fucking mic to use skype/google-talk/whatever as my god damn webcam includes one. Plug it in to video chat and I've got a live mic. Hell the damn thing is good enough for Dragon Speaking 10 to use it instead of a headset. Makes me wonder why this hasn't happened before (remember the movie Silent Running - Sci-fi http://en.wikipedia.org/wiki/Silent_Running) where the droids/bots were taught to play poker (cheated using sounds). That's from 72 and was probably produced in 70 (40+ yrs ago for the fucking concept). Seems that nobody bothers to read anything nowadays other than fucking comic books.

      Shit as a kid, I used to read stuff like the "Hardy Boys", "Nancy Drew", Remember "Tom Swift?" along with F&SF/Galaxy/Analog and a whole rash of exotic fiction. Now get off my fucking lawn

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    5. Re:Some Technical Details. by Anonymous Coward · · Score: 0

      Something about those laptops. I have a T61 and I've tested this. With the microphone disabled in BIOS it will still record audio. Much less sensitive, but try it, and then take a look in Audacity at it.

    6. Re:Some Technical Details. by Anonymous Coward · · Score: 0

      Someone still reads Tom Swift, or they wouldn't have named the TASER after him. (Thomas A. Swift's Electric Rifle), though the A. was added by Taser.

    7. Re:Some Technical Details. by akozakie · · Score: 1

      As far as I recall he claimed no such thing. He claimed that the malware updated through the air gap. Quite a different thing than hacking - you already have an audio-networking-capable software on both communicating boxes.

      This would mean that malware using this technique is already in the wild. Quite an ad for someone offering any protection from this, but if confirmed - very interesting.

    8. Re: Some Technical Details. by ceoyoyo · · Score: 2

      Skype works extremely poorly on an air gapped machine.

    9. Re: Some Technical Details. by pmontra · · Score: 1

      Mmm, you're right and I didn't pay attention. Sorry.

    10. Re:Some Technical Details. by Anonymous Coward · · Score: 1

      well.. he claimed to have bios infection which did the airgap jump..

      No, actually he did not. It was a variety of supposedly tech-savvy journalists with poor reading comprehension skills who made that claim.
      What the original guy claimed (yes, I read his actual blog) was that once infected, the malware was using acoustical networking to maintain the infection while he was attempting to clean the system. He never made any claims that the acoustic networking was the original infection vector.

    11. Re: Some Technical Details. by DavidTC · · Score: 1

      Now I'm imagining someone trying to transmit a Skype conversation over the air-gap via audio. Or just the audio, at least.

      It seems extremely silly, but then I started thinking about a hypothetical audio bug that literally just relayed the audio _as_ encoded audio...but in a way that was easier to hear through walls and windows and stuff. Like pumping it at higher volume, but at frequencies we couldn't hear. Or doing it much slower (Presumably with some sort of voice activation so it would only record 8 hours of audio a day, or whatever, and could take 24 to play it back.) which would allow more error correction.

      Everyone always talks about the higher-than-human audio frequencies, but I wonder...if you encode it tight enough, and can transmit audio 24/7 and it's not recording that much, could you possibly transmit it on _lower_ frequencies?

      Of course, no one actually knows if this is workable but the CIA.

      But transmitting data is easy if you can get someone inside where the data is. For example, I once had a weird idea for a bug that pretended to be a CFL bulb, but it would slightly modulate the light frequency in response to audio. I think intelligence services have actually done that sort of thing before, but it was amplitude modulation whereas I'm talking about frequency modulation.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    12. Re:Some Technical Details. by Anonymous Coward · · Score: 0

      So did they just flash the screen on and off and use the webcam to read it? ;-)

      (yeah, yeah, I know it's not "acoustical", but then acoustical isn't a word, so who's to say that visual morse code isn't applicable?)

    13. Re:Some Technical Details. by bill_mcgonigle · · Score: 1

      Quite an ad for someone offering any protection from this, but if confirmed - very interesting.

      And now you know why infosec hackers play thrash metal all the time.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    14. Re: Some Technical Details. by ceoyoyo · · Score: 1

      Higher frequencies don't work very well through obstructions (these guys specify line-of-sight). Low frequencies though, go through walls better. Presumably you could record and compress audio, then retransmit it using lower frequency sound. The problem is, creating low frequency sound waves requires large speakers, and we hear fairly well down to quite low frequencies.

      Modulating the frequency of a conventional light source is pretty difficult. You could use an LED and slightly manipulate the colour mix though.

  8. So I have to disable my audio hardware now? by bobbied · · Score: 2, Informative

    Oh great... Can't you hackers just leave well enough alone?

    I've had to disconnect my network cable, remove the wireless card, and disable all the USB ports to make my machine secure and now I have to disable the audio hardware too? Man, this is getting out of hand..

    Seriously though... This is new how? We have been sending data using audio cards between computers for decades. I remember cranking up the cassette tape drive to load programs into my TRS-80 in high school and hooking up to an acoustic modem to get on dial up AOL. Recently I've used my computer to talk to another computer halfway around the world through an RF link provided by my ham radio. Hams routinely transfer "data" over packet, PSK and other modes over audio links using their audio cards in their computers.

    Oh, wait, so the ad-hoc links are the new thing? Um, not so fast there either. Mesh networks have been around long enough to fall in and out of favor once or twice. Ham radio operators might know about HSMM Mesh http://www.broadband-hamnet.org/ has been doing mesh networks for nearly a decade, and the protocol it uses internally wasn't the first. So this is not new..

    I conclude that NOTHING here is new, except perhaps combining an audio network link with a mesh networking protocol.... But I don't see that as ground breaking..

    The only thing this will really do is make it necessary to disable/remove audio hardware from secure computers, just because somebody might try to use it for something stupid. Thanks guys (and gals if there are any working on this) for making my life harder...

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:So I have to disable my audio hardware now? by Theaetetus · · Score: 1

      This is new how? We have been sending data using audio cards between computers for decades. I remember cranking up the cassette tape drive to load programs into my TRS-80 in high school and hooking up to an acoustic modem to get on dial up AOL. Recently I've used my computer to talk to another computer halfway around the world through an RF link provided by my ham radio. Hams routinely transfer "data" over packet, PSK and other modes over audio links using their audio cards in their computers.

      Oh, wait, so the ad-hoc links are the new thing? Um, not so fast there either. Mesh networks have been around long enough to fall in and out of favor once or twice. Ham radio operators might know about HSMM Mesh http://www.broadband-hamnet.org/ has been doing mesh networks for nearly a decade, and the protocol it uses internally wasn't the first. So this is not new..

      I conclude that NOTHING here is new, except perhaps combining an audio network link with a mesh networking protocol.... But I don't see that as ground breaking..

      Maybe you missed the "covert" part. If your computer was hissing and whining away like a 56kbps modem to talk to the computer in the room next door, you'd probably notice.

      ... Although, maybe not, since it's the third word in the /. headline and second word in the article headline, and yet you still missed even this rudimentary visual communication.

    2. Re:So I have to disable my audio hardware now? by bobbied · · Score: 1

      You haven't been in my lab, it's pretty loud in there... Earplugs are standard and in fact are issued for free just inside the door. So, I might or might not hear a PSK conversation over the din. However, such an environment would not be very hospitable to acoustic communications in the first place. But I don't think that trying to be covert is going to do anything but lower your throughput to near useless.

      Like in RF communications, AF links will need to have a minimum S/N ratio and bandwidth. If you keep the used frequency out of the normal audio range (say above 16 kHz where only a few folks might hear it) you are going to have to be loud enough and use enough bandwidth that it's going to be hard for even deaf old guys like me not to notice. You might get by me with a carrier centered on 16 kHz, but if you are trying to transfer data at any kind of useable data rate (say 9600 bps) you will have a minimum bandwidth of about 10 kHz. Keeping things above 16 kHz means you're going to be transmitting between 16 and 26 kHz, which is way outside the usable specs of almost all audio hardware (speakers and microphones) I've happened onto in real life. So the only choice is really going extremely low bandwidth or venture into non covert frequencies and risk detection. I say this is either easily heard, not that useful, prone to interference or low bandwidth.

      Nevertheless, I'm guessing the next thing I'm going to have to do is disable/remove all of the audio hardware..

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:So I have to disable my audio hardware now? by Theaetetus · · Score: 1

      You haven't been in my lab, it's pretty loud in there... Earplugs are standard and in fact are issued for free just inside the door. So, I might or might not hear a PSK conversation over the din. However, such an environment would not be very hospitable to acoustic communications in the first place. But I don't think that trying to be covert is going to do anything but lower your throughput to near useless... I say this is either easily heard, not that useful, prone to interference or low bandwidth.

      And since we're talking about transferring small pieces of data, such as user names, passwords, account numbers, etc., you're talking about maybe 10-12 bytes at a time, tops. It could take a minute and you'd never hear it.

    4. Re:So I have to disable my audio hardware now? by Gim+Tom · · Score: 1

      You covered most of what I was going to say except that in my younger days I could almost always hear the flyback whine from any CRT raster scan device be it TV or monitor. I think those generally operated in about the same frequency range as this technique does so many younger people should be able to HEAR the stealth transmissions just fine. On another note our Ham Radio club used HSMM routers during field day this year to connect the operating positions around the large field with the logging computer and it worked far better than expected, and better than straight Wi-Fi had in previous years. 73 OM

    5. Re:So I have to disable my audio hardware now? by dpidcoe · · Score: 1

      You covered most of what I was going to say except that in my younger days I could almost always hear the flyback whine from any CRT raster scan device be it TV or monitor. I think those generally operated in about the same frequency range as this technique does so many younger people should be able to HEAR the stealth transmissions just fine.

      They may hear it, but will they notice it? Intermittent and faint high pitched frequencies are common around electronics, I don't think I'd flag that sound as out of the ordinary under normal circumstances.

    6. Re:So I have to disable my audio hardware now? by fufufang · · Score: 1

      You could wear headphones, you know...

    7. Re:So I have to disable my audio hardware now? by bill_mcgonigle · · Score: 1

      Thanks guys (and gals if there are any working on this) for making my life harder...

      If it's nothing new, why does it make your life harder? Ah-ha!

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  9. What? by Anonymous Coward · · Score: 0

    No one can hear this going on?

  10. Sound off by Impy+the+Impiuos+Imp · · Score: 1

    OH. MY. GOD. Air gaps.

    I thought my tinfoil hat was sufficient, but you're telling me I now have to worry about sounds going in my ears that modify my behavior!?!?!

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  11. This is really, really simple to understand by nctritech · · Score: 4, Insightful

    Without the software required to use the hardware for communication, the communication doesn't work. If your air-gapped computer has not been infected prior to air-gapping, this simply can't work. I can smell conspiracy theorists a mile away with "but what about malicious BIOSes or pre-infected hardware designs or..." and the solution for all of those remains the same: if it's that big of a concern, remove it from the computer. Rip open the laptop and disconnect or desolder the speakers and microphone, and while you're in there you can heat-gun off the magnetics for the network card and all the external USB port connectors. If you're gonna do paranoid, you might as well do it right.

    1. Re:This is really, really simple to understand by mlts · · Score: 1

      I wonder if this would be a niche market for a company. Create an x86 motherboard that is epoxied tight, and the only thing coming out would be a serial port, a power port, a MicroSD card slot for the OS, and a SD card to handle data.

      Maybe another version might have a USB connector for the keyboard and mouse (with the BIOS limiting the devices connected to those ports to just HIDs), and a VGA connector for the monitor.

      Stick all this in a tamper-resistant aluminum case, and it might sell as a poor man's HSM for RSA keys. Copy what needs to be signed onto the SD card, sign it, copy it off.

    2. Re:This is really, really simple to understand by Anonymous Coward · · Score: 0

      And yet, if you buy a new Intel chip, they'll include a cell modem for free! http://www.popularresistance.org/new-intel-based-pcs-permanently-hackable/

    3. Re:This is really, really simple to understand by VortexCortex · · Score: 1

      I think I'll call it: System on a Chip. Or, just get an old beige box x86 with no USB -- Has serial ports, no sound card, etc.

      Look, the problem is that provably secure operating systems and software are possible to create, but prohibitively expensive to create and maintain. Before some nutter harps on about a "halting problem": No, stop it. Computers have FINITE state. I have written drivers (and small embedded OSs) that are mathematically provably secure. Every combination of inputs (expected or otherwise) to every interface and function work exactly as they should and no unexpected code execution vulnerabilities exist. It's expensive as hell, but it actually can be done. Provable security can be done at larger scales too. The problem is that as long as we're prioritizing newer and shittier exploitable code over provably secure code we'll have these software problems.

      As to the matter of routing out Ken Thompson Microcode Hacks -- Well, there's answers to that too which are just as expensive.

      TL;DR: Your shit's insecure only because you accept it to be that way.

    4. Re:This is really, really simple to understand by nctritech · · Score: 1

      Won't do much good with no antenna. Find the trace for it and cut it.

    5. Re:This is really, really simple to understand by bill_mcgonigle · · Score: 1

      a MicroSD card slot for the OS

      Why would you trust the MicroSD controller to not inject a known attack when presented with a special sequence of input that can be hidden in a filesystem structure?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    6. Re:This is really, really simple to understand by bill_mcgonigle · · Score: 1

      If you're gonna do paranoid, you might as well do it right.

      What's the point? We all know that Intel puts special logic in that changes the operation of the CPU given certain parameters. That's why Intel RdRand isn't directly accessible but has to be accessed through the hashing logic unit. That way They just have to sneak in a small bit of malware that will hose up your RNG and then your keys can be trivially cracked into the future.

      Then we have the news that GCC has been compromised for years, and all of the linux distros need to be completely recompiled (that's gonna hurt the mirrors).

      (apply Poe's Law liberally but don't miss the broader point)

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    7. Re:This is really, really simple to understand by bill_mcgonigle · · Score: 1

      As to the matter of routing out Ken Thompson Microcode Hacks -- Well, there's answers to that too which are just as expensive.

      Doing provably secure is one thing, but just having open, auditable code would be a great leap forward. We can be sure that the AMI BIOS contains bugs and reasonably sure that the NSA has copies of that source in their lab.

      Then, maybe somebody can work on taking the open code and working through it one function at a time to secure it.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    8. Re:This is really, really simple to understand by freeze128 · · Score: 1

      This might be a little less invasive:

      http://www.thingiverse.com/thing:126097

    9. Re:This is really, really simple to understand by JamieIanMacgregor · · Score: 1

      you're trying to tell us that an intel chip contains a 3g modem that works through the Faraday cage also known as your computer case? good luck getting a signal from in there

  12. Anyone remember bus radio? by TheCarp · · Score: 2

    Not only is it not new, I remember almost 10 years ago now, somebody had demonstrated that he could slam the bus in such a way as to generate radio signals that he could pick up on a nearby receiver.

    There was even a slashdot story about it back then, but damned if I can find anything on it now. Pretty sure it was only a one way channel but, depending on the circumstances, that could be enough.

    --
    "I opened my eyes, and everything went dark again"
    1. Re:Anyone remember bus radio? by Anne+Thwacks · · Score: 1

      That was standard practice on the PDP8 in the 1970s. There were even compilers to produce music that way. There was always a radio on top of the computer so you could tell if it got in a loop (constant frequency). Some people even knew which loop by the tone! (Cue Newton-Raphson algorithm approaching solution with a recognisable whine!)

      --
      Sent from my ASR33 using ASCII
    2. Re:Anyone remember bus radio? by Anonymous Coward · · Score: 0

      The TI-83+ calculator will give you beeps and buzzes that can be picked up with an AM radio placed suitably close. I think someone managed to use it to play music.

    3. Re:Anyone remember bus radio? by bill_mcgonigle · · Score: 1

      Neat. That's awfully useful for the Tempest van parked down the street, but for in-house peer to peer leakage you'd need a radio receiver on the other machine.

      Don't get me wrong, I can't wait to have SDR's on every device I buy, but this one is a risk worth appreciating.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  13. Soon(tm) by lapm · · Score: 1

    If malware didn't use it before, it's sure going to use it soon enough after this paper.

    1. Re:Soon(tm) by Anonymous Coward · · Score: 0

      If malware didn't use it before, it's sure going to use it soon enough after this paper.

      Most malware isn't going to have any real need for such systems.
      You can send all the acoustic network data you want, if the machines within range don't have software to support such a mechanism they simply won't pay any attention to it... it'll just be like any other noise coming into the mic. So unless your air-gapped machine is already compromised, you really don't have to worry (much) about this type of technique.
      It's more of a worry for people who are concerned about a system getting infected, then transmitting data one-way to an external system, or a nearby system which isn't secured as heavily for further relay to an external listening device.

      In terms of most malware, all this would do is give them an alternate communication channel which could help them avoid things like network-based intrusion detection systems. But frankly speaking it's going to be easier to hide your comms inside normal-looking network traffic than it is adding some type of network capability to the audio system.

  14. Finally, offices by Anonymous Coward · · Score: 0

    Finally employers are motivated enough to offer silent office spaces for every employee. The silence of the machines is a desirable feature, even without Jodie Foster - Arnold Schwarzenegger team-up.

  15. Mod parent up. by khasim · · Score: 1

    However it does do a good job at removing an entire type of attack, i.e. from remote.

    Exactly. And Bruce Schneier has an excellent article on that concept. He calls it "attack trees".

    https://www.schneier.com/paper-attacktrees-ddj-ft.html

    I think that the biggest problem here is that there isn't a recognized definition of "security" as it applies to computers.

    Security is not about becoming invulnerable. That is impossible. Mostly because there is no "secure". There is only "more secure" or "less secure" than your starting point.

    Improving security is, initially, about reducing the number of people who can EFFECTIVELY attack you. Then increase the number of people REQUIRED to attack you.

    And that isn't even addressing the issue of whether you KNOW that you're being attacked and/or whether the data has been compromised.

  16. BadBIOS? by Peter+Simpson · · Score: 1

    Interesting timing, considering the recent exposure (and debunking?) of BadBIOS "acoustical networking".

    1. Re:BadBIOS? by Anonymous Coward · · Score: 0

      Actually the BadBIOS guy was referencing these guys. ./ is just lagging behind.

    2. Re:BadBIOS? by Anonymous Coward · · Score: 0

      On Covert Acoustical Mesh Networks in Air (RE: Bad Bios)

      "Abstract-Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilizes audio modulation/demodulation to exchange data between the computing systems over the air medium. The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilizing the near ultrasonic frequency range.

      We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a botnet or malnet that is accessible via nearfield audio communications. Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analyzing audio input and output in order to detect any irregularities."

      Index Terms-malware, network covert channels, wireless mesh networks, ultrasonic communication

      Cite: Michael Hanspach and Michael Goetz, "On Covert Acoustical Mesh Networks in Air," Journal of Communications, vol. 8, no. 11, pp. 758-767, 2013. doi: 10.12720/jcm.8.11.758-767

      Volume 8, No. 11, November 2013

      http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf
      http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600
      http://www.jocm.us/index.php?m=content&c=index&a=lists&catid=124

      #

      RE: #BadBios, BadBios, badbios, bad bios
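
The abstract quoted in the comment above names a host-based check on audio input and output as one countermeasure. A sketch of such a check follows; it is an added example, not code from the paper or from any commenter, and the 48 kHz sample rate, the 17-21 kHz watch band, the 0.005 threshold and the constructed test frames (including their 18 kHz tone) are all assumptions.

```python
import math

SAMPLE_RATE = 48_000         # assumption: common sound-card capture rate
FRAME = 1024                 # samples per analysis frame (about 21 ms)
BAND_HZ = (17_000, 21_000)   # assumption: "near ultrasonic" band to watch
THRESHOLD = 0.005            # assumption: share of frame energy that is flagged


def goertzel_power(samples, k):
    """Return |X[k]|^2 for DFT bin k using the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(samples))
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def band_energy_fraction(frame, rate=SAMPLE_RATE, band=BAND_HZ):
    """Fraction of the (Hann-windowed) frame energy that lies inside `band`."""
    n = len(frame)
    win = [x * (0.5 - 0.5 * math.cos(2.0 * math.pi * i / (n - 1)))
           for i, x in enumerate(frame)]
    total = sum(x * x for x in win)
    if total == 0.0:                      # digital silence: nothing to flag
        return 0.0
    lo = math.ceil(band[0] * n / rate)
    hi = min(math.floor(band[1] * n / rate), n // 2 - 1)
    in_band = sum(goertzel_power(win, k) for k in range(lo, hi + 1))
    # Parseval: each positive-frequency bin has a mirror image, hence the 2/n.
    return 2.0 * in_band / (n * total)


def flag_frames(frames, threshold=THRESHOLD):
    """Indices of frames whose near-ultrasonic energy share exceeds threshold."""
    return [i for i, f in enumerate(frames)
            if band_energy_fraction(f) > threshold]


def make_frame(index, carrier_on):
    """Constructed test audio: two audible tones, optionally a faint 18 kHz tone."""
    out = []
    for i in range(FRAME):
        t = (index * FRAME + i) / SAMPLE_RATE
        s = 0.5 * math.sin(2 * math.pi * 440 * t)
        s += 0.5 * math.sin(2 * math.pi * 1000 * t)
        if carrier_on:
            s += 0.1 * math.sin(2 * math.pi * 18_000 * t)
        out.append(s)
    return out


# Constructed capture: six frames, the high tone present only in frames 2-4.
CONSTRUCTED = [make_frame(i, carrier_on=(2 <= i <= 4)) for i in range(6)]

if __name__ == "__main__":
    print("flagged frames:", flag_frames(CONSTRUCTED))
```

On real hardware the threshold would have to be set against a baseline of the room and the machine itself, since fans, power supplies and displays also emit in this band.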

  17. "utilizing the near ultrasonic frequency range" by twmcneil · · Score: 1

    So, dogs will bark constantly when these devices are attempting to communicate? Bring Rover in to work with you. Problem solved.

    --
    "The ferrets, they're every where I tell you!"
  18. Re:Obama lies by Anonymous Coward · · Score: 1

    How much are you getting paid for this offtopic claptrap on every post? At least the "Cruz Control" guy who spews stuff how NASA should be privatized, has tried to make posts fairly relevant to the topic at hand before going into how deeply in debt we are in with China.

    There was a tenet from the old Soviets. Tell a lie often enough, and people will start believing it. Guess this is working.

  19. Re:Obama lies by Anonymous Coward · · Score: 0

    "Tell a lie often enough, and people will start believing it. Guess this is working."

    It's not just a Soviet axiom, it's also part of Alinsky's rules. So I take it you see right through the bullshit then huh? Yes Obama knows his Alinsky as well as anyone could.

    “If you push a negative hard enough, it will push through and become a positive.”

  20. Out With This so Fast? by Anonymous Coward · · Score: 0

    A few weeks ago, we all read about a new form of malware that uses acoustics, and now we have "researchers" doing writeups and building networks so soon? Hmmm. Something smells fishy here.

  21. Finally a rational explanation by deviated_prevert · · Score: 1

    Why my network crashed when I farted!

    --
    This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
  22. not going to be very fast by johnrpenner · · Score: 1

    back in the day — with TRS80 300 baud cassette loading — we thought 300 bps was pretty SSSSLLLOOOWWW..

    they managed the blazing speed 20bps (bits per second) at 3 meters using 18khz carrier frequency — and that had a faint clicking sound.

    20 bps is slower than most people type — you're not going to be transmitting any high-res jpeg images this way..

    good enough to capture and transmit a password though, or to do command-control type actions.

    heh heh — transmitting a spy app between nodes as a payload could take weeks..

    when they made it quieter so you couldn't hear the slight clicking sound — the range was http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf

  23. QR Code viruses by Tenebrousedge · · Score: 1

    The smallest viruses are well within the storage capacity of a QR code, and an exploit could be a mere handful of bytes; what makes you think that they are somehow inherently secure?

    --
    Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
    1. Re:QR Code viruses by TheCarp · · Score: 1

      Except that the QR codes are a replacement for using other, even more vulnerable media, which can hold gigabytes of extra payload.

      You have to exchange key data somehow. It doesn't matter what encoding you use as long as everyone can read it and preferably without doing anything potentially unsafe, like mounting unknown filesystems on the most protected node.

      Pretty sure I would take a QR code as an acceptable trade off between manually typing in key data for signing and mounting your usb drive (or mine on your system) to get it from you. If it meant I could avoid even mounting my own media, all the better.

      --
      "I opened my eyes, and everything went dark again"
  24. RaspberryPi FM Transmitter by Anonymous Coward · · Score: 0

    FM radio transmissions are possible on the R.Pi by toggling the spread-spectrum setting of a clock output pin.

    http://www.icrobotics.co.uk/wiki/index.php/Turning_the_Raspberry_Pi_Into_an_FM_Transmitter

  25. Been there, done that by Webmoth · · Score: 1

    "Covert acoustical mesh networks"?!? Housewives invented this thousands of years ago, only back then they called it "gossip."

    --
    Give me my freedom, and I'll take care of my own security, thank you.