The Computer Security Threat From Ultrasonic Networks
KentuckyFC (1144503) writes Security researchers in Germany have demonstrated an entirely new way to attack computer networks and steal information without anybody knowing. The new medium of attack is ultrasonic sound. It relies on software that uses the built-in speakers on a laptop to broadcast at ultrasonic frequencies while nearby laptops listen out for the transmissions and pass them on, a setup known as a mesh network. The team has tested this kind of attack on a set of Lenovo T400 laptops infected with key-logging software. They say it is possible to transmit ultrasonic signals covertly at data rates of 20 bits per second at distances of up to 20 metres in an office environment. Interestingly, the team created the covert system by adapting a protocol designed for underwater acoustic communication. They've also tested various strategies for defeating this kind of attack. An obvious option is to disable all speakers and microphones but this also prevents ordinary activities such as VoIP communication. Instead, they suggest filtering the audio signals to prevent ultrasonic transmissions or converting them into an audible frequency. This may be newer than most attack vectors, but it's not the first time that ultrasonic transmission has been demonstrated as a vulnerability; in November of last year we mentioned malware operating along the same lines, as investigated by Pwn2Own creator Dragos Ruiu.
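The summary's other countermeasure, watching the audio path for energy where VoIP never puts any, can be checked on a captured buffer without any special hardware. The following is an added example, not code from the page or from the researchers' paper: it probes a buffer with the Goertzel algorithm and compares power in an assumed 18-20 kHz "near-ultrasonic" band against the speech band. The 48 kHz sample rate, the band edges, the 0.05 threshold and the two test buffers are all constructed assumptions.

```python
import math

# Assumed parameters (not from the page): a 48 kHz codec, 18-20 kHz taken as
# the near-ultrasonic band a laptop speaker can still reach, 300-4000 Hz as
# the speech band that legitimate VoIP traffic occupies.
SAMPLE_RATE = 48000
ULTRASONIC_BAND = (18000, 20000)
SPEECH_BAND = (300, 4000)


def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Power of `samples` at `target_hz` via the Goertzel recurrence.

    Normalized so that a unit-amplitude sine centred on a DFT bin returns
    ~1.0, i.e. the result is the squared amplitude at that frequency.
    """
    n = len(samples)
    k = round(n * target_hz / sample_rate)  # nearest DFT bin
    w = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2
    return power / (n * n / 4.0)


def band_power(samples, band, step_hz=100, sample_rate=SAMPLE_RATE):
    """Sum of Goertzel power across a band, probing every `step_hz`."""
    lo, hi = band
    return sum(goertzel_power(samples, f, sample_rate)
               for f in range(lo, hi + 1, step_hz))


def ultrasonic_ratio(samples, sample_rate=SAMPLE_RATE):
    """Near-ultrasonic power relative to speech-band power.

    Ordinary voice audio keeps this near zero; a carrier parked in the
    18-20 kHz band pushes it up even when it is inaudible in the room.
    """
    hi = band_power(samples, ULTRASONIC_BAND, sample_rate=sample_rate)
    lo = band_power(samples, SPEECH_BAND, sample_rate=sample_rate)
    return hi / (lo + 1e-12)


def flags_covert_carrier(samples, threshold=0.05, sample_rate=SAMPLE_RATE):
    """True when the captured buffer looks like it carries an ultrasonic signal."""
    return ultrasonic_ratio(samples, sample_rate) > threshold


def synth(tones, seconds=0.1, sample_rate=SAMPLE_RATE):
    """Constructed test audio: a sum of (frequency_hz, amplitude) sines."""
    n = int(seconds * sample_rate)
    return [sum(a * math.sin(2.0 * math.pi * f * i / sample_rate) for f, a in tones)
            for i in range(n)]


# Constructed buffers: a voice-like pair of tones, and the same pair with a
# 19 kHz carrier added as a stand-in for the covert transmission.
SPEECH_ONLY = synth([(1000, 0.5), (2500, 0.3)])
WITH_CARRIER = synth([(1000, 0.5), (2500, 0.3), (19000, 0.25)])

if __name__ == "__main__":
    for name, buf in (("speech only", SPEECH_ONLY), ("with carrier", WITH_CARRIER)):
        print(f"{name}: ratio={ultrasonic_ratio(buf):.3f} "
              f"flagged={flags_covert_carrier(buf)}")
```

The ratio is deliberately relative rather than absolute, so a quiet room and a loud one are judged the same way; in a real deployment the threshold would be set from a baseline of the environment's own audio, and a persistent ratio above it is the signal to look at which process holds the audio device open.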
The easiest way to eliminate this threat is to lock down hardware sampling rates such that ultrasonic frequencies cannot be reliably reproduced (e.g. in the BIOS), and allow the user to flip the switch for higher rate support. At least, that's the first idea that came to mind. I'm sure it's not perfect, but it's better than "kill all audio!"
Another exploit undermines a heretofore unknown weakness.
Exploitation that doesn't kill you makes you stronger.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
WTF ? That's a covert communication channel, not an attack.
At least the original source gets that right. But what idiot writes the slashdot version of the article?
Or just stop shipping audio hardware that supports ultrasonics, given that nobody actually benefits from sampling frequencies above 48kHz (and in certain setups, it can actually distort the audio).
I use VoIP every day, but just leave my bluetooth headset dongle plugged in, so the speaker and mic are disabled. No transmission, no worries. Of course, there is only the one PC in my office since I work at home. My dog might hear the ultrasonic output though :-)
While impractical at scale, this is a very clever way to defeat things like DoD secured air-gap networks, and 20bps is easily capable of say, keylogging :)
Good people go to bed earlier.
I worked on a COMSEC job back in the '90s, and both our device and our building (particularly the windows) had countermeasures for this kind of attack.
Perhaps this is a new thing for garage hackers, but intelligence agencies have known about it for decades.
Does this mean I can get a lirc driver that works with an old Zenith clicker remote?
For this to work, the computers must already be 'owned', the fact the computers can communicate 20 meters with another infected machine is the least of the worries if you ask me.
Probably the same one who wrote a similar article about a year back.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
This. It is NOT an attack. And let's face it, very very few people have an air gap on their computers. Since that's the case, it's so much easier to just use the existing wired network or wireless network to ferret data out. 20 bits per second is hardly practical anyway, even for small amounts of data (which, today, would be classified as megabytes.)
char*f="char*f=%c%s%c;main(){printf(f,34,f,34);}";main(){printf(f,34,f,34);}
The folks who designed my desktop computer were really thinking ahead on this one: it was built without a speaker. Besides enhancing security, an auxiliary benefit of their clever "no-speaker defense" is that saved the manufacturer cost and space.
Just leave your headphones plugged in.
Headphones. Or dummy jack-plugs.
Given that the machines have to have the acoustic networking software installed on them (requiring already having root access), this is at worst a covert communications channel that could be used to bypass network security controls in order to exfiltrate information from an otherwise secure network. It has no impact on whether machines can be hacked to begin with.
cp /dev/zero ~/signature.txt
So one infected computer talks to another via this method and the other computer is infected with code that interprets it. How about just use the malicious code on the 2nd computer to do whatever you were going to do with it? For network transmission, obviously just use encryption or a web server in the middle or something.
In some circumstances, a mesh network that is non-electromagnetic based is particularly useful. Stops people intercepting traffic with powerful reception equipment.
... It's a covert transmission channel, not an attack...
A camera pointed at a computer monitor slowly shifts its average hue (a la 'f.lux') is another such example.
timothy approved it, so it means it probably was not read. I am fairly certain the slashdot staff consists of monkeys hitting randomly on keyboards that only consist of "discard" and "approve" buttons. In case I am mistaken, I consider a cat to be a valid alternative.
IKR... I read the article summary and was double face palming.
You can't install malware via the microphone inputs lol. You can only receive inputs from a preconfigured machine and the attacks still have to happen in other ways.
It tells me things that no one else knows. Things that I'm not supposed to hear.
Sometimes it tells me to do things. It told me not to tell you what they are.
Computers only talk to very special people. You wouldn't understand.
It told me to shut up now. Bye.
Why is Snark Required?
Dragos Ruiu's findings from last year were never able to be reproduced by an outsider, and were highly suspect. Sometimes you can be a brilliant security guy, and also a delusional paranoid-- and I think the general consensus was that in that scenario, Dragos was being delusionally paranoid.
The idea that various laptop speakers (all of varying and generally poor quality) will be able to reliably form a wireless network is really far-fetched, no matter how you cut it. Every laptop's mic is different, the speakers are all in different locations, some mics are gonna be off, the acoustics of the room are unknown....
There's just no way for this to reliably work.
You know, because the sound card probably isn't working right anyway (and forget about the mic).
(Joking, joking...built-in and USB soundcards work just fine on all my Linux computers.)
Yep, that's what I was thinking too.
20 bits per second is 9 kilobytes per hour. That's hardly enough to be useful even for plain text keylogging, let alone for anything more complicated (like uploading new attack code).
Keylogging is often pointless without timing and context.
In other words it's useful to know when something was written and in what window (or even input control).
If you don't have that info, you just have a jumble of characters, which makes it much harder to extract anything (i.e. passwords).
However that context info is much larger than the characters typed and a few kilobytes per hour simply won't do the job very well.
> And let's face it, very very few people have an air gap on their computers.
And so those people don't need to worry about it. It's the people with air gaps who do need to worry about it.
Your argument is kind of like saying that since the majority of people in the world don't own a car, seatbelts aren't a big deal.
To be more specific it is this story - same exact paper from November of last year.
It has Supercow Cow Powers!
That's absolutely true. If you're one of the 0.00002% who does own a car, well, then obviously you should be thinking about seatbelts. But car owners are so rare that I'll probably never meet one, ever. Seatbelts have zero effect on my life.
What is it? What is it, girl? Someone running a covert mesh network? Where's it coming from?
Prisencolinensinainciusol. Ol Rait!
Over 5 million people in the US hold secret-level or higher security clearances. Nearly all of them have work that involves classified computer systems, ALL of which are air-gapped. And that doesn't even count commercial applications where the company is concerned about industrial espionage.
Your objections here only display your ignorance, not your wisdom.
BTW, you've met at least one now.
In case of Sonic Attack...it is imperative to bring all bodies to orgasm simultaneously.
This is a good way to hide your snooping in sensitive environments that are running adaptive intrusion detection systems. It's also a way to get secure computers that aren't connected to the network, to talk to less secure computers that are. Think military. Jim falls prey to a USB based piece of malware and puts it on a DoD machine that is on their internal, secure network. It talks to an Internet-connected computer to move data from one to the other. The USB vector is exactly how the US/Israel got malware onto Iranian centrifuge controller systems, so it's a valid concern.
> That's hardly enough to be useful even for plain text keylogging,
That's funny since the paper cited in TFA includes a key-logger as part of their demonstration.
I was wondering how this speed compared to a telegraph operator sending Morse Code. Googling about, words per minute, based on the standard five characters per word plus spaces and punctuation, works out to about bps * 1.2.
http://superuser.com/questions...
So 20 bps is about 24 words per minute. Compare this to a skilled telegraph operator, who can manage 40 wpm.
http://en.wikipedia.org/wiki/M...
So yeah, it's slow, BUT for keylogging it couldn't keep up only if users typed constantly, which they don't. Plenty of time in between to do some catch up.
Would animals such as dogs work as low budget detection systems? Isn't this how dog whistles work?
Frankly I'm surprised that this could be a potential issue. I would have expected any DAC (Digital to Analog Converter) used to generate the analog sound output from any sound card or motherboard to have a low-pass filter at the range of human hearing (nominally 20 kHz).
Okay, so according to the article at one of the links, they focus on the near-ultrasonic or upper range of what is normally considered the limit of human hearing, operating near 20 kHz. This also explains why their bit or symbol rate is so low: they are presumably using a reasonably narrow baseline (audio) frequency bandwidth in terms of contemporary digital communication, though numerous methods are used in amateur radio at HF in the RF portion of the frequency spectrum, a la PSK-31 et al.
Depends on the data, doesn't it?
If I've installed something which is designed to capture passwords, your 20 bits/sec means I can transmit your password in just a few seconds.
So if all it does is say "got it, user X has this password" ... that can be pretty valuable and is likely do-able in under 30 seconds.
This may not be an attack, but it is an attack vector.
Lost at C:>. Found at C.
I thought most soundcards had a capacitor on the inputs that already filters out the higher frequencies. I read this when reading about using sound cards directly as software defined radios for receiving VLF signals. To receive higher frequencies some people have shorted the input capacitor out.
The password was GOD
Those folks wouldn't be allowed to bring their non-cleared devices into a SCIF anyways. You'd need to check your phone/laptop etc in at the front desk. Or you should be anyways.
Physical security is one of the few things the feds seem to do right with their computing systems.
You are correct - this is utter and complete nonsense. No uninfected computer is going to consider what comes into the mic channel as potentially sensible to execute, or, indeed do anything other than save it as audio data.
If your computer is in the habit of executing WAV or MP3 files, or saving audio as .exe files, you are already more than truly and completely stuffed.
Sent from my ASR33 using ASCII
> Those folks wouldn't be allowed to bring their non-cleared devices into a SCIF anyways.
Man I get damn sick of people like you. Instead of trying to think like the "enemy" and come up with ways to break the system you think like a naive baby and just assume that the system must work because that's what the owners want it to do. People like you are the reason the internet is the security equivalent of swiss cheese - you can't build good security if you don't even try to think like an attacker.
Nobody said anything about bringing your own hardware into a SCIF. If you haven't been paying attention there are lots of opportunities for infiltration - the US DoD got owned by a USB virus back in 2008, the NSA intercepts hardware shipments before delivery to the customer and implants their own malware. We are constantly hearing (unproven) accusations of China doing the same thing and they manufacture like 99% of all computing hardware nowadays.
The amount of serious discussion of how to mitigate this "attack" above this comment saddens me. If you have rogue software on your computer, severing one of the least efficient communication channels I've heard of is not going to be helpful.
> Over 5 million people in the US hold secret-level or higher security clearances. Nearly all of them have work that involves classified computer systems, ALL of which are air-gapped. And that doesn't even count commercial applications where the company is concerned about industrial espionage.
> Your objections here only display your ignorance, not your wisdom.
> BTW, you've met at least one now.
I will take the 5 million number at face value.
I laugh at the idea that nearly all of those people access classified computer systems.
And the idea that they're all air gapped? That's just complete bullshit, as recent history has shown.
Wow! So, after 4 days, 17 hours, 46 minutes and 40 seconds, you could transfer a whopping... 1 whole MEGABYTE.
sig: sauer
A simple defence would be to have ultrasonic noise generators emitting enough interference to effectively jam any transmissions. It should be no more audible than the transmissions.
Of course, the average user wouldn't need or probably want this (unless they're security paranoid/enthusiasts), but it might be useful in environments where information security is essential. Maybe even 'hardened' secure devices could have built in noise generators that can't be software disabled as an extra defence feature.
It might seem simpler to just limit the frequency ranges of the built in speakers/microphones, but it doesn't eliminate the threat completely as it is still possible there could be a headset, USB sound interface or devices in the microphone and earphone jacks in use without these filters. This way, regardless of the kind of sound I/O, the surrounding area of the device is blacked out.
> Over 5 million people in the US hold secret-level or higher security clearances.
I'm not from the US; as a proportion of population, 5 million is a very high number indeed -- and I believe the proportion in the civilized world is much lower.
That scenario would require that there be some sort of keylogger already present and running on the compromised machine. If that's the case, then why bother with all this cloak and dagger shit? Hell, there are plenty of other routes that the data could take:
:)
Store the data in a file on a local drive (hard drive or even USB flash drive)
Transmit it over Ethernet.
Transmit it over Wi-Fi.
Transmit it over bluetooth.
Transmit it over IRDA.
Or, my favorite, just have the machine use text to voice to shout out the user's password over the speakers. Then it's a race to see if you can login before the user can change the password.
Well, given the prevalence of things like spear phishing and the like, maybe it's not all that tough.
And the point of the cloak and dagger is, if they don't know you're listening, and you're using a channel they're not scanning for ... you can keep doing it with impunity.
So, say I worked for an agency which relied on secrecy ... call them the Notional Security Assholes for sake of argument ... wouldn't it be in my interest to want to gather as much data as possible without you knowing I'm doing it?
If the value of what you're spying on is high value enough, and you want to conceal your ways and means, it doesn't seem like there's an upper bound on how much trouble something is worth.
Because you extract the passwords one way, and exploit them via another, and it's impossible to identify how you got the password, and maybe you can conceal that it was ever used at all.
Sure, it's right out of Tom Clancy or Hollywood, but some of the cold war stuff was pretty wacky by today's standards. Think "Remote Sensing" and some of the other stuff that we more or less consider pretty loony.
> WTF ? That's a covert communication channel, not an attack. At least the original source gets that right. But what idiot writes the slashdot version of the article?
What, your computer doesn't auto-execute whatever ultrasonic binary data arrives over the mic?
Plug in a cheap headset. This allows VoIP over it and solves the problem.
If the computers are air gapped then how is the software that tells it to transmit over ultrasonic sound supposed to get on them in the first place?
I suspect you could also use very short duration screen flashes and camera on laptops...
As one person commented when the last version of this went around, the sound card hardware or driver would have to have something like a TCP/IP stack built in to the microphone input. In other words, the only way a computer would be vulnerable is if it already has an ultrasonic communication feature installed. The only way I can see this happening is possibly at the behest of a certain agency which has a history of covertly installing security vulnerabilities, but they would probably just put it in the WiFi.
There's an easy fix. Allow users to set a top end frequency that'd be passed to speakers. HiFi fans could set it high. With my aging ears, cutting off anything over 8K wouldn't make much difference. Also that feature could be made app specific. Users could specify which apps could exceed the limit.
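The user-settable ceiling proposed here, and the speaker-path low-pass filtering suggested in the summary and further up the thread, amount to the same thing in software: a low-pass filter whose cutoff is a policy value. The following is an added example, not code from the page or any real audio stack: a cascade of RBJ-cookbook Butterworth biquads applied to the output buffer, with a per-application cutoff table. The 48 kHz sample rate, the three-stage cascade, the app names and their cutoffs are all constructed assumptions; the gain measurements show how much a 19 kHz carrier survives under a 16 kHz or 8 kHz ceiling.

```python
import math

SAMPLE_RATE = 48000  # assumed codec rate (not from the page)


def lowpass_coefficients(cutoff_hz, sample_rate=SAMPLE_RATE, q=1 / math.sqrt(2)):
    """Second-order Butterworth low-pass biquad (RBJ audio-EQ cookbook form)."""
    w0 = 2.0 * math.pi * cutoff_hz / sample_rate
    alpha = math.sin(w0) / (2.0 * q)
    cos_w0 = math.cos(w0)
    a0 = 1.0 + alpha
    b = [(1.0 - cos_w0) / 2.0 / a0, (1.0 - cos_w0) / a0, (1.0 - cos_w0) / 2.0 / a0]
    a = [1.0, -2.0 * cos_w0 / a0, (1.0 - alpha) / a0]
    return b, a


def biquad(samples, b, a):
    """Direct Form I biquad run over a whole buffer."""
    out = []
    x1 = x2 = y1 = y2 = 0.0
    for x in samples:
        y = b[0] * x + b[1] * x1 + b[2] * x2 - a[1] * y1 - a[2] * y2
        out.append(y)
        x2, x1 = x1, x
        y2, y1 = y1, y
    return out


def apply_ceiling(samples, cutoff_hz, stages=3, sample_rate=SAMPLE_RATE):
    """Cascade `stages` identical biquads so the roll-off above the cutoff is steep."""
    b, a = lowpass_coefficients(cutoff_hz, sample_rate)
    for _ in range(stages):
        samples = biquad(samples, b, a)
    return samples


def rms(samples):
    return math.sqrt(sum(x * x for x in samples) / len(samples))


def tone(freq_hz, seconds=0.2, sample_rate=SAMPLE_RATE):
    """Constructed unit-amplitude sine used to probe the filter."""
    return [math.sin(2.0 * math.pi * freq_hz * i / sample_rate)
            for i in range(int(seconds * sample_rate))]


def gain_at(freq_hz, cutoff_hz, stages=3, sample_rate=SAMPLE_RATE, settle=1000):
    """Steady-state amplitude gain of the ceiling filter at one frequency."""
    x = tone(freq_hz, sample_rate=sample_rate)
    y = apply_ceiling(x, cutoff_hz, stages, sample_rate)
    return rms(y[settle:]) / rms(x[settle:])


# Per-application ceiling policy of the kind the comment describes
# (hypothetical app names, constructed cutoff values).
APP_CEILING_HZ = {"default": 16000, "voip-client": 8000, "hifi-player": 22000}


def filter_for_app(samples, app, policy=APP_CEILING_HZ, sample_rate=SAMPLE_RATE):
    """Apply the app's own ceiling, falling back to the default for unknown apps."""
    return apply_ceiling(samples, policy.get(app, policy["default"]),
                         sample_rate=sample_rate)


if __name__ == "__main__":
    for cutoff in (16000, 8000):
        print(f"cutoff {cutoff} Hz: gain@1kHz={gain_at(1000, cutoff):.3f} "
              f"gain@19kHz={gain_at(19000, cutoff):.4f}")
```

Two caveats the thread itself raises still apply: the ceiling only protects audio that passes through the software mixer, so a USB codec or headset with its own DAC sidesteps it, and an app granted the high-cutoff policy (the "hifi-player" entry here) is exactly the process a covert sender would want to run inside.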