The Computer Security Threat From Ultrasonic Networks

KentuckyFC (1144503) writes Security researchers in Germany have demonstrated an entirely new way to attack computer networks and steal information without anybody knowing. The new medium of attack is ultrasonic sound. It relies on software that uses the built-in speakers on a laptop to broadcast at ultrasonic frequencies while nearby laptops listen out for the transmissions and pass them on, a set up known as a mesh network. The team has tested this kind of attack on a set of Lenovo T400 laptops infected with key-logging software. They say it is possible to transmit ultrasonic signals covertly at data rates of 20 bits per second at distances of up to 20 metres in an office environment. Interestingly, the team created the covert system by adapting a protocol designed for underwater acoustic communication. They've also tested various strategies for defeating this kind of attack. An obvious option is to disable all speakers and microphones but this also prevents ordinary activities such as VOIP communication. Instead, they suggest filtering the audio signals to prevent ultrasonic transmissions or converting them into an audible frequency. This may be newer than most attack vectors, but it's not the first time that ultrasonic transmission has been demonstrated as a vulnerability; in November of last year we mentioned malware operating along the same lines, as investigated byPwn2Own creator Dragos Ruiu.

Re:Hardware sampling rates

[Rosco+P.+Coltrane]

The easiest way to eliminate this threat is to lock down hardware sampling rates such that ultrasonic frequencies cannot be reliably reproduced

Nope. The easiest way to eliminate this threat is to keep a pet bat next to your computer to scramble any ultrasonic transmission.

Linux not susceptible to attack

[by+(1706743)]

You know, because the sound card probably isn't working right anyway (and forget about the mic).

(Joking, joking...built-in and USB soundcards work just fine on all my Linux computers.)

Solution: office dog

[RevWaldo]

What is it? What is it, girl? Someone running a covert mesh network? Where's it coming from?

.

Re:Hardware sampling rates

[ColdWetDog]

Ah, but you're missing an entire other defensive mechanism. One that, I will point out, did not escape the genius of Apple. Recall the recent angst about Apple's acquisition of Beats Audio. The two theories judged most likely centered around either gratuitously spending money to annoy the Slashdot hive mind or strategically buying up an inconsequential streaming audio business. Of course, careful consideration (yes, I understand that contradiction here) would lead one to realize that neither is very likely, so I offer a more technically sound rationale:

If you've ever listened to a set of Beats headphones, the second thing you notice (the first is that they are ugly and cheap) is that it is engineered to be unable to pass frequencies higher than 4000 Hz. You're not going to hear a set of cymbals or a piccolo to save your life.

So, these nefarious persons can attempt to stuff whatever data they'd like into the higher registers - it will do them no good at all. You don't need complex software rules, you don't need specially constructed DACs. You just need bass. Furthermore, if all you are going to do is to listen to DC to 4 kHz noise, you don't need a particularly robust audio platform to do it (like an iPhone). And, as an added bonus, this limited bandwidth will save on your precious monthly allotment of data.

Apple has you covered, folks.