Slashdot Mirror
The Computer Security Threat From Ultrasonic Networks
KentuckyFC (1144503) writes Security researchers in Germany have demonstrated an entirely new way to attack computer networks and steal information without anybody knowing. The new medium of attack is ultrasonic sound. It relies on software that uses the built-in speakers on a laptop to broadcast at ultrasonic frequencies while nearby laptops listen out for the transmissions and pass them on, a set up known as a mesh network. The team has tested this kind of attack on a set of Lenovo T400 laptops infected with key-logging software. They say it is possible to transmit ultrasonic signals covertly at data rates of 20 bits per second at distances of up to 20 metres in an office environment. Interestingly, the team created the covert system by adapting a protocol designed for underwater acoustic communication. They've also tested various strategies for defeating this kind of attack. An obvious option is to disable all speakers and microphones but this also prevents ordinary activities such as VOIP communication. Instead, they suggest filtering the audio signals to prevent ultrasonic transmissions or converting them into an audible frequency. This may be newer than most attack vectors, but it's not the first time that ultrasonic transmission has been demonstrated as a vulnerability; in November of last year we mentioned malware operating along the same lines, as investigated byPwn2Own creator Dragos Ruiu.
The easiest way to eliminate this threat is to lock down hardware sampling rates such that ultrasonic frequencies cannot be reliably reproduced (e.g. in the BIOS), and allow the user to flip the switch for higher rate support. At least, that's the first idea that came to mind. I'm sure it's not perfect, but it's better than "kill all audio!"
Another exploit undermines a heretofore unknown weakness.
Exploitation that doesn't kill you makes you stronger.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
WTF ? That's a covert communication channel, not an attack.
At least the original source gets that right. But what idiot writes the slashdot version of the article?
While impractical at scale, this is a very clever way to defeat things like DoD secured air-gap networks, and 20bps is easily capable of say, keylogging :)
Good people go to bed earlier.
I worked on a COMSEC job back in the '90s, and both our device and our building (particularly the windows) had countermeasures for this kind of attack.
Perhaps this is a new thing for garage hackers, but intelligence agencies have known about it for decades.
Does this mean I can get a lirc driver that works with an old Zenith clicker remote?
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
For this to work, the computers must already be 'owned', the fact the computers can communicate 20 meters with another infected machine is the least of the worries if you ask me.
Probably the same one who wrote a similar article about a year back.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
This. It is NOT an attack. And let's face it, very very few people have an air gap on their computers. Since that's the case, it's so much easier to just use the existing wired network or wireless network to ferret data out. 20 bits per second is hardly practical anyway, even for small amounts of data (which, today, would be classified as megabytes.)
char*f="char*f=%c%s%c;main(){printf(f,34,f,34);}";main(){printf(f,34,f,34);}
The folks who designed my desktop computer were really thinking ahead on this one: it was built without a speaker. Besides enhancing security, an auxiliary benefit of their clever "no-speaker defense" is that saved the manufacturer cost and space.
Headphones. Or dummy jack-plugs.
Given that the machines have to have the acoustic networking software installed on them (requiring already having root access), this is at worst a covert communications channel that could be used to bypass network security controls in order to exfiltrate information from an otherwise secure network. It has no impact on whether machines can be hacked to begin with.
cp /dev/zero ~/signature.txt
I do not believe there is anything preventing malicius software from using the speaker and mic in the computer, disregarding the headset. So leaving your headset in, just gives you a false sense of security. Not relevant in your setup (unless they want to covertly send your dog on a murder spree), but still :)
So one infected computer talks to another via this method and the other computer is infected with code that interprets it. How about just use the malicious code on the 2nd computer to do whatever you were going to do with it? For network transmission, obviously just use encryption or a web server in the middle or something.
... Its a covert transmission channel, not an attack...
A camera pointed at a computer monitor slowly shifts its average hue (a la 'f.lux') is another such example.
IKR... I read the article summary and was double face palming.
You can't install malware via the microphone inputs lol. You can only receive inputs from a preconfigured machine and the attacks still have to happen in other ways.
It tells me things that no one else knows. Things that I'm not supposed to hear.
Sometime it tells me to do things. It told me not to tell you what they are.
Computers only talk to very special people. You wouldn't understand.
It told me to shut up now. Bye.
Why is Snark Required?
Dragos Ruiu's findings from last year were never able to be reproduced by an outsider, and were highly suspect. Sometimes you can be a brilliant security guy, and also a delusional paranoid-- and I think the general consensus was that in that scenario, Dragos was being delusionally paranoid.
The idea that various laptop speakers (all of varying and generally poor quality) will be able to reliably form a wireless network is really far-fetched, no matter how you cut it. Every laptop's mic is different, the speakers are all in different locations, some mics are gonna be off, the acoustics of the room are unknown....
Theres just no way for this to reliably work.
You know, because the sound card probably isn't working right anyway (and forget about the mic).
(Joking, joking...built-in and USB soundcards work just fine on all my Linux computers.)
To be more specific it is this story - same exact paper from November of last year.
That's absolutely true. If you're one of the 0.00002% who does own a car, well, then obviously you should be thinking about seatbelts. But car owners are so rare that I'll probably never meet one, ever. Seatbelts have zero effect on my life.
char*f="char*f=%c%s%c;main(){printf(f,34,f,34);}";main(){printf(f,34,f,34);}
What is it? What is it, girl? Someone running a covert mesh network? Where's it coming from?
.
Prisencolinensinainciusol. Ol Rait!
You will be disappointed to learn that the disablement of the speaker and mic are done in a fly-by-wire manner. I became aware of this firsthand when I discoverd that a bad audio driver was allowing the audio I was listening to to go both to my headphones and my speakers. I wasn't aware of it until a co-worker tapped me on the shoulder. Fixing the mixer settings caused the audio not to go to the speakers.
Further to that, BT is an even bigger fly-by-wire. With BT, you are essentially putting an additional sound card onto your machine, and choosing to use it (via software) instead of the built in one. The built-in one is still there, however, and still availble to any software that chooses to use it. There exists no mechanism through which BT presence can cause a not-software-overridable hard interrupt of audio to the speakers and from the mic.
I would advocate for there to be a switch installed on every laptop that, when flipped, interruptes, in a hardware-based, analogue manner, the connection of the speakers and mic to the sound hardware. Open the circuit in a way that no software can close it.
www.wavefront-av.com
This is a good way to hide your snooping in sensitive environments that are running adaptive intrusion detection systems. It's also a way to get secure computers that aren't connected to the network, to talk to less secure computers that are. Think military. Jim falls prey to a USB based piece of malware and puts it on a DoD machine that is on their internal, secure network. It talks to an Internet-connected computer to move data from one to the other. The USB vector is exactly how the US/Israel got malware onto Iranian centrifuge controller systems, so it's a valid concern.
I was wondering how this speed compared to a telegraph operator sending Morse Code. Googling about, words per minute, based on the standard five characters per word plus spaces and punctuation, works out to about bps * 1.2.
http://superuser.com/questions...
So 20 bps is about 24 words per minute. Compare this to a skilled telegraph operator, who can manage 40 wpm.
http://en.wikipedia.org/wiki/M...
So yeah, it's slow, BUT for keylogging it couldn't keep up only if users typed constantly, which they don't. Plenty of time in between to do some catch up.
.
Prisencolinensinainciusol. Ol Rait!
Depends on the data, doesn't it?
If I've installed something which is designed to capture passwords, your 20 bits/sec means I can transmit your password in just a few seconds.
So if all it does it say "got it, user X has this password" ... that can be pretty valuable and is likely do-able in under 30 seconds.
This may not be an attack, but it is an attack vector.
Lost at C:>. Found at C.
I thought most soundcards had a capacitor on the inputs that already filters out the higher frequencies. I read this when reading about using sound cards directly as software defined radios for receiving VLF signals. To receive higer frequencies some people have shorted the input capacitor out.
The password was GOD
You are correct - this is utter and complete nonsense. No uninfected computer is going to consider what comes into the mic channel as potentially sensible to execute, or, indeed do anything other than save it as audio data.
If your computer is in the habit of executing WAV of MP3 files, or saving audio as .exe files, you are already more than truely and completely stuffed.
Sent from my ASR33 using ASCII
the senior engineers that tested the system consider it undetectable. The intern just smiled and said nothing...
Nullius in verba
The amount of serious discussions of how to mitigate this "attack" above this comment saddens me. If you have rouge software on your computer, severing one of the least efficient communication channels I've heard of is not going to be helpful.
Over 5 million people in the US hold secret-level or higher security clearances. Nearly all of them have work that involves classified computer systems, ALL of which are air-gapped. And that doesn't even count commercial applications where the company is concerned about industrial espionage.
Your objections here only display your ignorance, not your wisdom.
BTW, you've met at least one now.
I will take the 5 million number at face value.
I laugh at the idea that nearly all of those people access classified computer systems.
And the idea that they're all air gapped? That's just complete bullshit, as recent history has shown.
Wow! So, after 4 days, 17 hours, 46 minutes and 40 seconds, you could transfer a whopping... 1 whole MEGABYTE.
sig: sauer
A simple defence would be to have ultrasonic noise generators emitting enough interference to effectively jam any transmissions. It should be no more audible than the transmissions.
Of course, the average user wouldn't need or probably want this (unless they're security paranoid/enthusiasts), but it might be useful in environments where information security is essential. Maybe even 'hardened' secure devices could have built in noise generators that can't be software disabled as an extra defence feature.
It might seem simpler to just limit the frequency ranges of the built in speakers/microphones, but it doesn't eliminate the threat completely as it is still possible there could be a headset, USB sound interface or devices in the microphone and earphone jacks in use without these filters. This way, regardless of the kind of sound I/O, the surrounding area of the device is blacked out.
Over 5 million people in the US hold secret-level or higher security clearances.
I'm not from the US; as a proportion of population, 5 million is a very high number indeed -- and I believe the proportion in the civilized world is much lower.
char*f="char*f=%c%s%c;main(){printf(f,34,f,34);}";main(){printf(f,34,f,34);}
That scenario would require that there be some sort of keylogger already present and running on the compromised machine. If that's the case, then why bother with all this cloak and dagger shit? Hell, there are plenty of other routes that the data could take:
:)
Store the data in a file on a local drive (hard drive or even USB flash drive)
Transmit it over Ethernet.
Transmit it over Wi-Fi.
Transmit it over bluetooth.
Transmit it over IRDA.
Or, my favorite, just have the machine use text to voice to shout out the user's password over the speakers. Then it's a race to see if you can login before the user can change the password.
Well, given the prevalence of things like spear phishing and the like, maybe it's not all that tough.
And the point of the cloak and dagger is, if they don't know you're listening, and you're using a channel they're not scanning for ... you can keep doing it with impunity.
So, say I worked for an agency which relied on secrecy ... call them the Notional Security Assholes for sake of argument ... wouldn't it be in my interest to want to gather as much data as possible without you knowing I'm doing it?
If the value of what you're spying on is high value enough, and you want to conceal your ways and means, it doesn't seem like there's an upper bound on how much trouble something is worth.
Because you extract the passwords one way, and exploit them via another, and it's impossible to identify how you got the password, and maybe you can conceal that it was ever used at all.
Sure, it's right out of Tom Clancy or Hollywood, but some of the cold war stuff was pretty wacky by today's standards. Think "Remote Sensing" and some of the other stuff that we more or less consider pretty loony.
Lost at C:>. Found at C.
As one person commented when the last version of this went around, the sound card hardware or driver would have to have something like a TCP/IP stack built in to the microphone input. In other words, the only way a computer would be vulnerable is if it already has an ultrasonic communication feature installed. The only way I can see this happening is possibly at the behest of a certain agency which has a history of covertly installing security vulnerabilities, but they would probably just put it in the WiFi.
Sucks to be you.
www.wavefront-av.com