The Computer Security Threat From Ultrasonic Networks

KentuckyFC (1144503) writes Security researchers in Germany have demonstrated an entirely new way to attack computer networks and steal information without anybody knowing. The new medium of attack is ultrasonic sound. It relies on software that uses the built-in speakers on a laptop to broadcast at ultrasonic frequencies while nearby laptops listen out for the transmissions and pass them on, a set up known as a mesh network. The team has tested this kind of attack on a set of Lenovo T400 laptops infected with key-logging software. They say it is possible to transmit ultrasonic signals covertly at data rates of 20 bits per second at distances of up to 20 metres in an office environment. Interestingly, the team created the covert system by adapting a protocol designed for underwater acoustic communication. They've also tested various strategies for defeating this kind of attack. An obvious option is to disable all speakers and microphones but this also prevents ordinary activities such as VOIP communication. Instead, they suggest filtering the audio signals to prevent ultrasonic transmissions or converting them into an audible frequency. This may be newer than most attack vectors, but it's not the first time that ultrasonic transmission has been demonstrated as a vulnerability; in November of last year we mentioned malware operating along the same lines, as investigated byPwn2Own creator Dragos Ruiu.

A (hidden) communication channel is not an attack

[thospel]

WTF ? That's a covert communication channel, not an attack.
At least the original source gets that right. But what idiot writes the slashdot version of the article?

Not that new

[T.E.D.]

I worked on a COMSEC job back in the '90s, and both our device and our building (particularly the windows) had countermeasures for this kind of attack.

Perhaps this is a new thing for garage hackers, but intelligence agencies have known about it for decades.

Does it really matter?

[mrspoonsi]

For this to work, the computers must already be 'owned', the fact the computers can communicate 20 meters with another infected machine is the least of the worries if you ask me.

Re:Hardware sampling rates

[Rosco+P.+Coltrane]

The easiest way to eliminate this threat is to lock down hardware sampling rates such that ultrasonic frequencies cannot be reliably reproduced

Nope. The easiest way to eliminate this threat is to keep a pet bat next to your computer to scramble any ultrasonic transmission.

Linux not susceptible to attack

[by+(1706743)]

You know, because the sound card probably isn't working right anyway (and forget about the mic).

(Joking, joking...built-in and USB soundcards work just fine on all my Linux computers.)

Solution: office dog

[RevWaldo]

What is it? What is it, girl? Someone running a covert mesh network? Where's it coming from?

.

Re:Hardware sampling rates

[TeknoHog]

I was under the impression that while humans mostly cannot hear ultrasonic sounds, the existence of them can be perceived as a kind of "texture" to other sounds that we can hear. Removing these frequencies all together from all sounds sources can make stuff sounds more artificial.

The timbre of any sound is due to harmonics -- frequencies higher than the fundamental. MP3 and other lossy compression schemes do indeed remove some of the quieter harmonics. However, if the harmonics are outside the hearing range, well, then you can't hear them.

However, there may be nonlinear effects which convert some of the ultrasound to lower frequencies. Also, when a frequency exceeds the Nyquist limit (half the sampling rate), it is aliased to a frequency within the sampling range. (Hence "anti-aliasing", which is simply filtering out too high frequencies to prevent this effect.)