New Air-Gap Jumper Covertly Transmits Data in Hard-Drive Sounds

Security researchers have found a new way to siphon data out of an infected computer even when it has been physically disconnected from the Internet -- otherwise known as "air-gap" computers -- to prevent the leakage of sensitive information it stores, reports ArsTechnica. From the article: The method has been dubbed "DiskFiltration" by its creators because it uses acoustic signals emitted from the hard drive of the air-gapped computer being targeted. It works by manipulating the movements of the hard drive's actuator, which is the mechanical arm that accesses specific parts of a disk platter so heads attached to the actuator can read or write data. By using so-called seek operations that move the actuator in very specific ways, it can generate sounds that transfer passwords, cryptographic keys, and other sensitive data stored on the computer to a nearby microphone. The technique has a range of six feet and a speed of 180 bits per minute, fast enough to steal a 4,096-bit key in about 25 minutes.

Considering that people play music

[Z00L00K]

Considering that people play music with floppy drives then the ability to transfer information acoustically with hard drives isn't really different.

Re:Considering that people play music

Considering that people play music with floppy drives then the ability to transfer information acoustically with hard drives isn't really different.

I wasn't aware of that, thank you for the link. I find things like that fascinating even if they aren't particularly useful.

A much bigger issue with this: if you can get this program onto the air-gapped machine in the first place, haven't you already compromised it? If I could load say, a flash drive, into the air-gapped system to run this program, why can't I just copy whatever data I was after?

Unrelated side issue: you know what's really broken about Slashdot? An AC post containing GNAA or the N-word or something like that gets downmodded in seconds (which is desirable), but lots of sincere and really informative AC posts never get modded up (which is a loss for everyone). Why the double standard? Editors have infinite mod points, so why not use them constructively? After all, I can see how someone using a work computer really wouldn't want to browse at -1. An easily offended coworker walking by and seeing a GNAA post would be really hard to explain to HR. It's a classic "guilty unless proven innocent, and even then probably still guilty" situation.

Re:Considering that people play music

There was a program that used the micropolis hard drive voice coils to emulate R2-D2 back in the day, I believe they could do limited music as well with the whistles, chirps and pops that the voice-coil actuators made.
 

Re: Considering that people play music

I remember doing that on a Commodore 64 with a 1541 external floppy drive.

Re:Considering that people play music

[jeffmflanagan]

A much bigger issue with this: if you can get this program onto the air-gapped machine in the first place, haven't you already compromised it? If I could load say, a flash drive, into the air-gapped system to run this program, why can't I just copy whatever data I was after?

This does make these air-gapped hacks much less useful, but it could be used to exfiltrate data on an ongoing basis without having to touch the hacked air-gapped machine again after it's been compromised.

Re:Considering that people play music

It is less elegant, music is a beautiful expression of information. This is just bland information exchange.

Also, very slow compared to the music.

Re:Considering that people play music

Isn't it amazing what math can do?

Re:Considering that people play music

[Qzukk]

if you can get this program onto the air-gapped machine in the first place, haven't you already compromised it?

Yes, but now your compromise is stuck on a computer with no way off. You drop a handful of flash drives around the target's parking lot, someone plugs it in and gets the internal network pwned... then what? Put the data back on the flash drive and hope they put it back in the parking lot? But say you're a TLA and can track/activate cellphones on demand. Sure, people aren't supposed to carry their cellphone into the secure area, but they figure if they keep it in their pocket and don't whip it out and start taking pictures, they'll be fine. They might even turn it "off" so it's OK, right? Drop some flash drives there, and turn on the guy's cellphone and listen for the k-tka-tk-tk sound. Could be a failing drive, could be the secret weapon plans.

Re:Considering that people play music

[blindseer]

A much bigger issue with this: if you can get this program onto the air-gapped machine in the first place, haven't you already compromised it?

The rules on taking data into or out of a secured location is a bit like a roach motel, you can bring things in but taking anything out is difficult. For example, I set up an air gapped system and as I recall there was little I had to do to bring in the software and source code. All I had to do was run any media through a virus check. Taking anything out meant I had to log what was taken, when, and for what reason. It came down to me just making a mental note that I would take nothing off the system, I'd leave that to my superiors as I just did not want to bother.

This was a logical way to handle the data, as well as a near necessity. We'd have to bring in a lot of data to do our work from source code, to test data, and so forth. If we had to take as much care as what went in as much as we did to the care on taking things out we'd be spending a lot of time writing logs and not getting our work done. Also, if nothing left the system then we can be quite certain no sensitive data had left. We'd spend months or years on a project where nothing left except at the very end where the finished project was written to a disk or tape, the project shut down, and the system re-tasked to some other project.

Unusable

Nice theoretical attack, but in practise a HD that makes sounds like this is easy to spot. Just listen.

I remember fondly the drives for the C64 that made music, though.

Re:Unusable

[Opportunist]

Just pretend you're defragging and people won't question it.

Most people don't even understand or know half of what's going on in their computer. If the HD suddenly starts to act up, most would probably just assume that Windows is "doing its thing".

Re:Unusable

[Yvan256]

When Windows is "doing its thing" I usually get a blue screen.

April fools / bullshit?

[BKDotCom]

This is some serious "Jason Bourne" hoop-jumping technology.

Re:April fools / bullshit?

[Mr+D+from+63]

They should include an 'effort to success' ratio to rate these hypothetical attack vectors. In general, how hard is it vs. how likely you are to successfully apply it in a real world situation. I'd say the ES ratio here is quite high.

It's fucking air gapped.

Exactly how are you planning on getting the malware onto the machine genius? This shit is getting ridiculous.

Re:It's fucking air gapped.

[Opportunist]

USB Sticks"?

Re:It's fucking air gapped.

The same way you get a sensitive microphone near the machine... in a lab. So you can publish scary-sounding technical "performance art" for the masses.

Re:It's fucking air gapped.

[mSparks43]

Network booted usb reader that mounts the stick as an nfs share.

problem solved.

Re:It's fucking air gapped.

[Yvan256]

USB? You mean a connector that could be used for keyboards, mice, printers, scanners, hard drives?

That sounds like science-fiction to me.

Posted from 1986.

pointless stupidity

[iggymanz]

Of course, if I am allowed to install software on an "air-gapped" computer, I can make it transfer information by anything on it that makes noise or can be lit or even via power supply. Speakers, various fans, hard drive heads, retractable optical drive tray, locator blue LED, LCD display, even the power draw....I can manipulate all of those.

There is no point to these studies, they only belabor the obvious.

Any manager that makes some security policy based on such studies should be beaten.

Re:pointless stupidity

[fustakrakich]

Any manager that makes some security policy based on such studies should be beaten.

What's wrong with building a windowless soundproof Faraday cage 500 feet underground? I'd like to see the seismographer that can read through that.

Re:pointless stupidity

[Opportunist]

While true, it highlights a problem: Air-gaping a system is no silver bullet against spying. Managers who think it is should be beaten, too.

Re:pointless stupidity

[The-Ixian]

Haven't you ever done something for the "cool" factor? How about because you wanted to know how something was done?

To only read about other people doing stuff and choosing not to do it because it has already been done seems like a pretty boring way to live life...

Re:pointless stupidity

[Oswald+McWeany]

No system is foolproof. The idea is to make it harder to crack than is worthwhile for most people to bother with.

If you put a security system on your home, it's not because you think there aren't criminals out there who can disable them, it's because you're going to make yourself a difficult enough target that people are less likely to bother.

Digital security is much the same. There is no system that can't be compromised, not even an air-gapped system; however you can make it ridiculously difficult that few people would bother putting in the resources to crack you.

Re:pointless stupidity

[iggymanz]

problem is this things are too trivial to code to even be "cool"

Re:pointless stupidity

Think firmware. Think intercepting hardware deliveries. A speaker that suddenly starts beeping is suspicious, a fan which switched speeds for no apparent reason is suspicious, hard disks have always made (to users ears) rather random noises.

Glad you don't work in security.

Re:pointless stupidity

[iggymanz]

you're confused, the problem here is allowing installation of malicious code. If that happens of course there is no security and all bets are off. Report for your beating.

Re:pointless stupidity

[iggymanz]

but the prerequisite for this particular waste of time exercise was allowing the installation of malicious code. You can secure all you want, and then if you allow someone to do that final step of putting in bad code, well guess what..

Re:pointless stupidity

[iggymanz]

it would need to have its own power supply, if malicious code installed beforehand the power draw can be used to communicate.

By the way, what function does this isolated computer perform? how do people use it?

Re:pointless stupidity

[Kjella]

Of course, if I am allowed to install software on an "air-gapped" computer, I can make it transfer information by anything on it that makes noise or can be lit or even via power supply. Speakers, various fans, hard drive heads, retractable optical drive tray, locator blue LED, LCD display, even the power draw....I can manipulate all of those. There is no point to these studies, they only belabor the obvious.

Where does the border between obvious and sci-fantasy (enhance, enhance, enhance) go? If my "airgap" server is next to my normal server in the same rack, can they communicate using power draw? Heat cycles, one server heating up the other? Vibration causing HDD read errors? Can I run the cables down the same canal or can you use crosstalk to steal information? Maybe I have an alarm system with motion detection and a microphone to detect movement/noise in my "top secret" room, despite the machine having no speakers could the keys be stolen from HDD noises out that way?

How many people really need to be this paranoid? I'm not sure, it has to be serious military secrets/industrial espionage/core infrastructure to get this level of attention. But I think you need to have researchers working on whether this is actually feasible and how feasible it is, not just hand-waving it. Unless you want to say if they manage to install software we're screwed anyway but defense in depth and many layers of tripwires is better than one thick wall and free roaming on the inside.

Re:pointless stupidity

[fustakrakich]

it would need to have its own power supply

You're right, I forgot. Use geothermal from even deeper underground. TNX!

By the way, what function does this isolated computer perform?

Solitaire. What else is there?

Re:pointless stupidity

[iggymanz]

as long as it plays solitaire with itself that's fine, if there's a human down there needing supplies from the surface that's a possible security hole

Re:pointless stupidity

If you can ensure 100% that no opponent can take control of the computer, it's pointless to air-gap it.
Air-gapping is used precisely because you may not be able to guarantee that no-one will somehow get stuff on it. On the one hand it makes it harder to take control of the computer (though not impossible since no computer can work indefinitely without maintenance) and on the other hand it makes it harder to get information out of the system.
As such, this attack is interesting since it questions the effectiveness of the second aspect of air-gapping, but it also allows people to think of potential counter-measures. In this case, using SSDs on air-gapped systems seems like an obvious move, but also possibly designing operating systems to make it hard for user-mode code to control disk access too much.

Re:pointless stupidity

[MrVictor]

Think about what we've all learned from the Snowden leaks. We now know the federal government will stoop to utterly insane levels of paranoia to spread their reach. I would not put it past them to do something like send Microsoft an NSL which forces them to include a DiskFiltration feature in all OS disk drivers just in case they ever encounter a difficult air-gapped target.

Re:pointless stupidity

If my "airgap" server is next to my normal server in the same rack, can they communicate using power draw?

That's going to be in a future security paper. How to tell what's on the adjacent servers to the physical server that hosts your VM supplied by your cloud provider.

Re:pointless stupidity

[The-Ixian]

Glad you don't work in security.

Joke's on you. He works in IoT security...

Re:pointless stupidity

[The-Ixian]

How about, being able to figure out what is going on in another VM guest or on the host by paying close attention to how much guest resources are throttled/scheduled in the VM?

Re:pointless stupidity

when patches/upgrades are proprietary, they could be anything. With unique h/w information presumably collected by W*ndows and software like Sky*e, the sky is the limit!

Re:pointless stupidity

[radarskiy]

By that measure there is no such thing as an air gap, since it is impossible to construct a computer that contains no programming from some other source.

Step G: Whig is outraged by News-Paper Headline

[Pseudonymous+Powers]

Speaking as someone who performs even the most simple everyday tasks by way of giant machines that invariably incorporate a bowling ball, a funnel, a teakettle, a feather duster, my uncle sleeping in an armchair, and a live hen, this attack vector seems very relevant and concerning to me.

faraday cage, SSD and blasting gwar soundtrack

just saying.

Re: faraday cage, SSD and blasting gwar soundtrack

[slazzy]

You had me at gwar.

Re: faraday cage, SSD and blasting gwar soundtrack

You had me at gwar.

God What Alotta Racket

range

so.. all you need to do is look out for the guy with the parabolic microphone pointed at your computer, standing.. six feet away.

Morse code...

via hard drive chatter?

Clicky-clacky white noise

[Oswald+McWeany]

Play clicky-clacky-white noise in your server room to confuse any microphone.

Trivial to thwart.

[Lumpy]

Wont work with my SSD. and honestly will not work at all on SAS drives. most places that are serious about their computing and security uses thin clients running SSD boot drives and the rack of servers are all the workstations. good luck recording the drive noises with all those fans and the libert unit running.

It may work if a target's cheap laptop is set on top of the microphone.

Re:Trivial to thwart.

[Anne+Thwacks]

libert

Ah, yes - we have a Liebert in the bedroom to drown out our deaf neighbour watching QVC!

Much more stupid than that..

[thesupraman]

'Honest boss, I was sure the computer was secure! How was I to know the high sensitivity microphone pointed at it a few feet away, with a wire running out to the van outside and the stranger asking us to all be very VERY quiet for the next hour was a problem?'

Yes, this 'research' is pure stupidity because the methods are obvious as well as being easily mitigated if you really NEED security.

Although its not quite as stupid as the actually false and incorrect claim of using pixels to an infiltrated monitor was, which was basically all just a scam (there are NOT several x86 cpus in a monitor, the cpu that is sometimes there CANNOT read individual pixels, and you CANNOT infect them without a usb connection to the monitor).

Not to mention the obvious workaround, USE A SSD. sigh.

Re:Much more stupid than that..

[fustakrakich]

Not to mention the obvious workaround, USE A SSD. sigh.

:-) Oh no, don't do that. The RF emissions from that will have Jill Stein up in arms

Re:Much more stupid than that..

[sconeu]

'Honest boss, I was sure the computer was secure! How was I to know the high sensitivity microphone pointed at it a few feet away, with a wire running out to the van outside and the stranger asking us to all be very VERY quiet for the next hour was a problem?'

And this goes back to rule 1 of computer security. If you don't have physical security on sensitive machines, you're screwed.

Re:Much more stupid than that..

"Not to mention the obvious workaround, USE A SSD. sigh."

Sure! That will work!

Just like the next software patch will solve a problem but another patch then another comes to address new issues.

Sure! Give me new technology and in a few years we'll learn about additional side channels, if not sooner! Hope you find something for that sigh.

Very interesting

[turbidostato]

Well, very interesting were it not for the prevalence of solid-state disks with, oh, the horror, neither plates nor mechanical arms to produce sound with.

Score another point

[liquid_schwartz]

for solid state drives. They are completely quiet.

Re:Score another point

[EvilSS]

for solid state drives. They are completely quiet.

All SSDs whine to some extent. The one I have in my laptop sounds like a regular HDD in a quiet room, and it definitely varies as data is written.

Re:Score another point

Must be a switching power supply's coil.

https://en.wikipedia.org/wiki/Coil_noise

Re:Score another point

Must be a switching power supply's coil.

https://en.wikipedia.org/wiki/Coil_noise

Ah, another attack vector. Monitor the coile noise to track the power consumption of the SSD.

Sounds overcomplicated

If an infected system wants to transmit data to a nearby microphone, a much more straightforward way would be to do so via the computer's speaker, so the usefulness of this nifty trick is limited to systems that

(a) you managed to infect despite them being air-gapped;
(b) do not have a speaker that can be activated by the malware; and
(c) you can get a microphone physically close enough to to listen in on the hard drive noises.

And if you think speaker sounds are more likely to tip someone off than funny hard drive noises, it's pretty easy to generate high-frequency sounds inaudible to the human ear via the speaker.

Re:Sounds overcomplicated

[Oswald+McWeany]

I would suspect the vast majority of computers that would be targeted would not have speakers. They're not going to be playing music or youtube videos on an air-gapped computer. Playing on a speaker is pointless.

This method of listening to hard drive reminds me of old spy techniques I've read about such as:

a) recording the sound a printer makes and using it to determine what was printed.
b) by pointing a laser at a window you can "listen" to what is going on inside by tracking how much the window flexes with vibrations.

Re:Sounds overcomplicated

"Our method utilizes the noise emitted from the CPU and chassis fans which are present in virtually every computer today." https://arxiv.org/pdf/1606.05915.pdf

"Michael Hanspach and Michael Goetz say that malware could transmit sensitive data (such as confidential databases or logs of keypresses), covertly and secretly, by transmitting it via the infected computer's speaker at near ultrasonic frequencies through the infected computer's built-in speaker." https://www.grahamcluley.com/2013/12/malware-air-gap-computer-sound/ https://it.slashdot.org/story/13/11/01/0120220/airgap-jumping-malware-may-use-ultrasonic-networking-to-communicate

"In this paper we present GSMem, a malware that can exfiltrate data through an air-gap over cellular frequencies. Rogue software on an infected target computer modulates and transmits electromagnetic signals at cellular frequencies by invoking specific memory-related instructions and utilizing the multi-channel memory
architecture to amplify the transmission." https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-guri-update.pdf

"[Chris] is playing music on the radio by sending bits over the system bus without using any wires at all. ... [Chris] also ... can send one bit at a time by opening and closing a CD-ROM drive, capturing these bits with a webcam." http://hackaday.com/2016/07/05/data-exfiltration-with-broadcast-radio-and-cd-rom-drives/

The Floppotron 2.0

[Yvan256]

https://www.youtube.com/watch?...

Meh

[JustAnotherOldGuy]

Interesting proof-of-concept, but ridiculously impractical in the real world.

Re:Meh

That's what she said.

Is it that hard?

[140Mandak262Jamuna]

Penetrating networks airgapped from the internet is difficult, and this novel technique is interesting. But, in the real world, dropping a few thumb drives with malware in the parking lots or getting people to listen/watch music CD/movie DVDs with a malware payload seems to have been very effective. Bribing a janitor to plug in a thumbdrive in an exposed usb port of a computer is a lot easier.

Re:Is it that hard?

Nice Mr. Robot tip of the hat there, mate.

Re: Is it that hard?

Except for the fact that we follow janitor and keep an eye on her everytime she enters corridor where air-gapped system is installed.
She is not allowed to touch any computer or other data processing equipment unless we specifically ask her to dust it.

Re:Is it that hard?

Yes, that's how you get the initial infection. Now assuming you want data from the airgapped system, you need a way to extract that data. Maybe improvise an open-air modem with some form of sound generation on the airgapped system and a microphone on a nearby internet accessible system that you have already compromised?

Re:Is it that hard?

"Maybe improvise an open-air modem with some form of sound generation on the airgapped system and a microphone on a nearby internet accessible system that you have already compromised?"

Some people have been using built in sound cards / soft modems for ham / packet radio for a long time, now think simple radio / FM. Isn't it any wonder a lot of cell phones have FM built in? What about other smart devices?

and in today's news

here's manishs and his dan goodin obsession... i will never understand why every article dan goodin posts ends up on slashdot... without being submitted by anyone

What about RAID? What about server room noise?

[PeeAitchPee]

We have dozens of 3.5" drives running in multiple arrays at various RAID levels, in a noisy server room with fans continually blasting over 70 db in the background. This trick might work in a lab, but call me when they've got the same attack vector working in a real data center environment. And, oh yeah, and against near-silent SSDs.

Other Channels

Let's See:

Monitor i2c-ddc channel
Hard Drive Motors
Blinking Pixels
Caps Lock LED / Num Lock LED /
SMBUS Port
JTAG Port
PS/2 , USB Mouse Port
Sound Card High Frequency Noise
Blinking Network Card LED - Even Unconnected
Fan Speed Toggling
CPU "Noise" Analysis
JoyStick Port
MIDI Port
Hard Drive LED

Analysis: If I want the information, I can get it.

Limited usability?

[ScienceofSpock]

What if the target computer only has an SSD? What if it has multiple hard drives?

This is such an impractial and slow hack...

[jkg2]

..but I love it for its crypto-weirdness. "a speed of 180 bits per minute, fast enough to steal a 4,096-bit key in about 25 minutes." Have fun with that.

Can they compensate for fan noise?

The fans in my system dwarf the sounds from the HDD's!

Well, the more modern HDDs anyway.

I still have some Seagate Medallist and random Conner drives which clack so loud it sounds like they use stepper motors instead of voice-coil actuators...

Makes no sense

So, you can install the malware on the air-gaped computer, meaning you can sneak in a usb drive or CD or some other attack vector, then you can get something with a microphone (like a cell phone) within 6 feet, and then you are going to wait a LONG time to extract even small amounts of data off said computer. Preposterous. USB drives, CDs and cell phones are typically not permitted in such places, and if you can get one in, why not just copy to it in the first place? It would be faster/easier to write down, take a picture of the screen with your cell phone, or even memorize the password or key you are trying to extract.

Ya but...

[AndyKron]

Ya, but can it play Bohemian Rhapsody?

Not news

[davidwr]

If you are air-gapped for security reasons, you are also aware of other ways to exfiltrate information through the environment and through personnel and are taking precautions appropriate for your situation.

If you aren't, you are doing it wrong.

Important Question...

[avandesande]

If the computer has a RAID array will this work and will the throughput be faster ? ;-)

Re:What about RAID? What about server room noise?

[im_thatoneguy]

Interestingly enough... we have one overloaded UPS so when we RDPed into it the UPS sounded its alarm. It would be really slow but you could definitely hear the UPS alarm over the 20 servers. Just increase the power draw on 10 servers you don't mind shortening the life of to overload a UPS. I bet people don't think to secure their UPS and leave it on "Default" to sound an audio alarm. One more attack vector.

That being said the best advice I ever read was that there are two kinds of attackers "Mossad and Not-Mossad" "If it's mossad, you're screwed no matter what they'll find a way in." All security is really to stop Not-Mossad. That's true of physical security, digital security, information security whatever... if Mossad wants you dead you'll die. If the CIA wants into your database they'll get in. All you can really hope to stop is a guy in Bulgaria acting alone.

so-called

"so-called seek operations"

Does that phrase annoy anyone else?

Slashdot. News for FBI, by FBI.

Nobody will ever use this, except the FBI hope to. Why though?

oooold

Old news