New computer virus ‘secretly leaks data’ through air

Security researchers have developed malware that can capture keystrokes from a computer and hijack the soundcard to broadcast the data to a nearby machine as a high-frequency sound which cannot be heard by humans.

In extremely high-security environments it is common practice to create an “air gap” between PCs containing sensitive information and others which are connected to the internet, in order to prevent remote malicious attacks. This research proves that it would be possible to use computer speakers and microphones to bridge this gap and send sensitive information back to a remote attacker, which authors warned was a “considerable threat to computer security”.

In the proof-of-concept attack from Germany’s Fraunhofer Institute for Communication, Information Processing and Ergonomics, researchers were able to use the built-in speakers and microphones of computers to transmit passwords and other data at a rate of 20 bits per second over a distance of almost 20 metres, allowing the malware to “secretly leak critical data to the outside world”.

“If we want to exploit a rigorously hardened and tested type of computing system or networks of this type of computing system, we have to break new ground,” said the paper.

Speakers and microphones are often overlooked in security planning, and by using frequencies outside the range of human hearing it is likely that such messages could escape detection even when they are beamed across an office full of staff.

Cunningly, the paper does not stop at transmitting audio from one computer to another, but aims to infect as many PCs as possible and create a mesh network to enable multi-hop communication. In this way the victim’s machine and the computer which transmits data back to the attacker via the internet do not have to be within audible range of each other.

Researchers made use of an existing communication protocol designed for underwater communication as the relatively complex TCP/IP stacks used to transmit data over the internet have too large an overhead in terms of additional bits that are wrapped around the content. Because electromagnetic waves are highly absorbed by seawater it is common to send and receive data acoustically in underwater applications.

The experiment used five Lenovo T400 laptops running Debian 7.1, and was performed in a standard computer lab with no particularly unusual audio characteristics.

Transmissions were sent at around 20kHz and were found to be totally inaudible to humans during the experiment. The paper suggests that this frequency could be even higher, to make it even less likely to be detected, but that this would reduce the broadcast range.

During the experiment the researchers were able to covertly log the keystrokes made by a user at one computer and broadcast them over audio through a chain of other computers until the message was eventually passed to a machine connected to the internet, and sent back to a malicious attacker.

“Alongside keystroke information it would also be possible to forward other security critical data such as private encryption keys or small-sized text files with classified information from the infected victim to the covert network,” said researchers.

“This data could be sent out periodically to maximize the likelihood of data extraction from the host and it could also be spread to different environments when the computing system is carried around.”

“We have shown that the establishment of covert acoustical mesh networks in air is feasible in setups with commonly available business laptops.”

Examples of malware that can bridge air gaps have been found in the wild, such as Flame, which used Bluetooth to download contact information from nearby devices. Iran was first discovered in 2012 and seemed to disproportionately infect machines in Iran, leading to a story in The Washington Post claiming that it had been developed by the NSA and CIA in order to slow Iran’s nuclear weapons research.