Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Computer Security Threat From Ultrasonic Networks

timothy posted about 2 months ago | from the why-your-bats-are-going-crazy dept.

Security 121

KentuckyFC (1144503) writes Security researchers in Germany have demonstrated an entirely new way to attack computer networks and steal information without anybody knowing. The new medium of attack is ultrasonic sound. It relies on software that uses the built-in speakers on a laptop to broadcast at ultrasonic frequencies while nearby laptops listen out for the transmissions and pass them on, a set up known as a mesh network. The team has tested this kind of attack on a set of Lenovo T400 laptops infected with key-logging software. They say it is possible to transmit ultrasonic signals covertly at data rates of 20 bits per second at distances of up to 20 metres in an office environment. Interestingly, the team created the covert system by adapting a protocol designed for underwater acoustic communication. They've also tested various strategies for defeating this kind of attack. An obvious option is to disable all speakers and microphones but this also prevents ordinary activities such as VOIP communication. Instead, they suggest filtering the audio signals to prevent ultrasonic transmissions or converting them into an audible frequency. This may be newer than most attack vectors, but it's not the first time that ultrasonic transmission has been demonstrated as a vulnerability; in November of last year we mentioned malware operating along the same lines, as investigated byPwn2Own creator Dragos Ruiu.

cancel ×

121 comments

Sorry! There are no comments related to the filter you selected.

Hardware sampling rates (1)

Jody Bruchon (3404363) | about 2 months ago | (#47221195)

The easiest way to eliminate this threat is to lock down hardware sampling rates such that ultrasonic frequencies cannot be reliably reproduced (e.g. in the BIOS), and allow the user to flip the switch for higher rate support. At least, that's the first idea that came to mind. I'm sure it's not perfect, but it's better than "kill all audio!"

Hardware sampling rates (0)

Anonymous Coward | about 2 months ago | (#47221239)

Or just stop shipping audio hardware that supports ultrasonics, given that nobody actually benefits from sampling frequencies above 48kHz (and in certain setups, it can actually distort the audio).

Re:Hardware sampling rates (2)

Bengie (1121981) | about 2 months ago | (#47221767)

I was under the impression that while humans mostly cannot hear ultrasonic sounds, the existence of them can be perceived as a kind of "texture" to other sounds that we can hear. Removing these frequencies all together from all sounds sources can make stuff sounds more artificial.

I have not researched the subject a lot, but these are what I have read across the many years of the discussion reemerging.

Personally, if I listen to an 256kbit MP3, then switch back to FLAC, I hear a slight difference, but it's hard to pinpoint. But if I have one ear listening to the MP3 and the other ear listening to the FLAC, the distinction is HUGE. A lot of the difference is in the highs, and that's with my crappy integrated sound card and semi-decent headphones.

Re:Hardware sampling rates (4, Interesting)

TeknoHog (164938) | about 2 months ago | (#47222259)

I was under the impression that while humans mostly cannot hear ultrasonic sounds, the existence of them can be perceived as a kind of "texture" to other sounds that we can hear. Removing these frequencies all together from all sounds sources can make stuff sounds more artificial.

The timbre of any sound is due to harmonics -- frequencies higher than the fundamental. MP3 and other lossy compression schemes do indeed remove some of the quieter harmonics. However, if the harmonics are outside the hearing range, well, then you can't hear them.

However, there may be nonlinear effects which convert some of the ultrasound to lower frequencies. Also, when a frequency exceeds the Nyquist limit (half the sampling rate), it is aliased to a frequency within the sampling range. (Hence "anti-aliasing", which is simply filtering out too high frequencies to prevent this effect.)

Re: Hardware sampling rates (1)

Anonymous Coward | about 2 months ago | (#47222269)

Yes. Monster Cables can transmit this audio texture more accurately due to the unicorn poop mixed in with their enchanted copper.

Also, no, you're wrong.

Re:Hardware sampling rates (1)

sexconker (1179573) | about 2 months ago | (#47222805)

I was under the impression that while humans mostly cannot hear ultrasonic sounds, the existence of them can be perceived as a kind of "texture" to other sounds that we can hear. Removing these frequencies all together from all sounds sources can make stuff sounds more artificial.

Nope, it's 100% bullshit. Audiophiles cling to it as justification for spending money on 96 or 192 kHz shit.
When recording a physical sound, the sum total of all frequency components interfering with each other will be recorded by the microphone. A microphone does not record individual frequency components, it records a physical pressure wave. Your ear picks up the effects of frequency components outside of its range interfering with frequency components inside its range. A microphone does the exact same thing.

Re:Hardware sampling rates (2)

diamondmagic (877411) | about 2 months ago | (#47224801)

48kHz (98kHz sample rate) is only one octave higher than 24kHz (48kHz sample rate). I most certainly can hear that difference.

And even if we couldn't hear it, audio engineers still need it. Even one octave below the Nyquist limit, you can still lose up to 30% of your original signal.

Re:Hardware sampling rates (2)

Midnight_Falcon (2432802) | about 2 months ago | (#47225033)

You use profanity to refer to audiophiles and you clearly have no idea what you're talking about. 96 or 192kHZ sampling rate doesn't have much to do with frequency response , which is what we are takling about.

Most music these days is not produced via an analog signal to a microphone. Rather, a digital process creates an analog waveform in software like Ableton Live, Cubase, etc. If an overtone or other sonic artifacts are applied, you can definitely hear the effects on the music even though these are at high frequencies..

Speakers are graded for quality using the "Klippel" test, which measures amount of distortion and how clean the signal comes out at various frequencies. With good speakers, you should be able to have a conversation right in front of them at loud volume, and not have to speak loudly or bring up your voice to clearly understand the person. That is because the audio waveform will be clean and not distort other frequencies.

Re:Hardware sampling rates (0)

Midnight_Falcon (2432802) | about 2 months ago | (#47224997)

While this is true, in that "warmth" is perceived by human ears somewhere in the 16KHZ-25KHZ range, over 30KHZ won't even create a "warm" sensation to human ears. In the range of this network, which from TFA appears to be 20khz, many humans will be able to hear something.

If music is properly recorded and mastered, it will typically not contain any artifacts above the 25-30KHZ range. If you are playing music on a high-end system above this range, typically one will apply a high pass filter on their digital processor or amplifier in order to filter out ultrasonic frequencies, which may damage tweeters trying to reproduce sound beyond their response range.

Disclaimer: I am an audiophile. I use SEAS.no speaker drivers, custom enclosures, and high-end amps like QSC and ZED Audio.

Re:Hardware sampling rates (2)

fuzzyfuzzyfungus (1223518) | about 2 months ago | (#47221307)

The easiest way to eliminate this threat is to lock down hardware sampling rates such that ultrasonic frequencies cannot be reliably reproduced (e.g. in the BIOS), and allow the user to flip the switch for higher rate support. At least, that's the first idea that came to mind. I'm sure it's not perfect, but it's better than "kill all audio!"

Obviously anything that is vulnerable to software tampering is less secure than some elegant hardware based solution; but surely one could apply ACLs to the audio device, to at least ensure that only suitably blessed applications can interact with it? Doesn't stop a root/kernel level exploit, or a blessed application being subverted; but right now, the default is that any program that can run can make noises, which is certainly easier to slip malice through.

Re:Hardware sampling rates (3, Funny)

ColdWetDog (752185) | about 2 months ago | (#47221953)

Ah, but you're missing an entire other defensive mechanism. One that, I will point out, did not escape the genius of Apple. Recall the recent angst about Apple's acquisition of Beats Audio [slashdot.org] . The two theories judged most likely centered around either gratuitously spending money to annoy the Slashdot hive mind or strategically buying up an inconsequential streaming audio business. Of course, careful consideration (yes, I understand that contradiction here) would lead one to realize that neither is very likely, so I offer a more technically sound rationale:

If you've ever listened to a set of Beats headphones, the second thing you notice (the first is that they are ugly and cheap) is that it is engineered to be unable to pass frequencies higher than 4000 Hz. You're not going to hear a set of cymbals or a piccolo to save your life.

So, these nefarious persons can attempt to stuff whatever data they'd like into the higher registers - it will do them no good at all. You don't need complex software rules, you don't need specially constructed DACs. You just need bass. Furthermore, if all you are going to do is to listen to DC to 4 kHz noise, you don't need a particularly robust audio platform to do it (like an iPhone). And, as an added bonus, this limited bandwidth will save on your precious monthly allotment of data.

Apple has you covered, folks.

Re:Hardware sampling rates (2)

Captain Splendid (673276) | about 2 months ago | (#47223007)

he two theories judged most likely centered around either gratuitously spending money to annoy the Slashdot hive mind

Yes, it's amazing what money tech companies will spend to piss off the average slashdotter. We truly are special.

Re:Hardware sampling rates (1)

ColdWetDog (752185) | about 2 months ago | (#47224179)

I presume you mean as in 'short bus' special.

Re:Hardware sampling rates (1)

Captain Splendid (673276) | about 2 months ago | (#47224705)

Yup. Spend enough time here and you'd swear the tech industry orbits Slashdot, and not the other way around.

Re:Hardware sampling rates (1)

Anonymous Coward | about 2 months ago | (#47221365)

Even better would be to install an analog filter on the speakers that limited frequencies to below 20kHz or so. Component cost less than ten cents.

Re: Hardware sampling rates (1)

Anonymous Coward | about 2 months ago | (#47222325)

20 bits per second.

I type 80wpm. 5 characters per word. 400 chars per minute, or 6.7 chars per second, or about 53 bits per second.

Therefore I type almost three times faster than this channel's data rate.

Re: Hardware sampling rates (0)

Anonymous Coward | about 2 months ago | (#47222613)

That's only 53 b/s if encoding in ascii
Given this is for a keylogger you could easily use a Huffman style code, assigning the codes to space, lower case letters, capital letters then symbols in order of increasing length.
That would drop your 80wpm data rate to about 30b/s for general typed text. A little buffering to hold you until the typer takes a thinking break and you're sorted.

Re: Hardware sampling rates (1)

sexconker (1179573) | about 2 months ago | (#47222865)

20 bits per second.

I type 80wpm. 5 characters per word. 400 chars per minute, or 6.7 chars per second, or about 53 bits per second.

Therefore I type almost three times faster than this channel's data rate.

Log keystrokes.
Optionally, filter (look for the @ symbol for email addresses, a known bank in a browser window's title, symbols / cAPs near eachother for passwords, whatever).
Compress.
Send.

Unless you type > 20 bps after compression (and filtering), the entire time your computer is on, it will keep up.
Even if you do outpace it by a factor of infinity, it will still be transmitting at 20 bps, so it'll still be getting your shit. As hits something interesting (login credentials, your Harry Potter fanfic, whatever) you're fucked, regardless of how far ahead you are.

Re:Hardware sampling rates (4, Funny)

Rosco P. Coltrane (209368) | about 2 months ago | (#47221389)

The easiest way to eliminate this threat is to lock down hardware sampling rates such that ultrasonic frequencies cannot be reliably reproduced

Nope. The easiest way to eliminate this threat is to keep a pet bat next to your computer to scramble any ultrasonic transmission.

Re:Hardware sampling rates (1)

Applehu Akbar (2968043) | about 2 months ago | (#47222393)

OR...issue whistles to everyone in your office, to be used at random intervals.

Re:Hardware sampling rates (1)

evilviper (135110) | about 2 months ago | (#47222945)

The easiest way to eliminate this threat is to lock down hardware sampling rates such that ultrasonic frequencies cannot be reliably reproduced

That's very short-sighted. The ultrasonics are only a matter of making the communications stealthier. Systems unable to produce ultrasonics could still communicate with each other, using audible ranges.

Doing so, undetected, just requires a little intelligence. It could wait until late at night, when all the systems have been idle for some time. The malware could even set a wake-up time in the BIOS to ensure they all start up some time after everyone has left, and communicate.

Or, you could modulate the data inside some sounds that wouldn't be out-of-place in an office. For computers, the obvious option is to play the sound of fan noises, with a little data modulated in with the audio.

Re:Hardware sampling rates (1)

Archfeld (6757) | about 2 months ago | (#47225017)

I swear on some late night upgrades I've heard the machines talking to me, but NOW I know it was true...

Re:Hardware sampling rates (1)

klui (457783) | about 2 months ago | (#47224939)

An easier way is just cheap speakers doing what they do best.

Re:Hardware sampling rates (1)

Midnight_Falcon (2432802) | about 2 months ago | (#47225007)

Hardware sampling rate is actually a kind of roundabout way to do it. More easily, one can place an analog high-pass filter set at 20KHZ or so before the speakers in the sound driver hardware etc. These are very cheap for low-power applications like laptops.

Just a technology arms race (1)

rmdingler (1955220) | about 2 months ago | (#47221213)

You patch this hole in your defenses.

Another exploit undermines a heretofore unknown weakness.

Exploitation that doesn't kill you makes you stronger.

A (hidden) communication channel is not an attack (5, Insightful)

thospel (99467) | about 2 months ago | (#47221227)

WTF ? That's a covert communication channel, not an attack.
At least the original source gets that right. But what idiot writes the slashdot version of the article?

Re:A (hidden) communication channel is not an atta (2)

Hognoxious (631665) | about 2 months ago | (#47221339)

But what idiot writes the slashdot version of the article?

Probably the same one who wrote a similar article about a year back.

Re:A (hidden) communication channel is not an atta (1)

Anonymous Coward | about 2 months ago | (#47221897)

To be more specific it is this story [slashdot.org] - same exact paper from November of last year.

Re:A (hidden) communication channel is not an atta (1)

burisch_research (1095299) | about 2 months ago | (#47221345)

This. It is NOT an attack. And let's face it, very very few people have an air gap on their computers. Since that's the case, it's so much easier to just use the existing wired network or wireless network to ferret data out. 20 bits per second is hardly practical anyway, even for small amounts of data (which, today, would be classified as megabytes.)

Re:A (hidden) communication channel is not an atta (0)

Anonymous Coward | about 2 months ago | (#47221813)

Yep, that's what I was thinking too.
20 bits per second is 9 kilobytes per hour. That's hardly enough to be useful even for plain text keylogging, let alone for anything more complicated (like uploading new attack code).

Re:A (hidden) communication channel is not an atta (0)

Anonymous Coward | about 2 months ago | (#47222107)

> That's hardly enough to be useful even for plain text keylogging,

That's funny since the paper cited in TFA includes a key-logger as part of their demonstration.

Re: A (hidden) communication channel is not an att (1)

garompeta (1068578) | about 2 months ago | (#47222495)

The password was GOD

Re:A (hidden) communication channel is not an atta (0)

Anonymous Coward | about 2 months ago | (#47221859)

> And let's face it, very very few people have an air gap on their computers.

And so those people don't need to worry about it. Its the people with air gaps who do need to worry about it.

Your argument is kind of like saying that since the majority of people in the world don't own a car, seatbelts aren't a big deal.

Re:A (hidden) communication channel is not an atta (1)

burisch_research (1095299) | about 2 months ago | (#47221909)

That's absolutely true. If you're one of the 0.00002% who does own a car, well, then obviously you should be thinking about seatbelts. But car owners are so rare that I'll probably never meet one, ever. Seatbelts have zero effect on my life.

Re:A (hidden) communication channel is not an atta (0)

Anonymous Coward | about 2 months ago | (#47222021)

Over 5 million people in the US hold secret-level or higher security clearances. [washingtonpost.com] Nearly all of them have work that involves classified computer systems, ALL of which are air-gapped. And that doesn't even count commercial applications where the company is concerned about industrial espionage.

Your objections here only display your ignorance, not your wisdom.

BTW, you've met at least one now.

Re:A (hidden) communication channel is not an atta (0)

Anonymous Coward | about 2 months ago | (#47222527)

Those folks wouldn't be allowed to bring their non-cleared devices into a SCIF anyways. You'd need to check your phone/laptop etc in at the front desk. Or you should be anyways.

Physical security is one of the few things the feds seem to do right with their computing systems.

Re:A (hidden) communication channel is not an atta (0)

Anonymous Coward | about 2 months ago | (#47222691)

> Those folks wouldn't be allowed to bring their non-cleared devices into a SCIF anyways.

Man I get damn sick of people like you. Instead of trying to think like the "enemy" and come up with ways to break the system you think like a naive baby and just assume that the system must works because of that's what the owners want it to do. People like you are the reason the internet is the security equivalent of swiss cheese - you can't build good security if you don't even try to think like an attacker.

Nobody said anything about bringing your own hardware into a SCIF. If you haven't been paying attention there are lots of opportunities for infiltration - the US DoD got owned by a USB virus back in 2008, the NSA intercepts hardware shipments before delivery to the customer and implants their own malware. We are constantly hearing (unproven) accusations of China doing the same thing and they manufacture like 99% of all computing hardware nowadays.

Re:A (hidden) communication channel is not an atta (2)

sexconker (1179573) | about 2 months ago | (#47222889)

Over 5 million people in the US hold secret-level or higher security clearances. [washingtonpost.com] Nearly all of them have work that involves classified computer systems, ALL of which are air-gapped. And that doesn't even count commercial applications where the company is concerned about industrial espionage.

Your objections here only display your ignorance, not your wisdom.

BTW, you've met at least one now.

I will take the 5 million number at face value.
I laugh at the idea that nearly all of those people access classified computer systems.
And the idea that they're all air gapped? That's just complete bullshit, as recent history has shown.

Re:A (hidden) communication channel is not an atta (1)

burisch_research (1095299) | about 2 months ago | (#47223013)

Over 5 million people in the US hold secret-level or higher security clearances.

I'm not from the US; as a proportion of population, 5 million is a very high number indeed -- and I believe the proportion in the civilized world is much lower.

Re:A (hidden) communication channel is not an atta (0)

Anonymous Coward | about 2 months ago | (#47225129)

If the computers are air gapped than how is the software that tells it to transmit over ultrasonic sound supposed to get on them in the first place?

Re:A (hidden) communication channel is not an atta (1)

rhsanborn (773855) | about 2 months ago | (#47222085)

This is a good way to hide your snooping in sensitive environments that are running adaptive intrusion detection systems. It's also a way to get secure computers that aren't connected to the network, to talk to less secure computers that are. Think military. Jim falls prey to a USB based piece of malware and puts it on a DoD machine that is on their internal, secure network. It talks to an Internet-connected computer to move data from one to the other. The USB vector is exactly how the US/Israel got malware onto Iranian centrifuge controller systems, so it's a valid concern.

Re:A (hidden) communication channel is not an atta (2)

RevWaldo (1186281) | about 2 months ago | (#47222147)

I was wondering how this speed compared to a telegraph operator sending Morse Code. Googling about, words per minute, based on the standard five characters per word plus spaces and punctuation, works out to about bps * 1.2.

http://superuser.com/questions... [superuser.com]

So 20 bps is about 24 words per minute. Compare this to a skilled telegraph operator, who can manage 40 wpm.

http://en.wikipedia.org/wiki/M... [wikipedia.org]

So yeah, it's slow, BUT for keylogging it couldn't keep up only if users typed constantly, which they don't. Plenty of time in between to do some catch up.

.

Re:A (hidden) communication channel is not an atta (2)

gstoddart (321705) | about 2 months ago | (#47222277)

20 bits per second is hardly practical anyway, even for small amounts of data

Depends on the data, doesn't it?

If I've installed something which is designed to capture passwords, your 20 bits/sec means I can transmit your password in just a few seconds.

So if all it does it say "got it, user X has this password" ... that can be pretty valuable and is likely do-able in under 30 seconds.

This may not be an attack, but it is an attack vector.

Re:A (hidden) communication channel is not an atta (1)

freeze128 (544774) | about 2 months ago | (#47223449)

That scenario would require that there be some sort of keylogger already present and running on the compromised machine. If that's the case, then why bother with all this cloak and dagger shit? Hell, there are plenty of other routes that the data could take:

Store the data in a file on a local drive (hard drive or even USB flash drive)
Transmit it over Ethernet.
Transmit it over Wi-Fi.
Transmit it over bluetooth.
Transmit it over IRDA.

Or, my favorite, just have the machine use text to voice to shout out the user's password over the speakers. Then it's a race to see if you can login before the user can change the password. :)

Re:A (hidden) communication channel is not an atta (1)

gstoddart (321705) | about 2 months ago | (#47224335)

That scenario would require that there be some sort of keylogger already present and running on the compromised machine. If that's the case, then why bother with all this cloak and dagger shit?

Well, given the prevalence of things like spear phishing and the like, maybe it's not all that tough.

And the point of the cloak and dagger is, if they don't know you're listening, and you're using a channel they're not scanning for ... you can keep doing it with impunity.

So, say I worked for an agency which relied on secrecy ... call them the Notional Security Assholes for sake of argument ... wouldn't it be in my interest to want to gather as much data as possible without you knowing I'm doing it?

If the value of what you're spying on is high value enough, and you want to conceal your ways and means, it doesn't seem like there's an upper bound on how much trouble something is worth.

Because you extract the passwords one way, and exploit them via another, and it's impossible to identify how you got the password, and maybe you can conceal that it was ever used at all.

Sure, it's right out of Tom Clancy or Hollywood, but some of the cold war stuff was pretty wacky by today's standards. Think "Remote Sensing" and some of the other stuff that we more or less consider pretty loony.

Re:A (hidden) communication channel is not an atta (0)

Anonymous Coward | about 2 months ago | (#47221515)

timothy approved it, so it means it probably was not read. I am fairly certain the slashdot staff consists of monkeys hitting randomly on keyboards that only consists of "discard" and "approve" buttons. In case I am mistaked, I consider a cat to be a valid alternative.

Re:A (hidden) communication channel is not an atta (1)

Anonymous Coward | about 2 months ago | (#47221519)

IKR... I read the article summary and was double face palming.

You can't install malware via the microphone inputs lol. You can only receive inputs from a preconfigured machine and the attacks still have to happen in other ways.

Re:A (hidden) communication channel is not an atta (1)

Anne Thwacks (531696) | about 2 months ago | (#47222677)

YOU cant install malware this way, but people who have machines which are already 99% malware can (but probably never will).

You are correct - this is utter and complete nonsense. No uninfected computer is going to consider what comes into the mic channel as potentially sensible to execute, or, indeed do anything other than save it as audio data.

If your computer is in the habit of executing WAV of MP3 files, or saving audio as .exe files, you are already more than truely and completely stuffed.

Re:A (hidden) communication channel is not an atta (2)

killkillkill (884238) | about 2 months ago | (#47222875)

The amount of serious discussions of how to mitigate this "attack" above this comment saddens me. If you have rouge software on your computer, severing one of the least efficient communication channels I've heard of is not going to be helpful.

Re:A (hidden) communication channel is not an atta (0)

Anonymous Coward | about 2 months ago | (#47224463)

WTF ? That's a covert communication channel, not an attack. At least the original source gets that right. But what idiot writes the slashdot version of the article?

What, your computer doesn't auto-execute whatever ultrasonic binary data arrives over the mic?

Much simpler method (0)

Anonymous Coward | about 2 months ago | (#47221255)

I use VoIP every day, but just leave my bluetooth headset dongle plugged in, so the speaker and mic are disabled. No transmission, no worries. Of course, there is only the one PC in my office since I work at home. My dog might hear the ultrasonic output though :-)

Re:Much simpler method (1)

hotcut (1289754) | about 2 months ago | (#47221443)

I do not believe there is anything preventing malicius software from using the speaker and mic in the computer, disregarding the headset. So leaving your headset in, just gives you a false sense of security. Not relevant in your setup (unless they want to covertly send your dog on a murder spree), but still :)

Re:Much simpler method (1)

Phreakiture (547094) | about 2 months ago | (#47221977)

You will be disappointed to learn that the disablement of the speaker and mic are done in a fly-by-wire manner. I became aware of this firsthand when I discoverd that a bad audio driver was allowing the audio I was listening to to go both to my headphones and my speakers. I wasn't aware of it until a co-worker tapped me on the shoulder. Fixing the mixer settings caused the audio not to go to the speakers.

Further to that, BT is an even bigger fly-by-wire. With BT, you are essentially putting an additional sound card onto your machine, and choosing to use it (via software) instead of the built in one. The built-in one is still there, however, and still availble to any software that chooses to use it. There exists no mechanism through which BT presence can cause a not-software-overridable hard interrupt of audio to the speakers and from the mic.

I would advocate for there to be a switch installed on every laptop that, when flipped, interruptes, in a hardware-based, analogue manner, the connection of the speakers and mic to the sound hardware. Open the circuit in a way that no software can close it.

useful in some very interesting ways (1)

nimbius (983462) | about 2 months ago | (#47221285)

While impractical at scale, this is a very clever way to defeat things like DoD secured air-gap networks, and 20bps is easily capable of say, keylogging :)

useful in some very interesting ways (0)

Anonymous Coward | about 2 months ago | (#47221853)

Keylogging is often pointless without timing and context.
In other words it's useful to know when something was written and in what window (or even input control).
If you don't have that info, you just have a jumble of characters, which makes it much harder to extract anything (i.e. passwords).
However that context info is much larger than the characters typed and a few kilobytes per hour simply won't do the job very well.

Re:useful in some very interesting ways (0)

Anonymous Coward | about 2 months ago | (#47222045)

If you manage to put it on an airgapped PC, you probably wouldn't need full realtime keylogging.

Airgapping is usually used for cryptography-related tasks - you could exfiltrate a 16kbit private key and its passphrase at 20bps just fine.

Re:useful in some very interesting ways (0)

Anonymous Coward | about 2 months ago | (#47222835)

hate to break it to the hackers of the world (this is probably not news to them) - that if there's a DoD "airgapped" system, they're also required to address TEMPEST standards. I don't think that TEMPEST includes microphones and speakers. But you can bet it soon will.

Not that new (4, Informative)

T.E.D. (34228) | about 2 months ago | (#47221293)

I worked on a COMSEC job back in the '90s, and both our device and our building (particularly the windows) had countermeasures for this kind of attack.

Perhaps this is a new thing for garage hackers, but intelligence agencies have known about it for decades.

Re:Not that new (1)

Ryanrule (1657199) | about 2 months ago | (#47221691)

Yeah you could read old punch cipher locks if you listed closely.

Re:Not that new (0)

Anonymous Coward | about 2 months ago | (#47221737)

Yup, more effective to point a laser at the window and measure the vibrations from the noises within the building.

Laptops should, regardless, not be able to product ultrasonic noises or receive them (or at least the capability should be off as a default). There's no currently daily-use usecase for the regular joe to have this capability. The only real currently viable application for this is in listening for and transmitting proximity based authentication codes.

Re:Not that new (1)

Anonymous Coward | about 2 months ago | (#47222253)

> Yup, more effective to point a laser at the window and measure the vibrations from the noises within the building.

Laser microphones are not that precise. [npr.org]

Re:Not that new (3, Insightful)

slew (2918) | about 2 months ago | (#47223809)

FWIW, Back in the 90's people were also worried about tempest-like stuff (e.g., EM emissions), but simply disabling the speakers isn't enough to inhibit the sonic transmission path. Electronics can "hum" at ultra-sonic frequencies (and fans can transmit audible frequencies), so by running of a suitable thermal virus actions, it is possible to leak information from a previously compromised machine that was not network connected.

However, disabling the microphone would certain make it harder to control such a compromised, air-gapped machine...

Ultrasonic reception? (1)

Megane (129182) | about 2 months ago | (#47221295)

Does this mean I can get a lirc driver that works with an old Zenith clicker remote?

Re:Ultrasonic reception? (1)

jones_supa (887896) | about 2 months ago | (#47221645)

I doubt there is a ready-made LIRC driver, but in theory it might be possible to get it working with a computer. Try recording some button presses with a sound recording program using the mic input and see if anything shows up in the waveform. Then write some software which bridges the sound driver to the remote controller API.

Does it really matter? (4, Insightful)

mrspoonsi (2955715) | about 2 months ago | (#47221313)

For this to work, the computers must already be 'owned', the fact the computers can communicate 20 meters with another infected machine is the least of the worries if you ask me.

Re:Does it really matter? (0)

Anonymous Coward | about 2 months ago | (#47221709)

Why should a valid concern be totally quashed because another is subjectively more important?

Re:Does it really matter? (1)

evilviper (135110) | about 2 months ago | (#47222845)

For this to work, the computers must already be 'owned',

Computer viruses spread long before there was networking... One infected file on a CD, DVD, USB Flash drive, etc. Or it could be even more covert, like a USB mouse/keyboard modified with data storage.

the fact the computers can communicate 20 meters with another infected machine is the least of the worries if you ask me.

It's still significant. It may offer the only method of getting information in/out of an otherwise isolated network.

While fully autonomous malware can do some serious damage, it doesn't approach the level of damage possible by leaking sensitive information out to the world, or using some human intelligence to guide some very finely-grained data manipulation / corruption.

Re:Does it really matter? (1)

mrspoonsi (2955715) | about 2 months ago | (#47222929)

Normally Desktops do not have inbuilt speakers, so they can be ruled out, that leaves laptops, which do have wifi. An owned laptop could self enable the wifi, create its self as a hot spot and allow other computers elsewhere in the building to connect to it (through walls and what not).

A simple defense (2)

Marginal Coward (3557951) | about 2 months ago | (#47221373)

The folks who designed my desktop computer were really thinking ahead on this one: it was built without a speaker. Besides enhancing security, an auxiliary benefit of their clever "no-speaker defense" is that saved the manufacturer cost and space.

Re:A simple defense (1)

drinkypoo (153816) | about 2 months ago | (#47222173)

The folks who designed my desktop computer were really thinking ahead on this one: it was built without a speaker. Besides enhancing security, an auxiliary benefit of their clever "no-speaker defense" is that saved the manufacturer cost and space.

Virtually no PC desktops have internal speakers connected to the sound card, and even fewer of them have a microphone. Many PCs no longer even have a speaker connector for POST code beeps, and depend solely on a flush-mount piezo buzzer. But virtually all laptops today have both speakers and mic...

Re:A simple defense (0)

Anonymous Coward | about 2 months ago | (#47222289)

And laptops are great for classified work because at the end of the day they can be secured in a safe - a common thing to do at higher classification levels.

Re:A simple defense (1)

triffid_98 (899609) | about 2 months ago | (#47224159)

Actually...for ultrasonics piezoelectric speakers are far better than conventional cone drivers...just not the 2 cent variety you're referring to here.

Easy defense (0)

Anonymous Coward | about 2 months ago | (#47221401)

Just leave your headphones plugged in.

Fix (3, Insightful)

Bazman (4849) | about 2 months ago | (#47221421)

Headphones. Or dummy jack-plugs.

In what way is this a "vulnerabilty"? (1)

REggert (823158) | about 2 months ago | (#47221429)

Given that the machines have to have the acoustic networking software installed on them (requiring already having root access), this is at worst a covert communications channel that could be used to bypass network security controls in order to exfiltrate information from an otherwise secure network. It has no impact on whether machines can be hacked to begin with.

Re:In what way is this a "vulnerabilty"? (0)

Anonymous Coward | about 2 months ago | (#47221769)

> this is at worst a covert communications channel that could be used to bypass network security controls in order to exfiltrate information from an otherwise secure network

Dude, you answered your own damn question. Covert communications channels for otherwise secure networks are a big fucking deal.

Complaining that this is not full-blown "bad bios" is to totally miss the point that something like this is absolutely necessary for a real life "bad bios." We've already seen a ton [theguardian.com] of other [wired.com] ways [ieee.org] to get the software on the secure network in the first place.

stupid (2)

slashmydots (2189826) | about 2 months ago | (#47221449)

So one infected computer talks to another via this method and the other computer is infected with code that interprets it. How about just use the malicious code on the 2nd computer to do whatever you were going to do with it? For network transmission, obviously just use encryption or a web server in the middle or something.

Re:stupid (1)

by (1706743) (1706744) | about 2 months ago | (#47221833)

Seems silly, yeah. Though there are certain very peculiar setups where this might be desirable, for example: computer 1 has network access, computer 2 does not, but gets the occasional USB thumbdrive from computer 1. If you can manage to infect computer 1, transmit it to computer 2, then you can gain get keylogging data from computer 2 in real-time (as opposed to waiting until someone plugs in a thumbdrive to computer 2 and then back into computer 1, where you can send over the network again).

Of course, if the whole reason computer 2 isn't connected to the network is security, you'd hope they have better security on their USB drives...

Re:stupid (0)

Anonymous Coward | about 2 months ago | (#47222145)

> Of course, if the whole reason computer 2 isn't connected to the network is security, you'd hope they have better security on their USB drives...

The NSA might have something to say about that. [bgr.com]

Re:stupid (1)

slashmydots (2189826) | about 2 months ago | (#47223227)

That make sense but here's what the failed to consider. People with higher IQs and better functioning nervous systems can hear 45KHz + frequencies. I'm one of them. So your IT dept would probably catch it pretty darn quick.

Re:stupid (1)

Lord Lemur (993283) | about 2 months ago | (#47223641)

Better yet, you can remotely execute pre-installed code. Think less of information gathering and more of weaponizing.

If I may be really long winded, let's imagine a system where there is a secure machine that is air gapped by say 30" from a non secured machine. The secure machine has privilleged access to $Doomsday_weapon_001, let's say a missle or better yet the control surface of a critical peice of infrastructure. Once infection has occured, and a payload delivered the two machines can lay in wait. At a particular time, like superbowl, the unsecure machine tells the secure machine to execute a preplanned attack using $Doomsday_weapon_001. The conversation can be really short less then a second or so, and boom goes the dynamite.

Leaking information onto secure systems is alot less complex then leaking information off. Why keylog when you can actully use the asset directly.

Actually useful (0)

Anonymous Coward | about 2 months ago | (#47221463)

In some circumstances, a mesh network that is non-electromagnetic based is particularly useful. Stops people intercepting traffic with powerful reception equipment.

As others have pointed out... (1)

sonamchauhan (587356) | about 2 months ago | (#47221503)

... Its a covert transmission channel, not an attack...

A camera pointed at a computer monitor slowly shifts its average hue (a la 'f.lux') is another such example.

My computer talks to me (1)

Required Snark (1702878) | about 2 months ago | (#47221553)

When I'm near the computer I hear these voices that no one else can hear.

It tells me things that no one else knows. Things that I'm not supposed to hear.

Sometime it tells me to do things. It told me not to tell you what they are.

Computers only talk to very special people. You wouldn't understand.

It told me to shut up now. Bye.

"Threat" from last year??? (3, Insightful)

LordLimecat (1103839) | about 2 months ago | (#47221655)

Dragos Ruiu's findings from last year were never able to be reproduced by an outsider, and were highly suspect. Sometimes you can be a brilliant security guy, and also a delusional paranoid-- and I think the general consensus was that in that scenario, Dragos was being delusionally paranoid.

The idea that various laptop speakers (all of varying and generally poor quality) will be able to reliably form a wireless network is really far-fetched, no matter how you cut it. Every laptop's mic is different, the speakers are all in different locations, some mics are gonna be off, the acoustics of the room are unknown....

Theres just no way for this to reliably work.

Re:"Threat" from last year??? (3, Insightful)

Anonymous Coward | about 2 months ago | (#47221837)

> Every laptop's mic is different, the speakers are all in different locations, some mics are gonna be off, the acoustics of the room are unknown....

Says the guy demonstrating his utter lack of knowledge about DSP. All of those things can be compensated for with the right software, The price is simply reduced throughput. But when you've got days or weeks to run because no one even knows to look for you, even just 1bps can be sufficient.

Dragos being right or wrong says absolutely nothing about the viability of these techniques, only about his particular circumstances.

Re:"Threat" from last year??? (0)

Anonymous Coward | about 2 months ago | (#47222457)

Dragos implied that this software could be stored into the BIOS memory.

Re:"Threat" from last year??? (0)

Anonymous Coward | about 2 months ago | (#47222591)

Given that this paper was only published AFTER badbios hit the news, Dragos had nothing to say about THIS software.

Linux not susceptible to attack (4, Funny)

by (1706743) (1706744) | about 2 months ago | (#47221779)

You know, because the sound card probably isn't working right anyway (and forget about the mic).

(Joking, joking...built-in and USB soundcards work just fine on all my Linux computers.)

Ultrasonic sound! (0)

Anonymous Coward | about 2 months ago | (#47221903)

It has Supercow Cow Powers!

Solution: office dog (5, Funny)

RevWaldo (1186281) | about 2 months ago | (#47221935)

What is it? What is it, girl? Someone running a covert mesh network? Where's it coming from?

.

Sonic attack (0)

Anonymous Coward | about 2 months ago | (#47222049)

In case of Sonic Attack...it is imperative to bring all bodies to orgasm simultaneously.

Low budget detection (0)

Anonymous Coward | about 2 months ago | (#47222165)

Would animals such as dogs work as low budget detection systems? Isn't this how dog whistles work?

No audio filters on the DACs? (0)

Anonymous Coward | about 2 months ago | (#47222197)

Frankly I'm surprised that this could be a potential issue. I would of expected any DAC (Digital to Analog Converters) used to generate the analog sound output from any sound card or motherboard to have a low-pass filter [wikipedia.org] at the range of human hearing (nominally 20 kHz).

Okay, so according to the article at one of the links, they focus on the near-ultrasonic or upper range of what is normally considered the limit of human hearing of operating near 20 kHz. This also explains why their bits or symbol rate is so low, they are presumably using a reasonably narrow baseline (audio) frequency bandwidth in terms of contemporary digital communication, though numerous methods are used in amateur radio at HF in the RF portion of the frequency spectrum, a la PSK-31 et all.

Re:No audio filters on the DACs? (2)

bugs2squash (1132591) | about 2 months ago | (#47222693)

the senior engineers that tested the system consider it undetectable. The intern just smiled and said nothing...

Already filtered? (1)

morgauxo (974071) | about 2 months ago | (#47222313)

I thought most soundcards had a capacitor on the inputs that already filters out the higher frequencies. I read this when reading about using sound cards directly as software defined radios for receiving VLF signals. To receive higer frequencies some people have shorted the input capacitor out.

bit34 (-1)

Anonymous Coward | about 2 months ago | (#47222429)

ca8 r3ally ask of

20 bits per second (1)

ichthus (72442) | about 2 months ago | (#47222925)

Wow! So, after 4 days, 17 hours, 46 minutes and 40 seconds, you could transfer a whopping... 1 whole MEGABYTE.

Simple defence (1)

twazzock (928396) | about 2 months ago | (#47223009)

A simple defence would be to have ultrasonic noise generators emitting enough interference to effectively jam any transmissions. It should be no more audible than the transmissions.

Of course, the average user wouldn't need or probably want this (unless they're security paranoid/enthusiasts), but it might be useful in environments where information security is essential. Maybe even 'hardened' secure devices could have built in noise generators that can't be software disabled as an extra defence feature.

It might seem simpler to just limit the frequency ranges of the built in speakers/microphones, but it doesn't eliminate the threat completely as it is still possible there could be a headset, USB sound interface or devices in the microphone and earphone jacks in use without these filters. This way, regardless of the kind of sound I/O, the surrounding area of the device is blacked out.

$2 solution (0)

Anonymous Coward | about 2 months ago | (#47225037)

plug in a cheap headset. This allows VoIP over it And solves the problem.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>