Speakers can be used to jump air-gapped systems

http://sophosnews.files.wordpress.com/2018/03/shutterstock_237028816.jpg?w=170&h=90&crop=1

Bad news for fans of air-gapped security – researchers have outlined how it could be defeated by converting speakers into ultra-sonic transceivers.

Air-gapping is based on the idea that two computers or networks can be viewed as isolated from one another if there is no physical or logical connection linking them.

The flaw is that computers come with interfaces not designed for communication which could, in principle, be covertly modified to bridge such a gap.

According to researchers based at Israel’s Ben-Gurion University of the Negev, this includes devices such as speakers and headphones.

Previous research by the same team showed how microphones (receivers) and speakers (transmitters) could be exploited in this way, primarily through laptops which come equipped with both.

However, doing the same for two devices of the same type – speakers and headphones both designed to transmit sound – should be much harder.

Overcoming this required exploiting two obscure techniques: speaker reversibility and jack re-tasking.

Reversibility is based on the observation that speakers and headphones can be thought of as microphones in reverse:

A loudspeaker converts electric signals into a sound waveform, while a microphone transforms sounds into electric signals.

The researchers found that it is possible to use electrical reversal to turn a speaker or headphone into a device that will behave like a crude microphone.

For this to work, they also had to re-programme the speaker port (designed to output sound) via the PC’s audio chipset.

A real-world attack based on this method could use inaudible sound in the 18kHz to 24kHz frequency range to send sound from a speaker to another speaker or headphone.

Such a method is not without limitations. This would only work on passive non-amplified speakers rather than active ones that have become common in many headphones and some speakers.

Data rates were also severely constrained, achieving a paltry, “166 bit/sec with a 1 per cent error rate when transmitting a 1Kb binary file over a distance of three meters.”

Up this to between four and nine metres, and the rate drops off to as little as 10 bits per second. It’s hard to see this being useful for anything other than command and control under real-world conditions.

Previous, mainly Israeli, research has found ways to use infra-red surveillance cameras, hard drive LEDs and even acoustic fan noise to beat air gaps.

A month ago, news emerged of MAGENTO and ODINI, proof-of-concept attacks designed to use magnetic fields to break out of systems inside Faraday cages.

It’s tempting to dismiss some of this as the work of researchers with time on their hands. There are also simpler ways of beating air gaps such as exploiting portable storage.

But the bigger message is hard to miss: air gaps aren’t the impermeable barrier everyone once thought they were.


Leave a Reply

Your email address will not be published.