SecurityWeek

New Air Gap-Jumping Attack Uses Ultrasonic Tones and Smartphone Gyroscope

A researcher from the Ben-Gurion University of the Negev in Israel has shown how a threat actor could stealthily exfiltrate data from air-gapped computers using ultrasonic tones and smartphone gyroscopes.

The attack method, named GAIROSCOPE, assumes that the attacker has somehow managed to plant malware on the air-gapped computer from which they want to steal data, as well as on a smartphone that is likely to go near the isolated device.

According to researcher Mordechai Guri, the malware that is on the air-gapped computer can transmit ultrasonic tones using the device’s loudspeakers. These tones are inaudible and on a frequency that is picked up by a gyroscope.

[Figure: GAIROSCOPE attack setup]

Gyroscope sensors in smartphones determine the direction of the device and they enable users to perform various actions by tilting the phone. This includes automatically rotating the screen and moving characters or objects in a game. Unlike the microphone, which is more difficult to access by a malicious application, a phone’s gyroscope can be accessed by iOS and Android malware that does not have as many permissions.

The malware that is on the isolated device collects valuable data such as passwords and encryption keys, and encodes it using audio frequency-shift keying, where one specified frequency represents a ‘0’ bit and a different frequency represents a ‘1’ bit. The malware uses the device’s speakers to transmit inaudible sounds at those frequencies.

On the phone side of the attack, the infected device’s gyroscope picks up those tones when it’s near the air-gapped computer. The method leverages previous research that showed how gyroscopes are vulnerable to acoustic attacks.

The hacker’s mobile malware continuously samples and processes the gyroscope sensor output. When it detects an exfiltration attempt — a specific bit sequence is used to signal the start of data transmission — it demodulates and decodes the data. The exfiltrated data can then be forwarded to the attacker using the phone’s internet connection.

Experiments conducted by Guri showed that the GAIROSCOPE method allows for a maximum data transmission rate of 8 bits/sec over a distance of up to 8 meters (26 feet).
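A defender-side illustration of the signalling described above, added here and not taken from the article or from Guri's research: a monitor that scans a microphone capture for near-ultrasonic tones that hop between frequencies, which is what frequency-shift keying looks like to a listener. The sample rate, watched band, threshold and the 19.0/19.5 kHz test tones are assumptions, and the three captures are constructed.

```python
import math
import random

RATE = 48_000                            # assumed capture rate of a monitoring microphone (Hz)
WINDOW = 2_400                           # 50 ms analysis window, 20 Hz bin spacing
WATCH_BAND = range(18_000, 24_000, 500)  # assumed near-ultrasonic candidates, not from the article
THRESHOLD = 1e-4                         # assumed power floor; tune to the room's noise level

def goertzel_power(samples, freq):
    """Normalised power of one frequency bin (A^2/4 for a sine of amplitude A)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / len(samples) ** 2

def classify(samples):
    """Return (verdict, frequencies) for a mono capture of floats in [-1, 1]."""
    seen = []
    for start in range(0, len(samples) - WINDOW + 1, WINDOW):
        win = samples[start:start + WINDOW]
        power, freq = max((goertzel_power(win, f), f) for f in WATCH_BAND)
        if power >= THRESHOLD:
            seen.append(freq)            # strongest in-band tone for this window
    switches = sum(a != b for a, b in zip(seen, seen[1:]))
    if len(seen) < 4:
        return "clear", set(seen)        # no sustained energy in the watched band
    if switches >= 3:
        return "keyed", set(seen)        # tone hops between frequencies: FSK-like
    return "steady", set(seen)           # constant tone, no keying

def tone(freq, n, amp=0.1):
    return [amp * math.sin(2 * math.pi * freq * i / RATE) for i in range(n)]

def constructed_captures():
    """Three constructed one-second captures: FSK-like, steady tone, ordinary audio."""
    rng = random.Random(0)
    noisy = lambda sig: [x + rng.gauss(0, 0.01) for x in sig]
    bit_len = RATE // 8                  # 8 bits/sec, the maximum rate the article reports
    keyed = []
    for bit in (1, 0, 1, 1, 0, 0, 1, 0):
        keyed += tone(19_500 if bit else 19_000, bit_len)
    return {"keyed": noisy(keyed), "steady": noisy(tone(20_000, RATE)),
            "audio": noisy(tone(1_000, RATE, amp=0.5))}

if __name__ == "__main__":
    for name, capture in constructed_captures().items():
        print(name, classify(capture))
```

The "steady" verdict separates a constant ultrasonic source from keyed signalling, so an alert rule can treat the two differently.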

This is not the only air gap-jumping attack method presented by Guri this week. He has also published a paper demonstrating how hackers could silently exfiltrate data from isolated systems using the LEDs of various types of networked devices.

In past years, researchers from the Ben-Gurion University of the Negev have demonstrated several methods for covertly exfiltrating data from air-gapped networks, including by using RAM-generated Wi-Fi signals, fan vibrations, heat emissions, HDD LEDs, infrared cameras, magnetic fields, power lines, router LEDs, scanners, screen brightness, USB devices, and noise from hard drives and fans.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
