Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Stealthy Data Exfiltration Possible via Headphones, Speakers

A team of researchers has demonstrated how air-gapped computers can stealthily communicate with each other using speakers or headphones over ultrasonic waves.

A team of researchers has demonstrated how air-gapped computers can stealthily communicate with each other using speakers or headphones over ultrasonic waves.

Experts from the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel combined previous research on communications through ultrasonic waves with a technique that can be used to turn a device’s speakers into a microphone in an effort to create a covert data exfiltration channel.

Researchers demonstrated several years ago that audio modulation and demodulation can be used to exchange data between computers over the air via the ultrasonic frequency range. The method requires that the devices communicating with each other are equipped with both microphones and speakers.

However, it’s possible to turn speakers, headphones or earphones into microphones using only software, which Ben-Gurion University researchers demonstrated back in 2016 in an attack they dubbed SPEAKE(a)R.

Experts have now combined the two methods to show that a piece of malware installed on an air-gapped system fitted with speakers, headphones or earphones can transmit bits of data to one or more nearby devices running malware designed to capture the data via an audio output system turned into a microphone. These types of attacks, which they have dubbed MOSQUITO, can be launched in scenarios involving desktop computers that don’t have a microphone, or when the microphone on a laptop or desktop system has been disabled or taped.

The data exchange can take place over inaudible sound waves at frequencies of 18kHz or higher, which can be captured by regular headphones or speakers. The data can be modulated through audio frequency-shift keying (AFSK), which uses one frequency to transmit “0” bits and a different frequency to transmit “1” bits.

MOSQUITO attack

Tests conducted by researchers showed that a transfer rate ranging between 1200 bits/sec and 1800 bits/sec can be obtained for up to 8 meters (26 feet) for audible frequencies transmitted and captured using loudspeakers. The transfer rate drops to between 300 bits/sec and 600 bits/sec for inaudible frequencies.

Experiments conducted using headphones and earphones as recipients showed that they are not much worse than speakers, with transfer rates ranging between 300 bits/sec and 600 bits/sec over distances of 1m (3ft), 5m (16ft) and 8m (26ft). However, performance is significantly degraded when headphones are used both by the sender and the recipient — it only works over a distance of up to 3m (10ft) at a maximum of 250 bits/sec.

It’s worth noting that these are upper theoretical transmission rates. In practice, the transfer rate is influenced by environmental noise, the position of the transmitter and receiver, and bit error rates.

“Our experiments shows that at a distance of three meters between two speakers, a transmission rate of 166 bit/sec results in a 1% bit error rate, during the exfiltration of a 1Kbit binary file,” researchers explained in their paper. “However, at distances of 4-9 meters, the 1% bit error rate is only achieved at transmission rates of 10 bit/sec. Our waveform analysis shows that the signal quality is degraded at distances greater than four meters mainly due to the environmental noise, which results in a lower SNR.”

Researchers at the Ben-Gurion University of the Negev previously demonstrated that stealthy data exfiltration is also possible via magnetic fieldsinfrared camerasrouter LEDsscannersHDD activity LEDs, USB devices, the noise emitted by hard drives and fans, and heat emissions.

Related: Dell Launches Endpoint Security Product for Air-Gapped Systems

Related: Hackers Can Steal Data From Air-Gapped Industrial Networks via PLCs

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.