The Cyber-Security Research centre at Ben-Gurion University of the Negev in Israel has published research demonstrating how air-gapped computer security can be bypassed using covert speaker-to-speaker, or even headphone-to-headphone, communication.
The researchers describe how the air-gap between two isolated computers can be bridged by opening a covert communications channel using the speakers of each machine. It is claimed that the technique, which has been codenamed Mosquito, can also enable this communication between microphone-less headphones.
In their paper, 'MOSQUITO: Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-Speaker Communications', the researchers state that their method is "based on the capability of a malware to exploit a specific audio chip feature in order to reverse the connected speakers from output devices into input devices - unobtrusively rendering them microphones."
This sounds very similar to another vulnerability published by the same set of researchers in 2016, 'SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit', which involved something called jack-retasking. This enabled malware to stealthily reconfigure a headphone jack from a line-out into a microphone jack, so that a connected output device can be turned into a recording device even when no microphone is present.
"Even if there was no network connection between the computers, and even if the microphones had been turned off deliberately as an anti-surveillance measure," Paul Ducklin, senior technologist (Asia Pacific) at Sophos, says, "the computers could therefore exchange data anyway, even across a so-called airgap." Provided you can implant malware on the computers in the first place, of course.
Which should be impossible on properly secured and air-gapped devices, right? Well, no, not if you recall how Stuxnet was most likely installed onto just such a computer, presumably by way of an infected USB key. The key words are 'properly secured', which is easier to define than it is to accomplish.
SC Media UK put it to Dr. Mordechai Guri, Head of R&D, Cyber-Security Research Centre at Ben-Gurion University of the Negev, who co-authored the Mosquito paper, that it's pretty much game over once physical access has been gained to an air-gapped computer anyway.
"From a security point of view, getting into an air-gapped computer is one issue and exfiltrating data is a different issue," Dr. Guri responded, continuing: "for example, you can think about a computer that was infected via supply chain attack. It is infected, malware inside, but no way to exfiltrate data out. This is where the air-gap covert channel is relevant."
That said, this sounds suspiciously like a case of an interesting attack methodology in theory, or at least within the confines of the lab environment, but not so much a practical attack vector in the real world. The research paper itself admits that both air-gapped computers would need to be infected with the malware, that the speakers or headphones would need to be passive and unpowered, and that, in the case of a 'headphone-to-headphone' exploit, the two machines would need to be within a maximum of three metres of each other. In fact, it states that the attack model is only relevant "where the headphones are located side by side or on two adjacent tables." Speaker-to-speaker channels can extend that range to nine metres.
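The channel the paper describes is ultrasonic, which points to a cheap defensive check for anyone responsible for an air-gapped room: sample the room with a microphone and compare the energy in the near-ultrasonic band against the energy in the ordinary audible band. The following is an added example written for this article, not code from the MOSQUITO paper or from the Ben-Gurion researchers. The 48 kHz capture rate, the 18-22 kHz "ultrasonic" band, the 500 Hz-8 kHz "audible" band and the flag threshold are all assumptions that would need calibrating for a real room, and the test signals are synthesised rather than captured.

```python
import math

# Assumed capture rate of the monitoring microphone (constructed value).
SAMPLE_RATE = 48_000  # Hz


def goertzel_bin_power(samples, k):
    """Power of `samples` at DFT bin k (frequency k * sample_rate / len(samples)).

    Uses the Goertzel recurrence so the monitor needs no FFT library and can
    run on a minimal, offline machine.
    """
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def band_power(samples, lo_hz, hi_hz, sample_rate=SAMPLE_RATE):
    """Sum of bin powers for every DFT bin between lo_hz and hi_hz inclusive."""
    n = len(samples)
    k_lo = round(lo_hz * n / sample_rate)
    k_hi = round(hi_hz * n / sample_rate)
    return sum(goertzel_bin_power(samples, k) for k in range(k_lo, k_hi + 1))


def ultrasonic_ratio(samples, sample_rate=SAMPLE_RATE):
    """Near-ultrasonic power (18-22 kHz, assumed band) divided by audible power
    (500 Hz-8 kHz, assumed band). A small constant avoids division by zero on
    a silent frame."""
    ultra = band_power(samples, 18_000, 22_000, sample_rate)
    audible = band_power(samples, 500, 8_000, sample_rate)
    return ultra / (audible + 1e-12)


def flag_ultrasonic(samples, threshold=1.0, sample_rate=SAMPLE_RATE):
    """True when the frame carries more near-ultrasonic than audible energy.

    The threshold is an assumption: a real deployment would record a baseline
    of the room first and alert on a sustained rise above that baseline.
    """
    return ultrasonic_ratio(samples, sample_rate) > threshold


def synth_tone(freq_hz, seconds=0.05, amplitude=0.5, sample_rate=SAMPLE_RATE):
    """Constructed test signal: a pure sine tone, standing in for captured PCM."""
    n = int(seconds * sample_rate)
    return [amplitude * math.sin(2.0 * math.pi * freq_hz * i / sample_rate)
            for i in range(n)]


def mix(*signals):
    """Sum equal-length signals sample by sample (constructed test helper)."""
    return [sum(values) for values in zip(*signals)]


if __name__ == "__main__":
    # Constructed frames: an ordinary 1 kHz hum, and a 20 kHz carrier on its own.
    for label, frame in (("1 kHz hum", synth_tone(1_000)),
                         ("20 kHz carrier", synth_tone(20_000))):
        print(f"{label}: ratio={ultrasonic_ratio(frame):.4f} "
              f"flag={flag_ultrasonic(frame)}")
```

Each 0.05 s frame at 48 kHz is 2,400 samples, so every bin is 20 Hz wide and the band sums cover the bands contiguously; a carrier that does not sit exactly on a bin still lands in the neighbouring bins of the same band. The ratio is deliberately relative rather than absolute so that a noisy server room (the point Tripwire raises below) does not by itself trip the check, but it also means a faint carrier under loud audible noise can be missed, which is why the threshold should come from a measured baseline rather than the placeholder value here.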
As Paul Edon, technical director (EMEA) at Tripwire, told SC Media, "there are a number of reasons why this should be considered as an interesting but theoretical case." As well as the need to gain physical or logical access to both discrete systems, such jack-retasking will almost certainly require System or Administrator level access on both systems. "If System or Administrator access to both discrete systems has been achieved," Edon continues, "there are much more effective and simple methods of extracting data of interest." That's without taking into account that most server environments are high in ambient noise, making clear communication between speakers highly unlikely outside the lab.
"This paper is a bit of a hammer looking for a nail" Paul Ducklin concluded, adding "if you've already got matching malware infections on both sides of your airgap, you have much bigger problems to worry about than speaker-to-speaker data leakage..."