Bad news for fans of air-gapped security – researchers have outlined how it could be defeated by converting speakers into ultra-sonic transceivers.
Air-gapping is based on the idea that two computers or networks can be viewed as isolated from one another if there is no physical or logical connection linking them.
The flaw is that computers come with interfaces not designed for communication which could, in principle, be covertly modified to bridge such a gap.
According to researchers based at Israel’s Ben-Gurion University of the Negev, this includes devices such as speakers and headphones.
Previous research by the same team showed how microphones (receivers) and speakers (transmitters) could be exploited in this way, primarily through laptops which come equipped with both.
However, doing the same for two devices of the same type – speakers and headphones both designed to transmit sound – should be much harder.
Overcoming this required exploiting two obscure techniques: speaker reversibility and jack re-tasking.
Reversibility is based on the observation that speakers and headphones can be thought of as microphones in reverse:
A loudspeaker converts electric signals into a sound waveform, while a microphone transforms sounds into electric signals.
The researchers found that it is possible to use electrical reversal to turn a speaker or headphone into a device that will behave like a crude microphone.
For this to work, they also had to re-programme the speaker port (designed to output sound) via the PC’s audio chipset.
A real-world attack based on this method could use inaudible sound in the 18kHz to 24kHz frequency range to send sound from a speaker to another speaker or headphone.
Such a method is not without limitations. This would only work on passive non-amplified speakers rather than active ones that have become common in many headphones and some speakers.
Data rates were also severely constrained, achieving a paltry, “166 bit/sec with a 1 per cent error rate when transmitting a 1KB binary file over a distance of three meters.”
Up this to between four and nine metres, and the rate drops off to as little as 10 bits per second. It’s hard to see this being useful for anything other than command and control under real-world conditions.
Previous, mainly Israeli, research has found ways to use infra-red surveillance cameras, hard drive LEDs and even acoustic fan noise to beat air gaps.
A month ago, news emerged of MAGENTO and ODINI, proof-of-concept attacks designed to use magnetic fields to break out of systems inside Faraday cages.
It’s tempting to dismiss some of this as the work of researchers with time on their hands. There are also simpler ways of beating air gaps such as exploiting portable storage.
But the bigger message is hard to miss: air gaps aren’t the impermeable barrier everyone once thought they were.
5 comments on “Speakers can be used to jump air-gapped systems”
A machine is no longer air-gapped as soon as you plug speakers into it, no more than if you plugged a usb wifi into it. How are the two any different? They both transmit and receive emissions invisible to the human eyes and ears. Is there truly any accessory you can plug into a machine that the emissions thereof could not be used to transmit data?
@Shane. I agree. As an electrical engineer with an advanced degree I can tell you that the only real difference between the WiFi hub and the speakers would be in distance and bandwidth. Both of these points were already mentioned by @John Dunn. Indeed any form of electromagnetic radiation, actually even ionizing radiation such as X-rays can be modulated to transmit digital or analog information.
A proper air-gap includes (and always has included) defences against physical intrusion, such as sound proofing, secured physical access routes, not having any visibility/audibility during entry/exit to the area….
Good operational security is hard, but if you need it enough that you need an airgapped device of some sort, you spend the time and effort on the rest.
None of these fancy theoretical attacks will ever outperform human compromise anyway, however, and its still the point most infosec falls down on.
It is unsurprising. If it can be exploited someone will find a way. The take away here is that it is beyond most peoples ability and the return does not out way the difficulty. I would be curious to see the study data. Things like ambient background noise, humidity and other factors can affect the results. I dare say even 166 bit/sec is stretching it a bit and 1% error rate over 1k is enough to make any data unreliable. 🙂
How did Stuxnet get into an Iranian nuclear powerplant again? And who were the main suspects? Owh wait, thats right!