Air-Gap Attack Exploits Gyroscope Ultrasonic Covert Channel to Leak Data

A new data exfiltration technique has been discovered, which uses a covert ultrasonic channel to leak sensitive information from air-gapped computers to a nearby smartphone device.

The adversarial model is called “Gairoscope” and was designed by Dr. Mordechai Guri, head of research and development (R&D) in the Cyber Security Research Center at the Ben Gurion University of the Negev in Israel.

“It is known that malware can leak data from isolated, air-gapped computers to nearby smartphones using ultrasonic waves,” Guri’s team wrote in a new research paper.

“However, this covert channel requires access to the smartphone’s microphone, which is highly protected in Android OS and iOS, and might be non-accessible, disabled or blocked.”

Gairoscope, on the other hand, is a covert ultrasonic channel that does not require a microphone on the receiving side. 

“Our malware generates ultrasonic tones in the resonance frequencies of the MEMS gyroscope,” the paper reads. “Data is modulated on these resonance frequencies and then decoded via the vibrations generated in the nearby smartphone.”

According to the new research, the inaudible frequencies created by the malware produce tiny mechanical oscillations within the smartphone’s gyroscope, which can be demodulated into binary information.

“Notably, the gyroscope in smartphones is considered to be a ’safe’ sensor that can be used legitimately from mobile apps and javascript,” the researchers wrote.

“Our experiments show that attackers can exfiltrate sensitive information from air-gapped computers to smartphones located a few meters away via Speakers-to-Gyroscope covert channel.”

While the method is still experimental, Guri’s team has recommended some countermeasures aimed at limiting the impact of the new malware.

Firstly, the researchers mentioned the zoning approach used in the telecommunication security standards, which makes sure systems are kept in restricted zones defined by a different radius.

“In our case, smartphones should be kept at a range of eight meters or more from the secured area,” reads the paper.

Secondly, the paper recommends the elimination of loudspeakers to create an audio-less networking environment known as ‘audiogapped’ and removing the audio drivers from the OS or completely disabling the audio hardware in the BIOS level configurations.

Guri’s team also said system administrators should filter out the resonance frequencies generated by the audio hardware using an audio filter, monitor the ultrasonic audio channels for power levels in order to detect convert ultrasound transmissions, and jam the covert channel by adding background noises to the acoustic spectrum.

For a complete list of countermeasures, you can view the paper’s original text here.

What’s Hot on Infosecurity Magazine?