Acoustical Malware Transmits Via Sound, No Network Required

Researchers at the Fraunhofer Institute have put up a proof of concept that shows the potential for “acoustical malware.”

Researchers at the Fraunhofer Institute for Communication, Information Processing and Ergonomics have put up a proof of concept that shows the potential for “acoustical malware,” which uses a PC’s built-in microphone and speakers to open up an inaudible, covert channel that has no need for an internet or peer-to-peer wireless connection. The algorithm completely subverts the “air gap” idea, wherein machines that are not connected to a network in any way are considered safe from remote tampering.

Using technology originally conceived for underwater communications, researchers were able to perform remote keylogging at distances of about 65 feet, sending small amounts of data and passwords to other test machines via sound waves. But before we heave a sigh of relief that there is at least a distance restriction involved, the scientists pointed out that this can be overcome with a mesh network architecture that could relay the data through several P2P hops using the same technology.

“A covert acoustical mesh network can be conceived as a botnet or malnet that is accessible via near-field audio communications,” the researchers explained in the paper. “It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless.”

Presumably, everything from offline, “air gapped” nuclear facilities to the innermost, most-protected sanctums of corporations could now be made vulnerable.

As for applications, in addition to the multi-hop acoustical local keylogging that the scientists were able to perform, it’s also possible to connect to and tunnel over the internet. By connecting the attacker to an SMTP server that is connected to the internet, it’s possible to collect frames or lines of keystrokes and send them out as e-mail.

And it doesn’t stop there.

“Alongside the presented proof-of-concept, even more applications of covert networks are conceivable,” they noted. “For instance, it might be possible to break two-factor-authentication by extracting the authentication feedback of a hardware dongle or a smartcard. This way, it might be possible to authenticate oneself to a service with the credentials of a different user who tries to authenticate himself at the very moment.” And that, of course, gives attackers remote access.

Alongside keystroke information it would also be possible to forward other security-critical data such as private encryption keys or small-sized text files with classified information from the infected victim to the covert network. This data could be sent out periodically to maximize the likelihood of data extraction from the host, and it could also be spread to different environments: an infected drone might serve as a router in the covert network to provide access to further networks.

So far, only 20KB of data can be transmitted, which makes the technique inefficient for malware authors as it stands. But the fact that the algorithm has been shown to be effective at all should be cause for worry, because further development is bound to happen.

Fortunately, there are mitigations, like manually switching off the speakers, or installing an audio filter.
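The audio-filter mitigation can be paired with a check for energy in the inaudible band. The sketch below is an added example, not code from the article or the researchers: it measures how much of an audio frame's power sits in a near-ultrasonic band and low-pass filters the frame. The 48 kHz sample rate, 18 kHz band edge, 16 kHz filter corner and the constructed test tones are all assumptions, since the article gives no frequencies.

```python
import math

RATE = 48_000       # assumption: common PC audio sample rate
BAND_HZ = 18_000    # assumption: lower edge of the near-ultrasonic band to watch
FILTER_HZ = 16_000  # assumption: filter corner, below BAND_HZ to allow for roll-off

def bin_power(samples, k):
    """Goertzel algorithm: power of DFT bin k of the frame."""
    coeff = 2 * math.cos(2 * math.pi * k / len(samples))
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def high_band_ratio(samples, rate=RATE, band_hz=BAND_HZ):
    """Fraction of the frame's spectral power at or above band_hz."""
    n = len(samples)
    edge = math.ceil(band_hz * n / rate)  # first DFT bin inside the watched band
    powers = [bin_power(samples, k) for k in range(1, n // 2)]
    total = sum(powers)
    return sum(powers[edge - 1:]) / total if total else 0.0

def lowpass_taps(corner_hz=FILTER_HZ, rate=RATE, num_taps=101):
    """Hamming-windowed sinc low-pass FIR, normalised to unity gain at DC."""
    fc, mid = corner_hz / rate, (num_taps - 1) / 2
    taps = []
    for i in range(num_taps):
        m = i - mid
        ideal = 2 * fc if m == 0 else math.sin(2 * math.pi * fc * m) / (math.pi * m)
        taps.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * i / (num_taps - 1))))
    gain = sum(taps)
    return [t / gain for t in taps]

def lowpass(samples, taps):
    """Filter the frame, keeping only outputs where the taps fully overlap the input."""
    return [sum(t * samples[i - j] for j, t in enumerate(taps))
            for i in range(len(taps) - 1, len(samples))]

def constructed_frame(carrier, count=960, rate=RATE):
    """Constructed test audio: a 1 kHz tone, optionally plus a quieter 19 kHz tone."""
    return [0.5 * math.sin(2 * math.pi * 1_000 * i / rate)
            + (0.2 * math.sin(2 * math.pi * 19_000 * i / rate) if carrier else 0.0)
            for i in range(count)]

if __name__ == "__main__":
    print("audible only:", high_band_ratio(constructed_frame(False)))
    print("with carrier:", high_band_ratio(constructed_frame(True)))
    cleaned = lowpass(constructed_frame(True, count=1060), lowpass_taps())
    print("after filter:", high_band_ratio(cleaned))
```

A sustained ratio well above the audible-only baseline on a machine with no reason to emit or receive high-frequency audio is worth investigating; real microphone input also needs a noise floor and threshold tuned per environment.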
