20 Mar Data Exfiltration Technique Steals Data From PCs Using Speakers, Headphones
A well-established research team from the Ben-Gurion University of the Negev in Israel has detailed today a new method of extracting data from air-gapped computers using speakers, headphones, earphones, or earbuds.
The attack is only experimental at this point, has not been seen in the real world, but has been proven to work and researchers have also created a custom protocol for transmitting data between two computers —one air-gapped and one Internet-connected that can relay the data further.
Attack scenarios include speaker-to-speaker exfiltration, speaker-to-headphones, and headphones-to-headphones.
Jack retasking strikes again!
The attack —nicknamed MOSQUITO— is possible because of a technique called “jack retasking” that reverses output audio jacks to input jacks, effectively turning speakers into (unconventional) microphones.
The same research team explored jack retasking in a previous research project last year, called Speake(a)r, which researchers used to turn headphones into microphones and record nearby audio and conversations.
For the current experiment, researchers argue that malware that managed to infect an air-gapped computer can transform and modulate locally stored files into audio signals and relay them to another nearby computer via connected speakers, headphones, earphones, or earbuds.
The receiving computer, also infected with malware, uses jack retasking to convert connected speakers, headphones, earphones, or earbuds into a makeshift microphone, receive the modulated audio, and convert back into a data file.
MOSQUITO attack supports pretty fast transfer speeds
Researchers created a custom data protocol that modulates binary data into audio signals, and they tested their attack for distances between 1 and 9 meters (3.2 to 29.5 feet).
Researchers said they managed to transfer data between two computers with speeds varying from 1800 bits/s and 1200 bits/s for speakers facing each other and emitting sound in audible frequency bands (lower than 18kHz).
Transfer speeds decreased if the speakers weren’t facing each other, the distance between speakers increased, or audio frequency changed (towards low or high frequency). While the first two factors are self-explanatory, the last needs an additional explanation.
“The reason for that is that loudspeakers, and particularly home grade PC loudspeakers, were projected and optimized for human auditory characteristics, and therefore they are more responsive to the audible frequency ranges,” said researchers.
Transfer speeds also decreased when using earphones or earbuds (varied between 600 bits/s and 300 bits/s) and went even lower for headphones (around 250 bits/s). The reason was that headphones directed their sound waves in one particular direction, limiting efficient exfiltration cases to very small distances when headphones were close to each other, and when they emitted sound in audible frequencies only.
Other factors that decreased data transfer speeds included environment noise such as music and speech, but researchers said this could be mitigated by moving the data exfiltration frequency above 18kHz.
The research center from the Ben-Gurion University of the Negev who came up with this new data exfiltration technique has a long history of innovative and sometimes weird hacks, all listed below:
SPEAKE(a)R – use headphones to record audio and spy on nearby users
9-1-1 DDoS – launch DDoS attacks that can cripple a US state’s 911 emergency systems
USBee – make a USB connector’s data bus give out electromagnetic emissions that can be used to exfiltrate data
AirHopper – use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
Fansmitter – steal data from air-gapped PCs using sounds emanated by a computer’s GPU fan
DiskFiltration – use controlled read/write HDD operations to steal data via sound waves
BitWhisper – exfiltrate data from non-networked computers using heat emanations
Unnamed attack – uses flatbed scanners to relay commands to malware infested PCs or to exfiltrate data from compromised systems
xLED – use router or switch LEDs to exfiltrate data
Shattered Trust – using backdoored replacement parts to take over smartphones
aIR-Jumper – use security camera infrared capabilities to steal data from air-gapped networks
HVACKer – use HVAC systems to control malware on air-gapped systems
MAGNETO & ODINI – steal data from Faraday cage-protected systems