A team of computer scientists has developed a new breed of malware that can leap between devices using inaudible audio signals, and then covertly transmit passwords and other sensitive data without a network connection. Using just built-in microphones and speakers, the researchers can transmit passwords and other small quantities of data over distances of 20m.
Talking to Ars Technica, the computer scientists, from Germany’s Fraunhofer Institute for Communication, Information Processing and Ergonomics, explained:
“In our article, we describe how the complete concept of air gaps can be considered obsolete as commonly available laptops can communicate over their internal speakers and microphones and even form a covert acoustical mesh network. Over this covert network, information can travel over multiple hops of infected nodes, connecting completely isolated computing systems and networks (e.g. the internet) to each other.”
The inaudible sound, borrowed from techniques used to acoustically transmit data underwater, allowed the team to transmit data between two Lenovo T400 laptops using just their built-in microphones and speakers. They could only achieve a data rate of 20 bits per second, but that’s plenty to grab passwords and the like, as they write in a paper published in the Journal of Communications. Again, the researchers explain:
“This small bandwidth might actually be enough to transfer critical information (such as keystrokes). You don’t even have to think about all keystrokes. If you have a keylogger that is able to recognise authentication materials, it may only occasionally forward these detected passwords over the network, leading to a very stealthy state of the network. And you could forward any small-sized information such as private encryption keys or maybe malicious commands to an infected piece of construction.”
In incredibly sensitive environments, computers are often left with air gaps between them so physical contact can’t be used to transmit malware. This research means that approach might not be quite as fail-safe in the future, unless you just disable their audio capabilities, that is. [Journal of Communications via Ars Technica]