Using Ultrasound to Hack Air-Gapped Computers

Air-gapped computers are computers that are not connected to any network. They may even be physically isolated. Such computers are usually presumed to be safe from cyber manipulation. For this reason, businesses or organizations will often store important data on such computers. However, they are not as safe as most people think. Researchers have found a number of ways to breach such computers. For example, it has been found that the pressing of keys on a keyboard emits electronic signals that can be detected and analyzed. So, it would be possible for a hacker with the right equipment to analyze these signals to, at least theoretically, steal passwords and other data. It would be the same as if they had installed a keylogger. Other air-gapped hacking has used variations in magnetic, radio, or optical signals that have escaped from the air-gapped computer during its normal operations. Here is a summary of ways air-gapped computers have been breached.

air gapped channels

But there’s a problem. Such hacks are limited by proximity and transfer speed. All attempted hacks of air-gapped computers need to occur physically close to the target machine and the data they access is only transferable in bits per second. In other words, for a successful hack of an air-gapped computer to occur, a malicious machine in the same room or, at best, a nearby room, must have appropriate malware installed on it and, in addition, be connected to some network so that the information it receives from the air-gapped computer can be transferred to the hacker. The other alternative is to have data hacked from the air-gapped computer and stored on the hacking computer. Later, the hacking computer and the stolen data can be physically accessed by an insider.

The concept of hacking through ultrasound has been around for a while. In most of these scenarios, communication with an air-gapped computer was established using the computer’s speaker and microphone. In 2014, Hanspach and Goetz showed how ultrasound communications could use a series of ultrasound-connected laptops to extend the normal transmission range. The use of ultrasound is important in keeping these transmissions covert, i.e. above the level of human auditory detection. However, there is one big problem. Such attacks can be easily thwarted by simply turning off the microphone on the air-gapped computer. In addition, some desk top computers may not have a built-in microphone as laptops do.

This problem has now been solved by researchers at Israel’s Ben-Gurion University. They have demonstrated how audio output devices can be converted into audio input devices, and visa versa. This means that a computer’s speakers can be used, not only to receive ultrasound signals, but transmit them. In other words, turning off an air-gapped computer’s microphone will not stop the transmission of data. Speaker to speaker communication is a possible channel. Not only that, but headphones and earphones can also be used for transmission. The main problem here is installing malware on the target computer which is necessary to make this audio transformation possible.

This attack vector shows some increase in transmission rates (300 to 600 bits/sec), but still has a limited range of about 8 meters (~25ft). One positive point about using ultrasound is that it is not substantially affected by background noise. On the other hand, ultrasound is more affected by the directionality of the transmitting and receiving devices. That is, they work better if they are aligned, which, you cannot always rely on to occur in a natural setting.

With such limitations, is it really worth worrying about being hacked in such a way? For the average individual, probably not. The difficulty of accomplishing such a breach means that it is beyond the capability of the everyday bedroom hacker. This is a technique that would be reserved for nation-states looking for specific information on specific air-gapped computers. Such attacks would need to be well-organized and precisely targeted. A computer in proximity to the target air-gapped computer must get the appropriate malware installed on it before any attack could take place. This would normally require the use of either a well-formed spear phishing email or the help of a malicious insider. Far more troublesome would be getting malware onto the air-gapped computer. Again, this would likely be in the form of an insider working with the attackers or a naïve insider using something like an infected USB. The installation of malware on both devices would open a communication channel between the two devices. 

The transfer rate of data is also a problem, but that can be overcome with pure patience. Even small bits of code can compromise machine performance. Passwords, for example, can be transferred in bits of code.

The malware installed, the two computers, using the speakers or earphones on the air-gapped computer, would establish a communication channel and begin exchanging information. Obviously, one way to stop any such attack would be to disable any speakers or the use of earphones on the air-gapped computer. Apparently, even using an amplifier on the air-gapped computer can prevent an attack. Here is a summary of countermeasures from the same report.

air gapped countermeasures

All of this may make it seem as if ultrasound communication between devices is nothing to worry about. This would be a mistake. Last year, researchers learned that voice assistants, such as Siri and Alexa, have a better hearing range than humans. In other words, they can hear commands in the ultrasound range. In fact, any device that can be voice activated may be commanded to do things that its owner may not want it to do. Yet, they would never hear these commands themselves. Advertisers could, for example, have these devices go to their web pages and play ad messages. But before you panic, this only seems to work when the ultrasonic message transmitter is near the listening device, often, within one meter.

Thus, if the distance limitations can be overcome with amplification of the ultrasonic signal, all sorts of unusual and dangerous hacks could take place. Ultrasound has been amplified using the SASER (sound amplification by stimulated emission of radiation), which is, basically, the sound equivalent of a laser. Could this be used to infect an air-gapped computer at a distance? I simply don’t know, but it is an avenue that is no doubt being explored. The problem is that such ultrasonic waves can be dangerous to nearby humans. In fact, 180 decibels of ultrasound can even cause death.

Hearing loss is the major result of being exposed to ultrasound. Studies on the effect of ultrasound exposure have found people also complain of “fatigue (36.8%), headache (12.1%), somnolence (5.3%), dizziness (5.3%) and palpitations (5.3%).” Other studies on excessive ultrasound exposure found people complaining of “irritation, memory problems and difficulties with concentration and learning.” These symptoms are similar to those reported by workers at the American Embassies in Cuba and China. Some have claimed that these symptoms were psychosomatic; however, if some sort of ultrasound hacking was being attempted, it could have accidentally produced these symptoms. In fact, research done by the University of Michigan indicates that this is a possible explanation for the health problems experienced by the embassy staff.

There is no way for us to know how far nation-states have advanced in such hacking, but I have no doubt it is under development. Could malware be installed directly onto an air-gapped computer through ultrasound? That would be the next big step and it would mean that any computer, not only an air-gapped computer, could be vulnerable. If all this is true, businesses and agencies serious about security need to consider using ultrasonic jammers as part of their cybersecurity architecture. In any event, the cybersecurity landscape has just become a lot more complicated.

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technologies, TrustWall and Mobile bare-metal virtualization. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator.
This entry was posted in Uncategorized and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s