air gap

A researcher from Israel's Ben Gurion University of the Negev, Dr. Mordechai Guri, recently published a research paper introducing a technique that could be used to exfiltrate sensitive data acoustically from air-gapped and audio-gapped systems.

An air gap is a network security measure that isolates one or more computers, so that a secure computer network is cut off from unsecured networks such as the public Internet or an unsecured local area network. Audio-gapped systems additionally have their audio hardware disabled, so that data cannot be exfiltrated through built-in speakers and microphones via sonic or ultrasonic waves. Data can therefore only be passed to such a machine physically (via USB, removable media or a FireWire link to another machine). Military computers, financial systems and the internal networks of life-critical systems such as nuclear power plants are most probably air-gapped.

Malware that takes this approach, named 'POWER-SUPPLaY', exploits the computer's power supply unit (PSU) to play sounds, using it as an out-of-band secondary speaker with limited capabilities. The malicious code manipulates the switching frequency of the power supply unit; as a result, the malware controls the sound waveforms generated by the PSU's capacitors and transformers.

image from 'The Hacker News'

According to the research paper, this technique can produce audio tones in the 0-24 kHz frequency band and play audio streams without any audio hardware or speakers being present. Binary data such as files, keystroke logs, encryption keys and other sensitive information can be modulated over the acoustic signals and sent to a nearby receiver located 2.5 meters away, at a maximal bit rate of 50 bit/sec. The receiver may be a computer or even a smartphone. The malware code can operate from an ordinary user-mode process and does not need any hardware access or special privileges.

As a countermeasure, Dr. Mordechai Guri suggests placing critical systems in restricted areas where mobile phones and other electronic equipment are banned. An intrusion detection system that monitors suspicious CPU behavior, together with hardware-based signal detectors and jammers, could also help defend against this kind of attack.
