New air-gap attack uses covert MEMS gyroscope ultrasonic channel to leak data


A novel data exfiltration technique has been found that uses a covert ultrasonic channel to relay sensitive information from isolated air-gap computers to a nearby smartphone that doesn’t even need a microphone to pick up the sound waves.

Dubbed GAIROSCOPE, the adversarial model is the latest addition to a long list of acoustic, electromagnetic, optical, and thermal approaches developed by Dr. Mordechai Guri, head of research and development at the Cyber Security Research Center at Ben Gurion University of the Negev in Israel.

“Our malware produces ultrasonic tones at the resonant frequencies of the MEMS gyroscope,” said Dr. Guri in a new paper published this week. “These inaudible frequencies create tiny mechanical vibrations in the smartphone’s gyroscope that can be demodulated into binary information.”


Air-gapping is considered an essential security measure that isolates a computer or network and prevents it from making an external connection, effectively creating an impenetrable barrier between a digital asset and threat actors attempting to pave a path for espionage attacks.

Like other attacks on air-gapped networks, GAIROSCOPE relies on an attacker's ability to breach the target environment through ploys such as infected USB sticks, watering holes, or supply chain compromises to deliver the malware.

What is new this time is that the smartphones of the employees of the affected organization must also be infected with a fraudulent app, which in turn is deployed via attack vectors such as social engineering, malicious advertising or compromised websites.

In the next phase of the kill chain, the attacker abuses the established foothold to steal sensitive data (e.g., encryption keys, credentials, etc.), encrypts it, and broadcasts the information in the form of stealthy acoustic sound waves through the machine's speaker.

The transmission is then detected by an infected smartphone that is in close physical proximity and listens through the device's built-in gyroscope sensor, whereupon the data is demodulated, decrypted and transmitted over the Internet via Wi-Fi to the attacker.

This is made possible by a phenomenon called ultrasonic distortion, which affects MEMS gyroscopes at resonant frequencies. “When this inaudible noise is played near the gyroscope, it creates internal distortion of the signal output,” explained Dr. Guri. “The errors in the output can be used to encode and decode information.”

Experimental results show that the covert channel can be used to transmit data at bit rates of 1-8 bits/sec at distances of 0-600 cm, with the transmitter reaching a distance of 800 cm in confined spaces.

Should employees place their mobile phones on desks near their work stations, the method could be used to exchange data, including short texts, encryption keys, passwords or keystrokes.

The distinguishing feature of the data exfiltration method is that the malicious app on the receiving smartphone (in this case, One Plus 7, Samsung Galaxy S9, and Samsung Galaxy S10) does not need access to the microphone, so users can be tricked into approving its access without suspicion.


The covert speaker-to-gyroscope channel is also advantageous from an adversary's perspective. Not only are there no visual cues on Android and iOS when an app is using the gyroscope (as there are for location or the microphone), the sensor is also accessible from HTML via standard JavaScript.

It also means that the attacker does not need to install an app to achieve their intended goals, and can instead inject backdoor JavaScript code into a legitimate website that reads the gyroscope, receives the covert signals, and exfiltrates the information over the internet.

To mitigate GAIROSCOPE, organizations must enforce separation policies that keep smartphones at least 800 cm away from secured areas, remove speakers and audio drivers from endpoints, filter out ultrasonic signals using the SilverDog and SoniControl firewalls, and disrupt the covert channel by adding background noise to the acoustic spectrum.
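As an illustration of the monitoring side of these mitigations, the following added example (not code from the paper, SilverDog or SoniControl) flags short audio windows in which a single near-ultrasonic tone dominates the energy, as it would in speaker loopback or room-monitor audio carrying such a channel. The 18-23.9 kHz band, 10 ms window, 0.2 threshold and the embedded sample signal are assumptions chosen for the sketch; the article does not state the resonant frequencies.

```python
import math

def goertzel_power(window, rate, freq):
    """Squared DFT magnitude of `window` at `freq` Hz (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in window:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def scan_ultrasonic(samples, rate=48000, win=480, lo=18000, hi=23900,
                    step=100, threshold=0.2):
    """Return [(window_index, peak_hz, fraction)] for windows where one
    near-ultrasonic tone carries more than `threshold` of the energy.
    Band, window and threshold are assumed defaults, not values from the paper."""
    hits = []
    for idx in range(len(samples) // win):
        window = samples[idx * win:(idx + 1) * win]
        energy = sum(x * x for x in window)
        if energy == 0.0:
            continue  # digital silence
        peak_hz, peak = None, 0.0
        for f in range(lo, hi + 1, step):
            p = goertzel_power(window, rate, f)
            if p > peak:
                peak_hz, peak = f, p
        # A pure tone on a probe bin gives |X|^2 = (A*N/2)^2 and energy A^2*N/2,
        # so this ratio is ~1.0 for a lone tone and ~0 for audible-only audio.
        fraction = 2.0 * peak / (win * energy)
        if fraction > threshold:
            hits.append((idx, peak_hz, round(fraction, 3)))
    return hits

def constructed_capture(rate=48000, win=480):
    """Constructed sample: two windows of a 500 Hz tone, then two windows
    where a 19 kHz tone is mixed in (stands in for loopback/room audio)."""
    out = []
    for n in range(4 * win):
        x = 0.3 * math.sin(2 * math.pi * 500 * n / rate)
        if n >= 2 * win:
            x += 0.6 * math.sin(2 * math.pi * 19000 * n / rate)
        out.append(x)
    return out

if __name__ == "__main__":
    for idx, hz, frac in scan_ultrasonic(constructed_capture()):
        print(f"window {idx}: {hz} Hz tone carries {frac:.0%} of the energy")
```

On real captures the threshold and band need tuning against the site's normal audio, since some legitimate products also emit near-ultrasonic beacons.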

The study comes just over a month after Dr. Guri demonstrated SATAn, a mechanism for jumping over air gaps and extracting information using SATA (Serial Advanced Technology Attachment) cables.
