Researchers at Korea University in Seoul have published a paper detailing a new method of data theft from a computer that has maximum protection: one placed in an isolated room and surrounded by an air gap (i.e., connected to neither the internet nor a local network). This type of attack may serve as a last resort for a malicious actor when no other, simpler methods are feasible.
Data exfiltration in this case uses the computer’s speaker: not some plug-in device, but a relic of the first personal computers — the internal speaker, also known as the “PC speaker”. Motherboards still typically feature one for compatibility, and it turns out that such a speaker can be used for data exfiltration.
Background
We’ve published several stories on data-theft methods. This one, for instance, is about wiretapping smartphones by using their built-in accelerometer. This story is about data being stolen by manipulating the radio signal from the CPU power supply. Data exfiltration via the speaker mounted on the motherboard might appear unsophisticated in comparison with those two methods, but let’s not forget that the simpler the attack, the higher the odds of success. Besides, an attacker needs no specialized equipment to obtain the precious data: all it takes is bringing a smartphone close to the target computer.
Any research of this kind starts with a description of a hypothetical attack scenario. In this case, it’s this one: let’s take a government or corporate computer that holds secret information. The data is so highly classified that the computer is isolated from the internet, and possibly even the LAN, for enhanced security; but the scenario implies that the computer still gets infected with spyware one way or another. However, finding out exactly how this occurred isn’t the subject of the researchers’ paper. Suppose a spy managed to get a flash drive into the secured room and plug it into the computer. Or, the computer could have been infected via a supply-chain attack even before it was delivered to the organization.
So, the spy program has collected the secrets, but now the attacker needs a way to get them out of there. In the scenario used by the Korean researchers, the spy physically enters the room where the computer is, bringing with them a smartphone with basic sound recording software running. The spyware broadcasts the data in the form of audio signals at a frequency so high that most humans’ ears can’t hear it. The smartphone records that sound, which is then decoded by the attackers to restore the data.
Importantly, research on data exfiltration through speakers has been carried out before. This 2018 research paper from Israel demonstrates a way for two computers to communicate via ultrasound using loudspeakers and a built-in microphone. That theoretical attack method has one flaw, though: imagine a computer that controls valuable equipment. Would a company really fit it with additional external audio devices for the operator’s comfort? Thus, this attack is feasible only if the protected information is stored on a laptop, because laptops usually have integrated audio speakers.
The challenges of pulling off an ultrasound heist
The Korean researchers suggest that their attacker would use the built-in PC speaker. Back in 1981, that was the only sound device on the first IBM PC. Although the PC speaker mostly produced only squeaky noises, some video game developers managed to use its crude capabilities to create decent soundtracks. Modern PCs seldom use the internal speaker for anything but diagnostics. If the computer just won’t boot up, a technician can identify the errors by the number and duration of tones that the built-in speaker is emitting. The original eighties’ PC speaker was a separate unit attached to the motherboard connectors. Modern circuit boards typically have a tiny speaker soldered onto them.
The Korean researchers needed to demonstrate a reliable data-transfer channel that uses the speaker and, more importantly, a practical one. The transmission part was fairly simple: “malware” running on an Ubuntu Linux-powered machine alternated between short 18kHz and 19kHz beeps, with the former being the “dot”, and the latter — the “dash”. This could be used for sending information in Morse code, which is typically used for radio communication. If you record this sound transmission (inaudible to most humans) on a smartphone, you get something like this:
The spectrogram shows the sounds used for encoding the word “covert”. It took roughly four seconds to transfer just six characters, so the exfiltration process is slow but still usable for certain types of information such as passwords and encryption keys. The lines at 18kHz and 19kHz are the signals produced by the computer speaker. Their volume is similar to the background noise inside the room, which can be seen in the bottom portion of the spectrogram.
The researchers conducted multiple experiments to arrive at ideal conditions for data transfer: the data rate had to stay at or below 20 bits per second for data to be received reliably from a distance of up to 1.5 meters. Slowing down the transmission even further could increase that distance by about half a meter. Placing the phone centimeters away from the system unit allowed doubling the data transfer rate. Anything but brief snippets of data would take hours to transmit, making an attack impractical.
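Seen from the defender’s side, the signalling described above has a recognisable shape: narrow tones at 18kHz and 19kHz that take turns, each lasting tens of milliseconds. The following added example (not code from the researchers’ paper or from this article) flags that shape in a microphone recording from a secured room. The 48kHz sample rate, 10 ms frames, thresholds and all function names are assumptions, and the test audio is constructed in memory.

```python
import itertools, math, random

RATE = 48_000             # assumed recorder sample rate (Hz)
FRAME = 480               # 10 ms frames -> 100 Hz bins, so every probe below is bin-exact
TONES = (18_000, 19_000)  # "dot" and "dash" frequencies given in the article
REFS = (17_000, 17_500, 18_500, 19_500, 20_000, 20_500)  # neighbours used as noise floor

def goertzel_power(frame, freq):
    """Signal power at one frequency (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def classify_frames(samples, ratio=20.0):
    """Label each frame 18000, 19000 or None (no tone standing out of the floor)."""
    labels = []
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[i:i + FRAME]
        floor = sum(goertzel_power(frame, f) for f in REFS) / len(REFS)
        power, tone = max((goertzel_power(frame, f), f) for f in TONES)
        labels.append(tone if power > ratio * floor else None)
    return labels

def tone_runs(labels, min_frames=3):
    """Collapse labels into (tone, frames) runs, dropping blips shorter than 30 ms."""
    runs = [(t, len(list(g))) for t, g in itertools.groupby(labels)]
    return [(t, n) for t, n in runs if t is not None and n >= min_frames]

def keyed_tone_alert(samples, min_switches=3):
    """True when the two tones alternate, unlike a steady whine from a fan or PSU."""
    runs = tone_runs(classify_frames(samples))
    return sum(a[0] != b[0] for a, b in zip(runs, runs[1:])) >= min_switches

def constructed_recording(pattern, amp=0.05, sigma=0.02, seed=7):
    """Constructed test audio: 50 ms tones (None = no tone) over Gaussian room noise."""
    rng, out = random.Random(seed), []
    for freq in pattern:
        for _ in range(5 * FRAME):
            tone = amp * math.sin(2 * math.pi * freq * len(out) / RATE) if freq else 0.0
            out.append(tone + rng.gauss(0.0, sigma))
    return out

if __name__ == "__main__":
    keyed = constructed_recording([None, 18_000, 19_000, 19_000, 18_000, None, 19_000])
    print(tone_runs(classify_frames(keyed)), keyed_tone_alert(keyed))
```

The alert is a heuristic: it requires the two frequencies to take turns, so background noise or a single steady tone does not trigger it.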
An air gap does not guarantee a secure system
Ultrasound data transfer is a well-researched method that’s sometimes used for consumer purposes. In a secured environment, this side channel poses a threat. The Korean researchers suggest removing the speaker from the motherboard as a safeguard against this type of attack. However, as we know from other studies, when the stakes are high and the adversary is committed to spending both time and resources to achieve their goal, it’s hard to protect against every possible data exfiltration trick. Removing the built-in speaker still leaves the possibility of capturing radio waves from SATA cables, the CPU or the monitor, albeit by using far more sophisticated methods.
Maximum isolation of any computer that stores secret data is imperative. However, it’s so much more practical to invest in a malware detection system, remembering that every espionage scenario begins with attackers installing malware on the target system. Nonetheless, the Korean researchers’ work teaches us about new covert channels that can be used for data theft.