One day Dragos Ruiu noticed that his MacBook Air was behaving like it had a virus. Over the next few months, things got stranger: One of Ruiu’s other computers running OpenBSD started to modify its own settings and delete data without any explanation--even though Ruiu, a security consultant, had removed all of the networking cards from the machines as a preventative measure.
How were his computers infecting each other without being connected?
Ruiu assumed his machines were protected because of the "airgap" between them, a slang term which refers to a computer that is not connected to the Internet or any other computers by anything except... air. And yet somehow Ruiu's virus was able to go airborne--meaning that it could infect computers it wasn't connected to.
Ruiu called the anomaly "BadBIOS" and has spent much of the past few years investigating it--although up until recently it hadn't received much in the way of academic scrutiny. Now two German computer scientists named Michael Hanspach and Michael Goetz claim to have cracked the mystery (or a variation of it) by creating proof-of-concept code which shows that the technology does indeed exist to allow malware to jump between two non-connected systems.
Why this should be an important discovery is clear: Conventional wisdom states that removing a computer from the Internet makes it all but impenetrable. Just last month, while speaking at a Defense One conference, retired Capt. Mark Hagerott theorized that malware able to jump the airgap could “disrupt the world balance of power.” It is for this reason that some people have referred to the mysterious BadBIOS as the "God of Malware" due to its apparent invulnerability and potentially major consequences.
So how exactly does Hanspach and Goetz's power-disrupting malware work then?
As it turns out, the answer is all to do with sound. In their paper--published last month by the Journal of Communications--the two computer scientists describe the way in which a computer’s built-in sound card and microphone can be used to transmit information from one end (the client or application installed on the target system) to the other (the server) through the air.
“Our research was carried out half a year ago, so it wasn’t motivated by [the BadBIOS] findings, but it’s certainly a similar type of attack pattern,” Hanspach says.
“We found that even if there was no existing network interface, they could still communicate using the internal speakers and microphones,” Hanspach says. “This is done with a high frequency audio signal which also makes it inaudible.” According to Hanspach and Goetz this transmission can take place over a considerable distance: up to 64 feet if both systems are infected.
The technology Hanspach and Goetz used to create their prototype malware was based on software originally designed for underwater communication, which uses ultrasonic frequency ranges to transmit messages.
While the distances involved are impressive, however, Hanspach points out that transmitting data is slow going. In fact, in their study the researchers measured a transmission speed of just 20 bits per second, which averages to two keyed-in characters each second. To put that in perspective, an article like the one you’re reading right now would take roughly 30 minutes to send via such acoustical methods: hardly the stuff for the kind of high-speed espionage you see in a spy movie, where whole hard drives are transferred within minutes or even seconds.
Reaching this “optimal” speed is also dependent on having access to a clear and reliable data feed. This is easily established when working under lab conditions, but is likely to prove more difficult to replicate in the real world, where interference like cell phone signals, television, and other electronic emissions may all have a detrimental effect.
This last point was made by Malware Intelligence Team lead and Malware Unpacked scribe Adam Kujawa, who also speculated that infection (in order to allow the signals to be sent and received) could not be carried out entirely without contact:
“While I personally don’t think remote infection would be possible using this method, if an attacker were to use something like an infected USB that was plugged into an airgapped system, it could automatically install the malware and begin sending or receiving data.”
“Nonetheless, it’s pretty interesting,” Kujawa writes.
All of this suggests that, as far as infection methods go, there are far more efficient ways to infect or hack another machine. It’s for this reason Hanspach says that your “average” computer user doesn’t necessarily need to worry about the “airgap” problem--even if he or she has personally sensitive material, like private files or banking details, saved on their computer. A bit like crossing a busy road and worrying about being hit by lightning, there are far more imminent threats around.
“As an average user, you’re likely to be connected to the Internet and other networks on a regular basis,” Hanspach says. “You’re more vulnerable to these other attacks--most likely over the Internet--than you are to the kind of acoustical attacks that we’re working on. It’s more of an issue for those working in high security.”
It is in this area that Hanspach and Goetz focus their research--and where they have had the most feedback regarding their discovery. “Prior to our work I think it would be fair to say that there was not much awareness of the possibility of these attacks,” Hanspach says.
“People working in security are understandably on the lookout for problems like this which could result in theft--since they represent remaining threats in high security systems,” Hanspach says. “People need to be aware of these attack patterns because if, for example, you have a laptop that contains highly valuable information, you should not assume that the data cannot be stolen just because the computer is not connected to any existing networks. It’s all about creating a more secure system for high security applications.”
As to what concerned parties can do about the problem, Hanspach and Goetz have a few suggestions. “The most obvious solution would be to deactivate your audio devices, although you don’t have to do this,” Hanspach says. “Instead you could carry out audio filtering--to filter out parts of the signals that do not register to the human ear, so that this sort of communication no longer becomes possible.”
“These are the solutions we reported in our paper, although I am sure that far more countermeasures will be presented in the future.”
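As an added illustration of the audio-filtering countermeasure (not code from Hanspach and Goetz's paper), the sketch below runs a constructed signal through a low-pass filter and measures how much of an inaudible carrier survives. The 48 kHz sample rate, 16 kHz cutoff and 20 kHz carrier are assumptions chosen for the example; the article names no frequencies.

```python
import math

RATE = 48_000       # Hz; assumed capture rate
CUTOFF_HZ = 16_000  # assumed filter edge; the article names no frequency

def lowpass_taps(cutoff_hz, ntaps=101):
    """Windowed-sinc (Hamming) low-pass FIR coefficients with unity DC gain."""
    fc, mid = cutoff_hz / RATE, (ntaps - 1) / 2
    taps = []
    for n in range(ntaps):
        k = n - mid
        ideal = 2 * fc if k == 0 else math.sin(2 * math.pi * fc * k) / (math.pi * k)
        taps.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * n / (ntaps - 1))))
    total = sum(taps)
    return [t / total for t in taps]

def fir_filter(samples, taps):
    """Convolve, keeping only outputs computed from a full window of input."""
    return [sum(t * samples[i - j] for j, t in enumerate(taps))
            for i in range(len(taps) - 1, len(samples))]

def tone_amplitude(samples, freq_hz):
    """Amplitude of one frequency component (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq_hz / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return 2 * math.sqrt(max(s1 * s1 + s2 * s2 - coeff * s1 * s2, 0.0)) / len(samples)

def demo():
    # Constructed input: a 1 kHz audible tone plus a weaker 20 kHz carrier
    # standing in for the inaudible channel (both frequencies are assumptions).
    n_out, taps = 2400, lowpass_taps(CUTOFF_HZ)
    raw = [math.sin(2 * math.pi * 1000 * i / RATE)
           + 0.5 * math.sin(2 * math.pi * 20000 * i / RATE)
           for i in range(n_out + len(taps) - 1)]
    clean = fir_filter(raw, taps)
    return {
        "audible_before": tone_amplitude(raw[:n_out], 1000),
        "carrier_before": tone_amplitude(raw[:n_out], 20000),
        "audible_after": tone_amplitude(clean, 1000),
        "carrier_after": tone_amplitude(clean, 20000),
    }

if __name__ == "__main__":
    for name, amp in demo().items():
        print(f"{name}: {amp:.4f}")
```

The audible tone passes through essentially unchanged while the high-frequency carrier is attenuated by orders of magnitude, which is what makes a filter a usable alternative to switching audio devices off entirely.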
[Image: Flickr user Mikhail Koninin]