Air Gap Attack Exploits Gyroscope Ultrasonic Channel to Leak Data

A new data exfiltration technique uses an ultrasonic channel to leak sensitive information from air-gapped computers to nearby smartphones.

“Gairoscope”, the adversarial model, is named after Dr. Mordechai Guri, who is head of research and development (R&D) in the Cyber Security Research Center at the Ben Gurion University of the Negev.

In a paper, Guri’s research team stated that malware can leak data from remote, air-gapped devices to nearby smartphones by using ultrasonic waves.

“However, this covert channel requires access to the smartphone’s mic. This microphone is highly protected in Android OS and iOS and may be blocked, disabled, or not accessible.”

Gairoscope is an ultrasonic channel that can be used to covertly transmit information without the need for a microphone.

The paper states that the malware produces ultrasonic tones at the resonance frequencies of the gyroscope. Data is modulated onto these resonance frequencies, and the resulting vibrations in the nearby smartphone are then used to decode it.

The malware produces tiny mechanical oscillations in the smartphone’s gyroscope that can be converted into binary information.

Researchers wrote that the gyroscope found in smartphones is considered a safe sensor that can legitimately be used from mobile apps and JavaScript.

“Our experiments show that attackers can exfiltrate sensitive information from air-gapped computers to smartphones located a few meters away via Speakers-to-Gyroscope covert channel.”

Although the method is still experimental and not yet fully developed, Guri’s team recommended countermeasures to limit the potential impact of the new malware.

First, the researchers mention the zoning approach in the telecommunication security standard, which ensures that systems are kept within restricted areas defined by a different radius.

The paper states that smartphones should not be kept within eight meters of the secure area.

The paper also recommends that loudspeakers be removed to create an audio-less network environment called “audiogapped”. This means that audio drivers are removed from the OS and the audio hardware is disabled in the BIOS-level configuration.

Guri’s team suggested that system administrators filter out the resonance frequencies from the audio hardware using an audio filter, monitor power levels in the ultrasonic channels to detect covert ultrasound transmissions, and jam the covert channel by adding background noise to the acoustic spectrum.
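
The power-level monitoring countermeasure can be illustrated with the following added example, which is not code from the paper or from this article. It measures per-frame power in an ultrasonic band of a microphone capture and flags frames above a threshold; the 48 kHz sample rate, the 18–24 kHz band, the -50 dBFS threshold and the constructed capture are all assumptions.

```python
import math
import random

RATE = 48_000            # Hz, common capture rate (assumed)
FRAME = 480              # 10 ms frames -> 100 Hz bin spacing
BAND = (18_000, 24_000)  # assumed ultrasonic monitoring band, Hz
THRESHOLD_DB = -50.0     # assumed alert level in dBFS; calibrate to the room

def goertzel_power(frame, k):
    """|X[k]|^2 of one frame, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_power_db(frame, rate=RATE, band=BAND):
    """Mean-square power inside `band`, in dB relative to full scale."""
    n = len(frame)
    k_lo = math.ceil(band[0] * n / rate)
    k_hi = min(math.ceil(band[1] * n / rate), n // 2)  # stay below Nyquist
    power = sum(2.0 * goertzel_power(frame, k) / (n * n) for k in range(k_lo, k_hi))
    return 10.0 * math.log10(power + 1e-12)

def scan(samples, threshold_db=THRESHOLD_DB):
    """Return (frame_start_sample, dB) for every frame above the threshold."""
    alerts = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        level = band_power_db(samples[start:start + FRAME])
        if level > threshold_db:
            alerts.append((start, round(level, 1)))
    return alerts

def constructed_capture(with_burst=True):
    """Constructed 0.5 s capture: 1 kHz tone + faint noise, optional 20.5 kHz burst."""
    rng = random.Random(7)
    out = []
    for n in range(RATE // 2):
        x = 0.3 * math.sin(2 * math.pi * 1_000 * n / RATE) + rng.uniform(-0.001, 0.001)
        if with_burst and 9_600 <= n < 14_400:  # 0.20 s to 0.30 s
            x += 0.05 * math.sin(2 * math.pi * 20_500 * n / RATE)
        out.append(x)
    return out

if __name__ == "__main__":
    for start, level in scan(constructed_capture()):
        print(f"{start / RATE:.2f}s  ultrasonic band at {level} dBFS")
```

The loud audible tone does not trip the alert because only the ultrasonic bins are summed; in a real deployment the threshold would be set from a baseline of the room's ambient level.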
