New Air-Gap Jumper Covertly Transmits Data in Hard-Drive Sounds

Security researchers have found a new way to siphon data out of an infected computer even when it has been physically disconnected from the Internet -- otherwise known as "air-gap" computers -- to prevent the leakage of sensitive information it stores, reports ArsTechnica. From the article: The method has been dubbed "DiskFiltration" by its creators because it uses acoustic signals emitted from the hard drive of the air-gapped computer being targeted. It works by manipulating the movements of the hard drive's actuator, which is the mechanical arm that accesses specific parts of a disk platter so heads attached to the actuator can read or write data. By using so-called seek operations that move the actuator in very specific ways, it can generate sounds that transfer passwords, cryptographic keys, and other sensitive data stored on the computer to a nearby microphone. The technique has a range of six feet and a speed of 180 bits per minute, fast enough to steal a 4,096-bit key in about 25 minutes.

Considering that people play music

[Z00L00K]

Considering that people play music with floppy drives [youtube.com] then the ability to transfer information acoustically with hard drives isn't really different.

Re:

[Anonymous Coward]

Considering that people play music with floppy drives [youtube.com] then the ability to transfer information acoustically with hard drives isn't really different.

I wasn't aware of that, thank you for the link. I find things like that fascinating even if they aren't particularly useful.

A much bigger issue with this: if you can get this program onto the air-gapped machine in the first place, haven't you already compromised it? If I could load say, a flash drive, into the air-gapped system to run this program, why can't I just copy whatever data I was after?

Unrelated side issue: you know what's really broken about Slashdot? An AC post containing GNAA or the N-word

Re:

[Jeff Flanagan]

A much bigger issue with this: if you can get this program onto the air-gapped machine in the first place, haven't you already compromised it? If I could load say, a flash drive, into the air-gapped system to run this program, why can't I just copy whatever data I was after?

This does make these air-gapped hacks much less useful, but it could be used to exfiltrate data on an ongoing basis without having to touch the hacked air-gapped machine again after it's been compromised.

Re:

[Qzukk]

if you can get this program onto the air-gapped machine in the first place, haven't you already compromised it?

Yes, but now your compromise is stuck on a computer with no way off. You drop a handful of flash drives around the target's parking lot, someone plugs it in and gets the internal network pwned... then what? Put the data back on the flash drive and hope they put it back in the parking lot? But say you're a TLA and can track/activate cellphones on demand. Sure, people aren't supposed to carry the

Re:

[blindseer]

A much bigger issue with this: if you can get this program onto the air-gapped machine in the first place, haven't you already compromised it?

The rules on taking data into or out of a secured location is a bit like a roach motel, you can bring things in but taking anything out is difficult. For example, I set up an air gapped system and as I recall there was little I had to do to bring in the software and source code. All I had to do was run any media through a virus check. Taking anything out meant I had to log what was taken, when, and for what reason. It came down to me just making a mental note that I would take nothing off the system, I'

The Floppotron 2.0

[Yvan256]

https://www.youtube.com/watch?... [youtube.com]

Re:

[Anonymous Coward]

Isn't it amazing what math can do?

Unusable

[Anonymous Coward]

Nice theoretical attack, but in practise a HD that makes sounds like this is easy to spot. Just listen.

I remember fondly the drives for the C64 that made music, though.

Re:

[Opportunist]

Just pretend you're defragging and people won't question it.

Most people don't even understand or know half of what's going on in their computer. If the HD suddenly starts to act up, most would probably just assume that Windows is "doing its thing".

Re:

[Yvan256]

When Windows is "doing its thing" I usually get a blue screen.

April fools / bullshit?

[BKDotCom]

This is some serious "Jason Bourne" hoop-jumping technology.

Re:

[Mr D from 63]

They should include an 'effort to success' ratio to rate these hypothetical attack vectors. In general, how hard is it vs. how likely you are to successfully apply it in a real world situation. I'd say the ES ratio here is quite high.

It's fucking air gapped.

[Anonymous Coward]

Exactly how are you planning on getting the malware onto the machine genius? This shit is getting ridiculous.

Re:

[Opportunist]

USB Sticks" [blackhat.com]?

Re:

[mSparks43]

Network booted usb reader that mounts the stick as an nfs share.

problem solved.

Re:

[Yvan256]

USB? You mean a connector that could be used for keyboards, mice, printers, scanners, hard drives?

That sounds like science-fiction to me.

Posted from 1986.

pointless stupidity

[iggymanz]

Of course, if I am allowed to install software on an "air-gapped" computer, I can make it transfer information by anything on it that makes noise or can be lit or even via power supply. Speakers, various fans, hard drive heads, retractable optical drive tray, locator blue LED, LCD display, even the power draw....I can manipulate all of those.

There is no point to these studies, they only belabor the obvious.

Any manager that makes some security policy based on such studies should be beaten.

Re:

[fustakrakich]

Any manager that makes some security policy based on such studies should be beaten.

What's wrong with building a windowless soundproof Faraday cage 500 feet underground? I'd like to see the seismographer that can read through that.

Much more stupid than that..

[thesupraman]

'Honest boss, I was sure the computer was secure! How was I to know the high sensitivity microphone pointed at it a few feet away, with a wire running out to the van outside and the stranger asking us to all be very VERY quiet for the next hour was a problem?'

Yes, this 'research' is pure stupidity because the methods are obvious as well as being easily mitigated if you really NEED security.

Although its not quite as stupid as the actually false and incorrect claim of using pixels to an infiltrated monitor w

Re:

[fustakrakich]

Not to mention the obvious workaround, USE A SSD. sigh.

:-) Oh no, don't do that. The RF emissions from that will have Jill Stein up in arms [yahoo.com]

Re:

[sconeu]

'Honest boss, I was sure the computer was secure! How was I to know the high sensitivity microphone pointed at it a few feet away, with a wire running out to the van outside and the stranger asking us to all be very VERY quiet for the next hour was a problem?'

And this goes back to rule 1 of computer security. If you don't have physical security on sensitive machines, you're screwed.

Re:

[iggymanz]

it would need to have its own power supply, if malicious code installed beforehand the power draw can be used to communicate.

By the way, what function does this isolated computer perform? how do people use it?

Re:

[fustakrakich]

it would need to have its own power supply

You're right, I forgot. Use geothermal from even deeper underground. TNX!

By the way, what function does this isolated computer perform?

Solitaire [microsoft.com]. What else is there?

Re:

[iggymanz]

as long as it plays solitaire with itself that's fine, if there's a human down there needing supplies from the surface that's a possible security hole

Re:

[Opportunist]

While true, it highlights a problem: Air-gaping a system is no silver bullet against spying. Managers who think it is should be beaten, too.

Re:

[Oswald McWeany]

No system is foolproof. The idea is to make it harder to crack than is worthwhile for most people to bother with.

If you put a security system on your home, it's not because you think there aren't criminals out there who can disable them, it's because you're going to make yourself a difficult enough target that people are less likely to bother.

Digital security is much the same. There is no system that can't be compromised, not even an air-gapped system; however you can make it ridiculously difficult that f

Re:

[iggymanz]

but the prerequisite for this particular waste of time exercise was allowing the installation of malicious code. You can secure all you want, and then if you allow someone to do that final step of putting in bad code, well guess what..

Re:

[iggymanz]

you're confused, the problem here is allowing installation of malicious code. If that happens of course there is no security and all bets are off. Report for your beating.

Re:

[The-Ixian]

Haven't you ever done something for the "cool" factor? How about because you wanted to know how something was done?

To only read about other people doing stuff and choosing not to do it because it has already been done seems like a pretty boring way to live life...

Re:

[iggymanz]

problem is this things are too trivial to code to even be "cool"

Re:

[The-Ixian]

Glad you don't work in security.

Joke's on you. He works in IoT security...

Re:

[Kjella]

Of course, if I am allowed to install software on an "air-gapped" computer, I can make it transfer information by anything on it that makes noise or can be lit or even via power supply. Speakers, various fans, hard drive heads, retractable optical drive tray, locator blue LED, LCD display, even the power draw....I can manipulate all of those. There is no point to these studies, they only belabor the obvious.

Where does the border between obvious and sci-fantasy (enhance, enhance, enhance) go? If my "airgap" server is next to my normal server in the same rack, can they communicate using power draw? Heat cycles, one server heating up the other? Vibration causing HDD read errors? Can I run the cables down the same canal or can you use crosstalk to steal information? Maybe I have an alarm system with motion detection and a microphone to detect movement/noise in my "top secret" room, despite the machine having no sp

Re:

[The-Ixian]

How about, being able to figure out what is going on in another VM guest or on the host by paying close attention to how much guest resources are throttled/scheduled in the VM?

Re:

[MrVictor]

Think about what we've all learned from the Snowden leaks. We now know the federal government will stoop to utterly insane levels of paranoia to spread their reach. I would not put it past them to do something like send Microsoft an NSL which forces them to include a DiskFiltration feature in all OS disk drivers just in case they ever encounter a difficult air-gapped target.

Re:

[radarskiy]

By that measure there is no such thing as an air gap, since it is impossible to construct a computer that contains no programming from some other source.

Step G: Whig is outraged by News-Paper Headline

[Pseudonymous Powers]

Speaking as someone who performs even the most simple everyday tasks by way of giant machines that invariably incorporate a bowling ball, a funnel, a teakettle, a feather duster, my uncle sleeping in an armchair, and a live hen, this attack vector seems very relevant and concerning to me.

Re: faraday cage, SSD and blasting gwar soundtrack

[slazzy]

You had me at gwar.

Clicky-clacky white noise

[Oswald McWeany]

Play clicky-clacky-white noise in your server room to confuse any microphone.

Trivial to thwart.

[Lumpy]

Wont work with my SSD. and honestly will not work at all on SAS drives. most places that are serious about their computing and security uses thin clients running SSD boot drives and the rack of servers are all the workstations. good luck recording the drive noises with all those fans and the libert unit running.

It may work if a target's cheap laptop is set on top of the microphone.

Re:

[Anne Thwacks]

libert

Ah, yes - we have a Liebert in the bedroom to drown out our deaf neighbour watching QVC!

Very interesting

[turbidostato]

Well, very interesting were it not for the prevalence of solid-state disks with, oh, the horror, neither plates nor mechanical arms to produce sound with.

Score another point

[liquid_schwartz]

for solid state drives. They are completely quiet.

Re:

[EvilSS]

for solid state drives. They are completely quiet.

All SSDs whine to some extent. The one I have in my laptop sounds like a regular HDD in a quiet room, and it definitely varies as data is written.

Re:

[Oswald McWeany]

I would suspect the vast majority of computers that would be targeted would not have speakers. They're not going to be playing music or youtube videos on an air-gapped computer. Playing on a speaker is pointless.

This method of listening to hard drive reminds me of old spy techniques I've read about such as:

a) recording the sound a printer makes and using it to determine what was printed.
b) by pointing a laser at a window you can "listen" to what is going on inside by tracking how much the window flexes wi

Meh

[JustAnotherOldGuy]

Interesting proof-of-concept, but ridiculously impractical in the real world.

Is it that hard?

[140Mandak262Jamuna]

Penetrating networks airgapped from the internet is difficult, and this novel technique is interesting. But, in the real world, dropping a few thumb drives with malware in the parking lots or getting people to listen/watch music CD/movie DVDs with a malware payload seems to have been very effective. Bribing a janitor to plug in a thumbdrive in an exposed usb port of a computer is a lot easier.

Re:

[Anonymous Coward]

Yes, that's how you get the initial infection. Now assuming you want data from the airgapped system, you need a way to extract that data. Maybe improvise an open-air modem with some form of sound generation on the airgapped system and a microphone on a nearby internet accessible system that you have already compromised?

What about RAID? What about server room noise?

[PeeAitchPee]

We have dozens of 3.5" drives running in multiple arrays at various RAID levels, in a noisy server room with fans continually blasting over 70 db in the background. This trick might work in a lab, but call me when they've got the same attack vector working in a real data center environment. And, oh yeah, and against near-silent SSDs.

Re:

[im_thatoneguy]

Interestingly enough... we have one overloaded UPS so when we RDPed into it the UPS sounded its alarm. It would be really slow but you could definitely hear the UPS alarm over the 20 servers. Just increase the power draw on 10 servers you don't mind shortening the life of to overload a UPS. I bet people don't think to secure their UPS and leave it on "Default" to sound an audio alarm. One more attack vector.

That being said the best advice I ever read was that there are two kinds of attackers "Mossad a

Limited usability?

[ScienceofSpock]

What if the target computer only has an SSD? What if it has multiple hard drives?

Ya but...

[AndyKron]

Ya, but can it play Bohemian Rhapsody?

Not news

[davidwr]

If you are air-gapped for security reasons, you are also aware of other ways to exfiltrate information through the environment and through personnel and are taking precautions appropriate for your situation.

If you aren't, you are doing it wrong.

Important Question...

[avandesande]

If the computer has a RAID array will this work and will the throughput be faster ? ;-)