On Acoustic Covert Channels Between Air-Gapped Systems

  • Brent Carrara
  • Carlisle Adams
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8930)


In this work, we study the ability of malware to leak sensitive information from an air-gapped high-security system to systems on a low-security network, using ultrasonic and audible audio covert channels in two different environments: an open-concept office and a closed-door office. Our results show that malware installed on unmodified commodity hardware can leak data from an air-gapped system at a rate of 140 bps using the ultrasonic frequency range from 20 kHz to 20.5 kHz, and at a rate of 6.7 kbps using the audible spectrum from 500 Hz to 18 kHz. Additionally, we show that data can be communicated using ultrasonic communication at distances up to 11 m with bit rates over 230 bps and a bit error rate of 2%. Given our results, our attacks are able to leak captured keystrokes in real time using ultrasonic signals and, using audible signals when nobody is present in the environment (the overnight attack), both keystrokes and recorded audio.


Malware communication · Audio communication · Ultrasonic · Jumping air-gaps · Out-of-band covert channels



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. School of Electrical Engineering and Computer Science, University of Ottawa, Ottawa, Canada
