Acoustic Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard-Drive Noise (‘DiskFiltration’)

  • Mordechai Guri
  • Yosef Solewicz
  • Andrey Daidakulov
  • Yuval Elovici
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10493)

Abstract

In the past, it has been shown that malware can exfiltrate data from air-gapped (isolated) networks by transmitting ultrasonic signals via the computer’s speakers. However, such communication relies on the availability of speakers on the computer. In this paper, we present ‘DiskFiltration’, a method to leak data from speakerless computers via covert acoustic signals emitted from their hard disk drives (HDDs) (Video: https://www.youtube.com/watch?v=H7lQXmSLiP8 or http://cyber.bgu.ac.il/advanced-cyber/airgap). Although it is known that HDDs generate acoustic noise, this has never been studied in the context of a malicious covert channel. Notably, magnetic HDDs still dominate the storage market, and most PCs, servers, and laptops today are installed with one or more HDDs. Malware installed on a compromised machine can generate acoustic emissions at specific audio frequencies by controlling the movements of the HDD’s actuator arm. Binary information can be modulated onto the acoustic signals and then picked up by a nearby receiver (e.g., a microphone, smartphone, or laptop). We examine the HDD anatomy and analyze its acoustic characteristics. We also present signal generation and detection algorithms, and data modulation and demodulation algorithms. Based on our proposed method, we developed a transmitter and a receiver for PCs and smartphones, and provide the design and implementation details. We examine the channel capacity and evaluate it on various types of internal and external HDDs in different computer chassis and at various distances. With DiskFiltration we were able to covertly transmit data (e.g., passwords, encryption keys, and keylogging data) from air-gapped computers to a nearby receiver at an effective bit rate of 180 bits/min (10,800 bits/h).

Keywords

Air-gap · Exfiltration · Malware · Acoustic · Covert-channel · Hard-disk drive

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Mordechai Guri (1)
  • Yosef Solewicz (1)
  • Andrey Daidakulov (1)
  • Yuval Elovici (1)
  1. Cyber-Security Research Center, Ben-Gurion University of the Negev, Beersheba, Israel