科学新闻3：不良音波传导装置引发担忧

蒋继平

2013年12月7日

德国Fraunhofer通讯和信息处理以及人类工程学研究所的科学家们最近研究证实了可以利用高频率音波的高端“不良装置”来侵染没有任何连接的机械设备的可能性。这给商业和政府部门的网络安全带来了另一个安全隐患。下面是这篇报道的原文。

Scientist-developed malware prototype covertly jumps air gaps using inaudible sound Malware communicates at a distance of 65 feetusing built-in mics and speakers.

by Dan Goodin- Dec 2 2013, 2:29pm EST

• Hacking

• NationalSecurity

151

Enlarge/ Topology of a covert mesh network that connects air-gappedcomputers to the Internet.

Hanspachand Goetz

Computer scientists have proposed a malware prototype that uses inaudible audio signals to communicate, a capability that allows themalware to covertly transmit keystrokes and other sensitive data even when infected machines have no network connection.

The proof-of-concept software—or malicious trojans that adoptthe same high-frequency communication methods—could prove especially adept in penetrating highly sensitive environments that routinely place an "air gap" between computers and the outside world. Using nothing more than the built-in microphones ands peakers of standard computers, the researchers were able to transmit passwords and other small amounts of data from distances of almost 65feet. The software can transfer data at much greater distances by employing an acoustical mesh network made up of attacker-controlleddevices that repeat the audio signals.

The researchers, from Germany's FraunhoferInstitute for Communication, Information Processing, and Ergonomics,recently disclosed their findings in a paperpublished in the Journal of Communications. It came a few weeksafter a security researcher said his computers were infectedwith a mysterious piece of malware that used high-frequencytransmissions to jump air gaps. The new research neither confirmsnor disproves Dragos Ruiu's claims of the so-called bad BIOS infections, but it does show that high-frequency networking is easily within the grasp of today's malware.

"In our article, we describe how the complete concept of air gaps can be considered obsolete as commonly available laptops cancommunicate over their internal speakers and microphones and evenform a covert acoustical mesh network," one of the authors,Michael Hanspach, wrote in an e-mail. "Over this covert network,information can travel over multiple hops of infected nodes,connecting completely isolated computing systems and networks (e.g.the internet) to each other. We also propose some counter measures against participation in a covert network."

The researchers developed several ways to use inaudible sounds totransmit data between two Lenovo T400 laptops using only theirbuilt-in microphones and speakers. The most effective technique re lied on software originally developed to acoustically transmit dataunder water. Created by the Research Department for Under water Acoustics and Geophysics in Germany, the so-called adaptive communication system (ACS) modem was able to transmit data betweenlaptops as much as 19.7 meters (64.6 feet) apart. By chaining additional devices that pick up the signal and repeat it to other nearby devices, the mesh network can overcome much greater distances.

The ACS modem provided better reliability than other techniques that were also able to use only the laptops' speakers and microphonesto communicate. Still, it came with one significant drawback—atransmission rate of about 20 bits per second, a tiny fraction ofstandard network connections. The paltry bandwidth forecloses theability of transmitting video or any other kinds of data with largefile sizes. The researchers said attackers could overcome thatshortcoming by equipping the trojan with functions that transmit onlycertain types of data, such as login credentials captured from akeylogger or a memory dumper.

"This small bandwidth might actually be enough to transfer critical information (such as keystrokes)," Hanspach wrote. "Youdon't even have to think about all keystrokes. If you have a key logger that is able to recognize authentication materials, it mayonly occasionally forward these detected passwords over the network,leading to a very stealthy state of the network. And you could forward any small-sized information such as private encryption keysor maybe malicious commands to an infected piece of construction."

Remember Flame?

The hurdles of implementing covert acoustical networking are highenough that few malware developers are likely to add it to theirofferings anytime soon. Still, the requirements are modest when measured against the capabilities of Stuxnet, Flame, and otherstate-sponsored malware discovered in the past 18 months. And that means that engineers in military organizations, nuclear power plants,and other truly high-security environments should no longer assumethat computers isolated from an Ethernet or Wi-Fi connection are offlimits.

The research paper suggests several countermeasures that potential targets can adopt. One approach is simply switching off audio inputand output devices, although few hardware designs available today make this most obvious countermeasure easy. A second approach is toemploy audio filtering that blocks high-frequency ranges used tocovertly transmit data. Devices running Linux can do this by usingthe advanced Linux Sound Architecture in combination with the LinuxAudio Developer's Simple Plugin API. Similar approaches are probably available for Windows and Mac OS X computers as well. The researchers also proposed the use of an audio intrusion detection guard, a device that would "forward audio input and output signals to their destination and simultaneously store them inside the guard's internal state, where they are subject to further analyses."

http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/