A well-established research team from the Ben-Gurion University of the Negev in Israel has detailed today a new method of extracting data from air-gapped computers using speakers, headphones, earphones, or earbuds.
The attack is only experimental at this point and has not been seen in the real world, but it has been proven to work. The researchers have also created a custom protocol for transmitting data between two computers: one air-gapped, and one Internet-connected that can relay the data further.
Attack scenarios include speaker-to-speaker exfiltration, speaker-to-headphones, and headphones-to-headphones.
The attack, nicknamed MOSQUITO, is possible because of a technique called "jack retasking" that reverses output audio jacks to input jacks, effectively turning speakers into (unconventional) microphones.
The same research team explored jack retasking in a previous research project last year, called Speake(a)r, which researchers used to turn headphones into microphones and record nearby audio and conversations.
For the current experiment, researchers argue that malware that managed to infect an air-gapped computer can transform and modulate locally stored files into audio signals and relay them to another nearby computer via connected speakers, headphones, earphones, or earbuds.
The receiving computer, also infected with malware, uses jack retasking to convert connected speakers, headphones, earphones, or earbuds into a makeshift microphone, receive the modulated audio, and convert it back into a data file.
Researchers created a custom data protocol that modulates binary data into audio signals, and they tested their attack for distances between 1 and 9 meters (3.2 to 29.5 feet).
Researchers said they managed to transfer data between two computers with speeds varying between 1800 bits/s and 1200 bits/s for speakers facing each other and emitting sound in audible frequency bands (lower than 18kHz).
Transfer speeds decreased if the speakers weren't facing each other, the distance between speakers increased, or audio frequency changed (towards low or high frequency). While the first two factors are self-explanatory, the last needs an additional explanation.
"The reason for that is that loudspeakers, and particularly home grade PC loudspeakers, were projected and optimized for human auditory characteristics, and therefore they are more responsive to the audible frequency ranges," said researchers.
Transfer speeds also decreased when using earphones or earbuds (varied between 600 bits/s and 300 bits/s) and went even lower for headphones (around 250 bits/s). The reason was that headphones directed their sound waves in one particular direction, limiting efficient exfiltration cases to very small distances when headphones were close to each other, and when they emitted sound in audible frequencies only.
Other factors that decreased data transfer speeds included environment noise such as music and speech, but researchers said this could be mitigated by moving the data exfiltration frequency above 18kHz.
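A defender's view of the 18kHz boundary mentioned above, as an added example that is not code from the researchers or their paper: it flags sustained energy at or above 18 kHz in audio captured by a monitoring microphone. The 48 kHz sample rate, the threshold, the minimum duration, and the test signal are assumptions constructed for illustration.

```python
import math

RATE = 48_000        # Hz, assumed sample rate of the monitoring microphone
FRAME = 480          # 10 ms analysis frames -> 100 Hz per DFT bin
BAND_START = 18_000  # Hz, the audible/inaudible boundary quoted in the article

def goertzel_power(frame, k):
    """|X[k]|^2 for one DFT bin of the frame (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def high_band_ratio(frame):
    """Share of the frame's energy that lies at or above BAND_START."""
    total = len(frame) * sum(x * x for x in frame)  # Parseval: sum of |X[k]|^2
    if total == 0.0:
        return 0.0
    bins = range(BAND_START * len(frame) // RATE, len(frame) // 2)
    # Factor 2 accounts for the mirrored negative-frequency bins of a real signal.
    return 2.0 * sum(goertzel_power(frame, k) for k in bins) / total

def find_sustained_ultrasound(samples, threshold=0.05, min_frames=10):
    """Return (start_s, end_s) spans where the high band stays above threshold.
    threshold and min_frames are assumed tuning values, not from the paper."""
    spans, run_start = [], None
    n = len(samples) // FRAME
    for i in range(n + 1):  # one extra pass closes a run that reaches the end
        hot = i < n and high_band_ratio(samples[i * FRAME:(i + 1) * FRAME]) > threshold
        if hot and run_start is None:
            run_start = i
        elif not hot and run_start is not None:
            if i - run_start >= min_frames:
                spans.append((run_start * FRAME / RATE, i * FRAME / RATE))
            run_start = None
    return spans

def constructed_capture(carrier_frames, total_frames=30):
    """Constructed test audio: 440 Hz + 3 kHz room sound, plus a steady 19 kHz
    tone occupying `carrier_frames` frames starting at frame 5."""
    out = []
    for t in range(total_frames * FRAME):
        x = 0.5 * math.sin(2 * math.pi * 440 * t / RATE) + 0.3 * math.sin(2 * math.pi * 3000 * t / RATE)
        if 5 * FRAME <= t < (5 + carrier_frames) * FRAME:
            x += 0.2 * math.sin(2 * math.pi * 19_000 * t / RATE)
        out.append(x)
    return out

if __name__ == "__main__":
    print(find_sustained_ultrasound(constructed_capture(20)))
```

Requiring a minimum run length keeps short high-frequency transients from raising alerts; only a tone that persists for 100 ms or more is reported.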
The research team discusses various mitigation and countermeasures in their research paper entitled "MOSQUITO: Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-Speaker Communication." They also released the following demos to showcase their work.
The research center from the Ben-Gurion University of the Negev that came up with this new data exfiltration technique has a long history of innovative and sometimes weird hacks, all listed below: