• Home
  • News
  • Security
  • Data Exfiltration Technique Steals Data From PCs Using Speakers, Headphones

Data Exfiltration Technique Steals Data From PCs Using Speakers, Headphones

  • March 12, 2018
  • 07:52 PM
  • 1


A well-established research team from the Ben-Gurion University of the Negev in Israel has detailed today a new method of extracting data from air-gapped computers using speakers, headphones, earphones, or earbuds.

The attack is only experimental at this point, has not been seen in the real world, but has been proven to work and researchers have also created a custom protocol for transmitting data between two computers  —one air-gapped and one Internet-connected that can relay the data further.

Attack scenarios include speaker-to-speaker exfiltration, speaker-to-headphones, and headphones-to-headphones.

Jack retasking strikes again!

The attack —nicknamed MOSQUITO— is possible because of a technique called "jack retasking" that reverses output audio jacks to input jacks, effectively turning speakers into (unconventional) microphones.

The same research team explored jack retasking in a previous research project last year, called Speake(a)r, which researchers used to turn headphones into microphones and record nearby audio and conversations.

For the current experiment, researchers argue that malware that managed to infect an air-gapped computer can transform and modulate locally stored files into audio signals and relay them to another nearby computer via connected speakers, headphones, earphones, or earbuds.

The receiving computer, also infected with malware, uses jack retasking to convert connected speakers, headphones, earphones, or earbuds into a makeshift microphone, receive the modulated audio, and convert back into a data file.

MOSQUITO attack supports pretty fast transfer speeds

Researchers created a custom data protocol that modulates binary data into audio signals, and they tested their attack for distances between 1 and 9 meters (3.2 to 29.5 feet).

Researchers said they managed to transfer data between two computers with speeds varying from 1800 bits/s and 1200 bits/s for speakers facing each other and emitting sound in audible frequency bands (lower than 18kHz).

Transfer speeds decreased if the speakers weren't facing each other, the distance between speakers increased, or audio frequency changed (towards low or high frequency). While the first two factors are self-explanatory, the last needs an additional explanation.

"The reason for that is that loudspeakers, and particularly home grade PC loudspeakers, were projected and optimized for human auditory characteristics, and therefore they are more responsive to the audible frequency ranges," said researchers.

Transfer speeds also decreased when using earphones or earbuds (varied between 600 bits/s and 300 bits/s) and went even lower for headphones (around 250 bits/s). The reason was that headphones directed their sound waves in one particular direction, limiting efficient exfiltration cases to very small distances when headphones were close to each other, and when they emitted sound in audible frequencies only.

Other factors that decreased data transfer speeds included environment noise such as music and speech, but researchers said this could be mitigated by moving the data exfiltration frequency above 18kHz.

The research team discusses various mitigation and countermeasures in their research paper entitled "MOSQUITO: Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-SpeakerCommunication." They also released the following demos to showcase their work.

The research center from the Ben-Gurion University of the Negev who came up with this new data exfiltration technique has a long history of innovative and sometimes weird hacks, all listed below:

LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED
SPEAKE(a)R - use headphones to record audio and spy on nearby users
9-1-1 DDoS - launch DDoS attacks that can cripple a US state's 911 emergency systems
USBee - make a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data
AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
BitWhisper - exfiltrate data from non-networked computers using heat emanations

Unnamed attack - uses flatbed scanners to relay commands to malware infested PCs or to exfiltrate data from compromised systems
xLED - use router or switch LEDs to exfiltrate data
Shattered Trust - using backdoored replacement parts to take over smartphones
aIR-Jumper - use security camera infrared capabilities to steal data from air-gapped networks
HVACKer - use HVAC systems to control malware on air-gapped systems
MAGNETO & ODINI - steal data from Faraday cage-protected systems
Catalin Cimpanu
Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.


  • Occasional Photo
    Occasional - 8 months ago

    One of the more troubling aspects is that such innovations which are exotic today, can become a prepackaged commodity tomorrow (just as those stated transfer rates were once "state of the art" for dialup MODEMs a few decades ago).

Post a Comment Community Rules
You need to login in order to post a comment

Not a member yet? Register Now

You may also like:

Newsletter Sign Up

To receive periodic updates and news from BleepingComputer, please use the form below.


Remember Me
Sign in anonymously


Help us understand the problem. What is going on with this comment?

Learn more about what is not allowed to be posted.