A recently discovered hacking technique allows adversaries to extract precious data from your computers even if the devices are physically disconnected from any network, including the Internet. This is a must-read for those mandated to protect sensitive organisational data.
Digital MOSQUITO at work
In computing, an ‘air gap’ is a network security measure which ensures that a sensitive computer network is physically isolated from unsecured local or public networks, such as the Internet. For a long time, this cybersecurity approach was deemed an unbreakable barrier for outside attackers, and it is usually used to protect critical systems such as military, government, financial or industrial digital networks and devices. Thus far, bridging an ‘air gap’ was possible only by deploying insiders such as disgruntled employees or untrustworthy contractors or business partners. For example, a well-known insider-executed malware infection allowed for a successful attack on the ‘air-gapped’ Iranian uranium enrichment plant sometime between 2007 and 2010.
A new data access technique, discovered by researchers from Israel’s Ben-Gurion University Cybersecurity Research Centre (CRC), allows malicious hackers to directly extract precious data from ‘air-gapped’ computer systems. This method, named MOSQUITO, can be executed by using a device’s speakers and headphones; microphones are not required!
The Israeli scientists have discovered and described how data can be transformed and transmitted in the form of inaudible ultrasound audio signals. The method is based on the capability of malware to exploit a specific audio chip feature in order to reverse the connected speakers from output devices into input devices, inconspicuously turning them into microphones.
Switching input-output functionality is possible by exploiting a feature that most contemporary chipsets have. That feature, known as the ‘jack port’ (the headphone connector), can be configured on demand as either a microphone port or a headphone port. Exploiting the ‘jack port’ works because microphones and speakers both convert physical air oscillations into an electric voltage, or vice versa. Hackers can therefore use a computer’s microphone (if available) or its speakers to create a data transmission mechanism.
“The fact that loudspeakers, headphones, earphones and earbuds are physically built like microphones, coupled with the fact that an audio port’s role in the PC can be altered programmatically, changing it from output to input, creates a vulnerability which can be abused by attackers”, describes the CRC report.
Although this vulnerability was published this month (March 2018), a proof of concept of an ‘air gap’ cybersecurity attack was demonstrated a few years earlier. Namely, in January 2014, at the ShmooCon conference held in Washington D.C., the consulting firm Include Security publicly demonstrated the potential of an attack on an ‘air-gapped’ machine. As reported by eSecurity Planet, the demonstration team used a pair of commodity Dell notebook computers in an attempt to implement a proof-of-concept air gap attack. The idea was to find out whether a form of high-frequency audio data exfiltration attack could be demonstrated. In the demonstration, an audio signal at 22 kHz was sent out of one notebook’s regular speakers. That signal was then picked up by the microphone on the second notebook, which displayed the sent message, hence proving the validity of the concept.
One of Edward Snowden’s disclosures about the NSA’s activities revealed that the U.S. government has the ability to exfiltrate data over long distances via radio waves. By contrast, the Ben-Gurion University CRC researchers reported that the MOSQUITO method they used can only work on computers standing up to 9 meters away. It is also reported that the data transmission was quite slow. During their experiment, the researchers managed to get a stable transmission speed of 166 bits per second with a margin of error of 1%. At the maximum distance of 9 meters, the speed dropped to 10 bits per second, but the transmission still worked.
While MOSQUITO is only at the proof of concept stage, it presents a number of real implications. This equally applies to sensitive stand-alone computers and large data centres.
Since air gap attacks are theoretically possible, it should no longer be considered safe to physically locate a machine that has strictly controlled access next to a machine that does not have the same access control. In other words, the machines with top secret access privileges should not be located next to those that have lower level access privileges.
Protecting against a digital MOSQUITO attack
Unplugging the device’s microphone, as we have described, does not help in the case of the digital MOSQUITO attack, as it is done by hacking the computer’s speakers. Updating the antivirus software or network-based defences such as data loss prevention (DLP) technology might not be helpful either in the case of a MOSQUITO strike, since the targeted data is being sent as audio over a device’s speaker. Hence, it is advisable to disable speakers and microphones on devices and systems used in sensitive and critical environments.
The ‘inaudible’ part of the MOSQUITO attack is undetectable to the human ear, so people cannot audibly detect the attack. In that case, a radical solution of using devices that continuously emit ultrasound and jam the transmission (ultrasonic jammers) can help in susceptible settings and situations, but only in environments without permanent human presence. Prolonged exposure to ultrasound can damage human health by causing hearing problems, headaches, dizziness or nausea.
Using special equipment for monitoring ultrasound frequencies, which translates these frequencies down into the audible range where they are heard through headphones or observed on a display panel, is yet another method of combating digital MOSQUITO attacks. This method is, however, prone to raising false alarms.
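The monitoring idea above can also be applied in software to recorded audio. The following Python code is an added example, not taken from the CRC report or from any monitoring product: it scans a capture for sustained energy between 18 and 24 kHz using the Goertzel algorithm. The 48 kHz sample rate, the watched band, the threshold and the constructed test audio are all assumptions.

```python
import math
import random

SAMPLE_RATE = 48_000                  # assumed capture rate (Nyquist limit 24 kHz)
WINDOW = 480                          # 10 ms analysis window -> 100 Hz bin spacing
BAND_HZ = range(18_000, 24_000, 100)  # assumed near-ultrasonic band to watch

def goertzel_power(samples, freq_hz):
    """Normalised power of one frequency bin (Goertzel algorithm)."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * round(n * freq_hz / SAMPLE_RATE) / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)

def scan(samples, threshold_db=-40.0, min_windows=5):
    """Return (start_s, freq_hz, level_db) for each sustained tone in BAND_HZ."""
    alerts, run = [], 0
    for start in range(0, len(samples) - WINDOW + 1, WINDOW):
        chunk = samples[start:start + WINDOW]
        freq, power = max(((f, goertzel_power(chunk, f)) for f in BAND_HZ),
                          key=lambda fp: fp[1])
        level_db = 10.0 * math.log10(power + 1e-12)
        # Requiring consecutive hits suppresses one-off clicks (false alarms).
        run = run + 1 if level_db >= threshold_db else 0
        if run == min_windows:        # report once per sustained run
            first = start - (min_windows - 1) * WINDOW
            alerts.append((round(first / SAMPLE_RATE, 3), freq, round(level_db, 1)))
    return alerts

def make_capture(with_tone, seconds=0.5):
    """Constructed audio: 1 kHz audible tone plus faint noise, optionally
    with a quiet 22 kHz tone between 0.2 s and 0.4 s."""
    rng = random.Random(1)
    out = []
    for i in range(int(seconds * SAMPLE_RATE)):
        t = i / SAMPLE_RATE
        x = 0.5 * math.sin(2 * math.pi * 1_000 * t) + rng.uniform(-0.005, 0.005)
        if with_tone and 0.2 <= t < 0.4:
            x += 0.05 * math.sin(2 * math.pi * 22_000 * t)
        out.append(x)
    return out

if __name__ == "__main__":
    print("baseline :", scan(make_capture(False)))
    print("with tone:", scan(make_capture(True)))
```

Raising `min_windows` or `threshold_db` trades sensitivity for fewer false alarms, which is the tuning problem the paragraph above refers to.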
The use of software that can prevent jack port re-tasking, or the use of the BIOS to disable audio devices completely, can also be helpful. Turning the machine off and unplugging it from power when it is not in use is also a good protective habit against digital MOSQUITO and similar attacks. And yes, do not forget to encrypt your data!
For digital MOSQUITO hacking to work, a target computer must be infected with a virus that will convert files to audio format. As Internet or any other networked access is not possible with ‘air-gapped’ machines, human action is needed to gain access to these devices. It could be done, for example, by a disgruntled employee who attaches a USB device to the machine to be breached. This is possible in organisations that have weak accountability measures or do not have an insider threat programme and policies in place at all.
Depending upon the nature of the data contained within the ‘air-gapped’ system, human-related protection should be organised by controlling access privileges. In other words, only well-trusted personnel with particular roles should have access to the devices that store, process or transmit sensitive data. Also, the sensitive computers should be locked away in a secured room.
In order to prevent your employees’ participation in a digital MOSQUITO attack, lock up the USB ports on the ‘air-gapped’ machines. This is, however, not regarded as a bulletproof solution, as the legitimate USB mouse port can be used to plug in an infected flash drive. A Bluetooth keyboard or mouse connection is also insecure, as Bluetooth signals can be hacked.
As with many other things, there is no perfect solution to the problem, but being aware of vulnerabilities and the associated risks and applying some preventative measures can be of great help in avoiding the leakage of organisational or private sensitive data.