There has been a lot of internet buzz this week about malware that can communicate over PC speakers – without a network connection. This has been hyped into a lot of fear about totally isolated machines and the ability of hackers to attack them.
I don’t want to get into the hard-core technical details here. If you want, you can look at the paper about the mechanism, and the one about the original idea which dealt with underwater communication. I’m warning you, though, they’re loaded with mathematics and presume some data communication background. And before we go any further, this is a communication scheme, the authors of the paper (Hanspach and Goetz) never claimed to create any malware, not even a test version.
What the paper describes is a method of communicating over high frequency sound waves using PCs. The sound would be in the near-ultrasound and too high for most humans to hear. Because of the mechanism they use, if one could hear it, it would likely sound like noise or high-pitched static. The communication’s not fast – we are talking in the range of 20 bits per second. Contrast that with the billion bits per second of most Ethernet today, and you’ll see how slow that really is. While slow, it could be used to send a password or other credential information. A twelve character password would take roughly six seconds to send under very good conditions (not too noisy a room, computers near each other, etc.). There would be a bit of overhead, too, so it might take a while longer.
The fear is that this scheme could be used to extract information from computers not connected to any network – a so-called air gap. In order for this to be a security threat, there would need to be a computer infected with the malware to send data (e.g. passwords) and another computer infected with malware to receive the data and send it out over the internet. It may also be necessary to have some intermediate computers infected with malware to relay the information from the first to the second computer. That could be a bit of a stretch if none of these computers are connected to the internet (except the second one above). Somehow, the malware would have to be installed undetected on all these computers.
I’m not sure this is a real threat now, and it may never be. The authors of the paper suggest limiting access to the computer’s speakers to trusted applications. Another author of this blog, Bob Cromwell, suggested having a dog around to detect the high frequency noises. Maybe I’ll download some test code and see if my black Lab hears it…