Skip to main content

Scientists prove ultrasound-whispering malware concept

German scientists have successfully designed a form of malware that uses high-frequency sound to transmit information between infected computers that have no connection to the Internet.

The researchers at the Fraunhofer Institute for Communication, Information Processing, and Ergonomics developed several ways to use inaudible sounds to transmit data between two Lenovo T400 laptops using only their built-in microphones and speakers. The technique is capable of transmitting data between machines as much as 19.7m (64.6ft) apart, and could be used by viruses to jump the so-called "air-gap".

The research acts as a proof-of-concept for claims made by security researcher Dragos Ruiu, who is believed to have discovered just such a virus in the wild. Ruiu claimed that the malware he had discovered, dubbed badBIOS, allowed infected machines to "whisper" to one another, and repair the malware while it was being removed.

The paper, entitled "On Covert Acoustical Mesh Networks in Air" also proves that the concept is well within the capability of sophisticated and state-sponsored hackers.

While the transmission rate hovered around a snail's pace of 20 bits per second – much slower than a standard Internet connection – this was easily enough to pass passwords and login credentials between infected machines.

"This small bandwidth might actually be enough to transfer critical information (such as keystrokes)," wrote one of the authors, Michael Hanspach. "You don't even have to think about all keystrokes. If you have a keylogger that is able to recognize authentication materials, it may only occasionally forward these detected passwords over the network, leading to a very stealthy state of the network. And you could forward any small-sized information such as private encryption keys or maybe malicious commands to an infected piece of construction."

While covert acoustical data transfer might be beyond the talents of most hackers and cyber criminals, when compared to the complexity of a state-sponsored worm like Stuxnet or Flame, the demands are pretty modest.

For truly high-security targets like government, nuclear power plants, and intelligence agencies, this ground-breaking piece of malware could be a very viable threat. We can be sure, in fact, that some of the world's nosier government agencies are probably looking into this approach right now, if it's not already in full circulation.

For high-security networks, the researchers advised employing audio filtering that blocks high-frequency ranges that could be used to transmit data. Devices running Linux can do this by using the advanced Linux Sound Architecture in combination with the Linux Audio Developer's Simple Plugin API, and there are similar solutions for Windows and Mac OS X.

The researchers also proposed developing an "audio intrusion detection guard," which would "forward audio input and output signals to their destination and simultaneously store them inside the guard's internal state, where they are subject to further analyses."

While this type of malware has yet to be confirmed in the wild, this is another development in the constant arms race between those seeking to infiltrate networks, and those tasked with keeping them safe.