Crossing the Air Gap

Crossing the Air Gap

badBIOS — It’s a fundamental rule of computer security: The only way to absolutely protect yourself from intruders is to take your computer off the wire. In other words, create an “air gap” between yourself and the Internet. No hardwire. No Wi-Fi. No Bluetooth. Just a computer, a user and maybe an encrypted thumb drive to move data across the “gap.” It’s such a simple concept. What could possibly go wrong?

Fast forward to last month, when security consultant Dragos Ruiu revealed that he has been fighting a firmware virus for the last three years. This virus possesses a very curious characteristic. The infection jumps air gaps and infects systems that are not connected to any network. In one case, a laptop with Wi-Fi and Bluetooth cards removed and running on battery power was infected from a nearby badBIOS-infected computer. Only after removing the microphone and speaker from the infected machine did the communication stop. Could the malware be using sound devices to create network?

Researchers at Germany’s Fraunhofer Institute published a study that confirms the ability for computers to communicate using inaudible audio signals (in the near ultrasonic sound range). As a proof-of-concept, the study demonstrates how air gaps should be considered obsolete. Commercially available laptops communicate over distances of 65 feet using their built-in speakers and microphones. In addition, multiple laptops can form an acoustical network to communicate over a much larger distance.

The research doesn’t substantiate Dragos’ claims of badBIOS, but clearly the capability of bridging air gaps using acoustics is real. Anyone concerned about maintaining a highly secure environment has a couple of choices. Either get rid of the Mac and any other system with integrated acoustics. Or train your dog to detect the latest malware.

What Say You? — Of course, each and every advancement yields an unintended consequence. Computers can communicate using sound; that’s been pretty well established. And now that we know that computers can literally talk to each other, it begs the question, “What do they say?” Well, as it turns out, the researchers from Fraunhofer also conducted observations of their newly talkative machines. Below are the top comments made by the Fraunhofer systems.

10. “Hey, I like your user. He’s cute. How about sending me over his password?”

9. “You’d think they’d be bored with the Miley video by now.”

8. “Why don’t they get it — just doesn’t work!”

7. “Hi. I’m a Mac. And I’m a PC.”

6. “A bitcoin for your thoughts…”

5. “Hey, that’s a great idea! But we have to get it by the proxy first.”

4. “Who says tablets have more fun?”

3. “Did you see the new system in cubicle 3G17? Ah, man, what great peripherals!”

2. “Why do I always get the guy with sweaty palms?”

1. “Yahoo!!!!”


Until next time, I’m off the grid @gregory_a_baker.

Comment Policy