Aug. 28, 2016

Air-gapped computers are disconnected from the Internet physically and logically. This measure is taken in order to prevent the leakage of sensitive data from secured networks. In the past, it has been shown that malware can exfiltrate data from air-gapped computers by transmitting ultrasonic signals via the computer’s speakers. However, such acoustic communication relies on the availability of speakers on a computer.

In a new paper, security researcher Mordechai Guri along with Yosef Solewicz (acoustic researcher), Andrey Daidakulov and Prof. Yuval Elovici of the Cyber Security Research Center and the Department of Software and Information Systems Engineering present 'DiskFiltration,' a covert channel which facilitates the leakage of data from an air-gapped computer via acoustic signals emitted from its hard disk drive (HDD). The method, which was introduced by Guri and the team, is unique in that, unlike other acoustic covert channels, it doesn't require the presence of speakers or audio hardware in the air-gapped computer.

A malware installed on a compromised machine can generate acoustic emissions at specific audio frequencies by controlling the movements of the HDD's actuator arm. Digital Information can be modulated over the acoustic signals and then be picked up by a nearby receiver (e.g., smartphone, smartwatch, laptop, etc.).

The researchers examined the HDD anatomy and analyzed its acoustical characteristics determining that they could present signal generation and detection, and data modulation and demodulation algorithms. Based on their proposed method, they developed a transmitter on a personal computer and a receiver on a smartphone, and provided the design and implementation details. They also evaluated the covert channel on various types of internal and external HDDs in different computer chassis and at various distances. With DiskFiltration, they were able to covertly transmit data (e.g., passwords, encryption keys, and keylogging data) between air-gapped computers to a smartphone at an effective bit rate of 180 bits/minute (10,800 bits/hour) and a distance of up to two meters (six feet).

"Air-gap isolation is considered to be a hermetic security measure which can prevent data leakage," Guri told Ars Technica. "Confidential data, personal information, financial records and other types of sensitive information are stored within isolated networks. We show that despite the degree of isolation, the data can be exfiltrated (for example, to a nearby smart phone)."