New world of cyber threats – sounds like trouble

18 August 2017

In his work to identify new cyber threats to organisations, Matt Wixey, who leads the research function in PwC’s Threat and Vulnerability Management team in the UK, has developed proof-of-concept malware which uses near-ultrasonic audio, transmitted and received with standard laptop soundcards, to receive commands and exfiltrate data.

Air-gaps are often used to isolate workstations containing information which is particularly sensitive or protectively-marked. By having a physical distance between such machines and any untrusted networks, the risk of attack, infection, and data loss, is significantly reduced.

However, a lot of research has been conducted into methods and techniques to bypass air-gaps, essentially by using a computer’s by-products (heat, sound, light, and electromagnetic emanations) to communicate information.

Humans can generally only hear sounds in the range of about 20Hz to 20KHz. To give you an idea of scale, the lowest note on a concert grand piano would be around 27Hz, and many species of bats communicate with each other at around 45KHz. However, most adult humans can only hear up to about 15KHz or so. Anything above 20KHz is called “ultrasonic”; sounds between 15KHz and 20KHz are called “near-ultrasonic”.

As shown in previous research, most standard soundcards (the components in computers which allow them to transmit and receive audio) are actually capable of receiving and transmitting near-ultrasonic sounds, and even slightly above. Assuming microphones and speakers are present and enabled on an air-gapped workstation, it is possible to use custom malware to communicate commands, and exfiltrate data, by transmitting near-ultrasonic sounds, and parsing received audio for certain sequences of tones, which are then interpreted as commands.

This means that an infected workstation could be controlled without touching it, and without initiating any kind of network activity. Data could then be stolen from the workstation, without having to plug anything in or upload the data anywhere. And because the sounds are near-ultrasonic, no-one would even know that the attack is occurring.

Whether your organisation employs air-gaps or not, you should be aware that there are other methods to control malware and exfiltrate data, other than network protocols and removable storage devices. This can include methods which utilise audio – and it might not always be feasible to disable all speakers and microphones on all users’ computers. But awareness is a key part of the battle.

Ultimately, it’s important to remember that organisations can never be 100% safe from a malicious insider, no matter how isolated your machines are and however many monitoring solutions you employ. The mere fact that computers emanate heat, noise, radiation and light as a by-product of their intended operations is enough for an attacker, if those by-products can be influenced.

More technical details about this research are available here.

Matt Wixey

Matt Wixey | PwC Threat and Vulnerability Management Team
Profile | Email | +44 (0)7841 468 795


More articles by Matt Wixey



Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated and will not appear until the author has approved them.