MEMS Gyroscope Ultrasonic Covert Channel

New air-gap attack uses MEMS gyroscopes to leak data over an ultrasonic covert channel

A new data exfiltration technique uses a covert ultrasonic channel to leak sensitive information from an isolated, air-gapped computer to a nearby smartphone, and it does not even need a microphone to pick up the sound waves.

Dubbed GAIROSCOPE, the adversarial model is the latest addition to a long list of acoustic, electromagnetic, optical and thermal methods devised by Dr. Mordechai Guri, head of research and development at the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel.

“Our malware generates ultrasonic waves at the resonant frequency of the MEMS gyroscope,” Dr. Guri said in a new paper published this week. “These inaudible frequencies create tiny mechanical oscillations within the smartphone’s gyroscope that can be demodulated into binary information.”


Viewed as a fundamental security countermeasure, air gaps involve isolating a computer or network and preventing it from establishing external connections, effectively creating an insurmountable barrier between digital assets and threat actors trying to open the way for espionage attacks.

Like other attacks against air-gapped networks, GAIROSCOPE relies on the attacker's ability to compromise the target environment through tactics such as infected USB sticks, watering holes, or supply chain compromises to deliver malware.

What's new this time around is that it also requires infecting the smartphones of employees working in the victim organization with a rogue app, which, for its part, is deployed through attack vectors such as social engineering, malvertising, or a compromised website.

In the next stage of the kill chain, the attacker abuses the established foothold to harvest sensitive data (e.g. encryption keys, credentials, etc.), then encodes the information and broadcasts it as inaudible sound waves through the machine's speakers.

An infected smartphone in close physical proximity then detects the transmission by listening through the device's built-in gyroscope sensor, whereupon the data is demodulated, decoded, and transmitted to the attacker over the internet via Wi-Fi.

This is possible because a phenomenon called ultrasonic damage affects MEMS gyroscopes at resonant frequencies. “When this inaudible sound is played near the gyroscope, it internally interferes with the signal output,” explained Dr. Guri. “Errors in the output can be used to encode and decode information.”

Experimental results show that the covert channel can be used to transmit data at bit rates of 1-8 bit/sec over distances of 0 to 600 cm from the transmitter, and at up to 800 cm from the transmitter in narrow rooms.

If employees keep their phones close to their workstations on the desk, the method can be used to exchange data, including short texts, encryption keys, passwords or keystrokes.

The exfiltration method is notable because it does not require the malicious app on the receiving smartphone (in this case, the OnePlus 7, Samsung Galaxy S9, and Samsung Galaxy S10) to have microphone access, so users can be tricked into approving it without suspicion.


From an adversarial standpoint, the covert channel from the speaker to the gyroscope is also advantageous. Not only are there no visual cues on Android and iOS when an application uses the gyroscope (as there are for location or the microphone), but the sensor can also be accessed from HTML via standard JavaScript.

It also means that bad actors don't have to install an app to achieve their goals. They can instead inject backdoor JavaScript code into a legitimate website that samples the gyroscope, receives the covert signals, and leaks the information over the Internet.

Mitigating GAIROSCOPE requires organizations to implement isolation policies that keep smartphones at least 800 cm or more away from secured areas, remove speakers and audio drivers from endpoints, filter out ultrasonic signals using the firewalls SilverDog and SoniControl, and add background noise to the acoustic spectrum to interfere with the covert channel.
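As an illustration of the "filter out ultrasonic signals" mitigation, the following added example (not from the paper, and not how SilverDog or SoniControl are implemented) flags sustained near-ultrasonic tones in captured audio samples with the Goertzel algorithm. The 48 kHz sample rate, the 18 to 23.5 kHz probe band and the threshold are assumptions, since the article gives no frequencies, and the input is constructed.

```python
import math

SAMPLE_RATE = 48_000                 # assumed capture rate in Hz
FRAME = 960                          # 20 ms analysis frame (50 Hz bin spacing)
BAND = range(18_000, 24_000, 500)    # assumed near-ultrasonic probe frequencies, Hz

def goertzel_power(frame, freq):
    """Squared amplitude of one frequency in a frame (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (len(frame) / 2) ** 2

def ultrasonic_alerts(samples, threshold=1e-4, min_frames=10):
    """Return (start_s, end_s, peak_hz) for every sustained tone inside BAND.

    threshold is an assumed value: squared amplitude 1e-4, i.e. 1% of full scale.
    """
    alerts, start, peaks = [], None, []
    n_frames = len(samples) // FRAME
    for i in range(n_frames + 1):            # the extra pass closes an open run
        hit = None
        if i < n_frames:
            frame = samples[i * FRAME:(i + 1) * FRAME]
            power, freq = max((goertzel_power(frame, f), f) for f in BAND)
            hit = freq if power >= threshold else None
        if hit is not None:
            start = i if start is None else start
            peaks.append(hit)
            continue
        if start is not None and i - start >= min_frames:
            peak = max(set(peaks), key=peaks.count)
            alerts.append((start * FRAME / SAMPLE_RATE, i * FRAME / SAMPLE_RATE, peak))
        start, peaks = None, []
    return alerts

def constructed_capture(with_tone=True):
    """Constructed input: 1 s of 440 Hz audio, optional faint 19 kHz tone 0.3-0.7 s."""
    out = []
    for n in range(SAMPLE_RATE):
        x = 0.5 * math.sin(2 * math.pi * 440 * n / SAMPLE_RATE)
        if with_tone and 14_400 <= n < 33_600:
            x += 0.05 * math.sin(2 * math.pi * 19_000 * n / SAMPLE_RATE)
        out.append(x)
    return out

if __name__ == "__main__":
    for start_s, end_s, hz in ultrasonic_alerts(constructed_capture()):
        print(f"near-ultrasonic tone {hz} Hz from {start_s:.2f}s to {end_s:.2f}s")
```

The `min_frames` requirement keeps short clicks and transients from raising alerts; only a tone that persists for 200 ms or more in the probe band is reported.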

The research was completed more than a month after Dr. Guri demonstrated SATAn, a mechanism for jumping air gaps and extracting information by utilizing Serial Advanced Technology Attachment (SATA) cables.
