
Smartwatches: New Air-Gapped System Assault Vehicle

 

A novel attack called 'SmartAttack' uses smartwatches as covert ultrasonic signal receivers to extract data from physically isolated (air-gapped) systems.

Air-gapped systems, which are often used in mission-critical environments such as government buildings, weapons platforms, and nuclear power plants, are physically separated from external networks to prevent malware infections and data theft. Despite their isolation, they are still susceptible to compromise from insider threats, such as rogue employees using USB devices, or from state-sponsored supply chain attacks.

Once a system is infiltrated, malware can operate silently, modulating the physical characteristics of hardware components to transmit sensitive data to a nearby receiver without interfering with the system's regular operations.

SmartAttack was developed by Israeli university researchers led by Mordechai Guri, a covert attack channel expert who has previously shown ways of leaking data using LCD screen noise, RAM modulation, network card LEDs, USB drive RF signals, SATA connectors, and power supplies. While attacks on air-gapped environments are often theoretical and exceedingly difficult to execute, they do present interesting and unique ways to exfiltrate data.

Modus operandi

SmartAttack requires malware to infect an air-gapped machine in order to acquire sensitive data such as keystrokes, encryption keys, and credentials. The malware can then use the computer's built-in speaker to send ultrasonic signals into the environment. The audio signal frequencies are modulated using binary frequency shift keying (B-FSK) to represent binary data, that is, ones and zeros. A frequency of 18.5 kHz represents "0", whereas 19.5 kHz represents "1".

Humans cannot hear frequencies in this range, but they can be picked up by the microphone of a smartwatch worn by someone nearby. The smartwatch's sound monitoring app uses signal processing to detect the frequency shifts and demodulate the encoded signals, and also performs integrity tests. The final data exfiltration can occur via Wi-Fi, Bluetooth, or cellular connectivity.

Performance and limitations

The researchers point out that smartwatches use smaller, lower-SNR microphones than smartphones, making signal demodulation challenging, particularly at higher frequencies and lower signal intensities. Even wrist position was found to be a significant factor in the attack's feasibility, with the watch performing best when it is in "line-of-sight" with the computer speaker.

The maximum transmission range varies by transmitter (speaker type) and is between 6 and 9 meters (20 - 30 feet). Data transmission rates range from 5 to 50 bits per second (bps), with reliability decreasing as rate and distance increase. Prohibiting smartwatch use in secure environments is the best way to counter SmartAttack, according to the researchers.

Removing the built-in speakers from air-gapped devices would be an additional step. This would eliminate the attack surface for not just SmartAttack but all acoustic covert channels. If none of this is practical, ultrasonic jamming through wideband noise emission, software-based firewalls, and audio-gapping may still work.
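One way a defender could monitor a secure room for the carriers described above (an added example, not code from the researchers or from this blog): it measures how much of each audio frame's energy sits at 18.5 kHz and 19.5 kHz and flags frames where a narrowband tone stands out. The 48 kHz sample rate, 100 ms frame, 0.05 threshold and all function names are assumptions, and the audio frames are constructed.

```python
import math
import random

SAMPLE_RATE = 48_000           # Hz (assumed); must exceed 2 x 19.5 kHz
WATCHED_HZ = (18_500, 19_500)  # the B-FSK "0" and "1" frequencies named above
FRAME_LEN = 4_800              # 100 ms frames (assumed); both tones fall on exact bins


def goertzel_power(samples, sample_rate, freq_hz):
    """Squared DFT magnitude at freq_hz, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / sample_rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def tone_fraction(samples, sample_rate, freq_hz):
    """Share of frame energy at freq_hz: about 1.0 for a pure tone, about 2/N for white noise."""
    energy = sum(x * x for x in samples)
    if energy == 0.0:
        return 0.0
    return 2.0 * goertzel_power(samples, sample_rate, freq_hz) / (len(samples) * energy)


def ultrasonic_carriers(samples, sample_rate=SAMPLE_RATE, threshold=0.05):
    """Return the watched frequencies holding more than `threshold` of the frame energy."""
    return [f for f in WATCHED_HZ if tone_fraction(samples, sample_rate, f) > threshold]


def constructed_frame(tone_hz=None, tone_amp=0.0, seed=7):
    """Constructed test input: Gaussian room noise plus an optional sine tone."""
    rng = random.Random(seed)
    frame = [rng.gauss(0.0, 0.05) for _ in range(FRAME_LEN)]
    if tone_hz is not None:
        step = 2.0 * math.pi * tone_hz / SAMPLE_RATE
        frame = [x + tone_amp * math.sin(step * n) for n, x in enumerate(frame)]
    return frame


if __name__ == "__main__":
    for label, frame in [
        ("noise only", constructed_frame()),
        ("audible 1 kHz tone", constructed_frame(1_000, 0.3)),
        ("faint 19.5 kHz tone", constructed_frame(19_500, 0.03)),
    ]:
        print(f"{label:22s} -> alert on {ultrasonic_carriers(frame)}")
```

On live audio the tones will not sit on exact DFT bins, so apply a window function (for example Hann) to each frame before measuring.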

With 95% Accuracy, New Acoustic Attack can Steal from Keystrokes


Researchers from UK universities have recently developed a deep learning model that extracts information from keyboard keystrokes recorded with a microphone, with 95% accuracy.

The prediction accuracy decreased to 93% when Zoom was used to train the sound classification algorithm, which is still exceedingly good and a record for that medium.

Such an attack has a significantly adverse impact on users' data security, since it is capable of exposing users' passwords, conversations, messages, and other sensitive information to nefarious outsiders.

Compared with other side-channel attacks, which need specific circumstances and are subject to data rate and distance restrictions, these acoustic attacks are easier to carry out because so many devices are now equipped with high-end microphones.

This makes sound-based side-channel attacks achievable and far more hazardous than previously thought, especially given the rapid advances in machine learning.

Listening to Keystrokes

The attack begins by recording keystrokes on the victim's keyboard, since that data is required for the prediction algorithm to work. This can be done via a nearby microphone or by accessing the microphone on the target's phone, which may have been compromised by malware.

Keystrokes can also be recorded via a Zoom call, in which a rogue meeting attendee correlates the messages typed by the target with the audio recording of that person.

The researchers acquired training data by pressing 36 keys on a modern MacBook Pro, 25 times each, and recording the sound produced by each press.

Spectrogram images of the recordings were used to train the image classifier "CoAtNet," and it took some trial and error with the epoch, learning rate, and data splitting parameters to get the best prediction accuracy.

The researchers' tests used the same laptop, whose keyboard has been present in all Apple laptops over the past two years, an iPhone 13 mini positioned 17 cm from the target, and Zoom.

The CoAtNet classifier achieved 95% accuracy on the smartphone recordings and 93% on the content captured via Zoom. Skype, on the other hand, produced comparatively lower accuracy, i.e. 91.7%.

Possible Security Measures

To protect themselves from these side-channel attacks, users are advised to try "altering typing styles" or generating passwords with randomized keys.

Another safety measure is to use software that generates keystroke sounds or white noise, or software-based keystroke audio filters.

Moreover, since the attack model proved highly effective even against a very silent keyboard, installing sound dampeners on mechanical keyboards or switching to membrane-based keyboards is unlikely to help in any way.

Finally, using password managers to avoid manually entering sensitive information and using biometric authentication whenever possible also serve as mitigating factors.