Researchers from the School of Cyber Security at Korea University have invented a new attack vector dubbed Casper that can steal data from air-gapped computers and transfer it to a nearby smartphone at 20 bits per second using soundwaves from the computer’s internal speakers.
The attack uses the target computer’s internal speakers to transmit high-frequency audio between 17kHz to 20kHz, which is also inaudible to humans. This audio is transmitted in either binary or Morse code and can be picked up by a microphone up to 1.5 meters away.
Researchers Hyeongjun Choi, Ji Hyuk Jung and Ji Won Yoon tested this model using a computer running Ubuntu 20.04 as the target and a Galaxy Z Flip 3 as the receiving microphone. The phone used a basic voice recording application with a 20kHz maximum sampling frequency.
Two experiments were run, one using Morse code and the other using binary. The Morse code experiment used a 100ms sound wave to represent a bit and 18kHz and 18kHz for representing the dots and dashes used in Morse code, respectively. In this case, the receiving phone was located 50cm away and successfully decoded the message sent from the target machine.
The binary transmission method works slightly differently. The length per bit was 50ms with 18kHz and 19kHz representing 0s and 1s. Additionally, 17kHz was used as a 50ms start/stop bit to represent the starting and ending of a particular message.
Infecting air-gapped computers is hard
While the data extraction method might be covert, the attack does require an intruder with physical access to the target machine to infect it with malware first, as is always the case with air-gapped computers.
Once installed on the target machine, the malware can read the target’s file system, locate specific files and file types, and start extracting them. It also has keylogging abilities, which play well with the slow data transfer rate, which is also the method’s biggest disadvantage.
To put things in perspective, while the method can transmit an eight-character password in roughly three seconds, a 2048-bit RSA key takes about 100 seconds. The data transfer rate becomes even more of a bottleneck when transferring files. For example, a 10KB file would require an hour to transfer under ideal conditions with no interruptions.
The attack vector can also be easily disabled by removing internal speakers from air-gapped systems. If that’s not possible, defenders can use a high-pass filter to ensure that the internal speaker only emits sounds in the human hearing spectrum, exposing the attack as soon as the data transmission begins.
In the News: Pixel 7a: Specs and design leaked