The one thing you’ve always been certain of is that a computer that’s not connected to a network, doesn’t munch data from any USB sticks, and doesn’t accept any kind of electronic connection requests is reasonably safe against hackers and crackers breaking into its electronic vaults.
Not so much, anymore.
Scientists in Wachtberg, Germany, have developed a proof of concept that could allow the bad guys to infect computers and other digital devices via sound waves alone, using a SONAR-like concept that was initially developed to enable underwater communication.
“Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system,” Michael Hanspach and Michael Goetz say. “We construct a covert channel between different computing systems that utilizes audio modulation/demodulation to exchange data between the computing systems over the air medium.”
In other words, an air modem.
The researchers go on to say that “the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered.”
Scientists … always opening Pandora’s box.
This is a relevant and topical development, because phones (mobile computers) and laptops are increasingly being shipped with the ability to hear, understand, and operate based on vocally delivered instructions. Apple’s Siri allows you to communicate with and control your phone, and iPhone is not the first computer that Apple gave voice control to — the company has had it in limited forms for years. Android, of course, also responds to your voice, and new devices like Microsoft’s Xbox One respond to gestures (another attack vector, someday?) and voice commands.
All of which means that your computer is listening. And, theoretically, at some point audio control of your computer could become sophisticated enough for attackers to do meaningful and dangerous things without any electronic connection to your PC, phone, or gaming system. Currently, target computers must be within 65 feet, Ars Technica says. However, the researchers have harnessed the concept of a mesh network to expand attackers’ potential range.
Right now, there is of course no exploit in the wild. This is simply a theoretical paper.
However, it’s often the case that once it’s known that something can be done, others feel the pressing and urgent need to actually do it. Fortunately, the report authors have already considered that, and are working on countermeasures.
“Countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analyzing audio input and output in order to detect any irregularities,” their paper reads.
Unfortunately, that means that computer and consumer electronics manufacturers now have an entirely new class of attack vectors to consider.
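The two countermeasures quoted above, low-pass filtering and host-side analysis of audio input, can be sketched as follows. This is an added example, not code from the researchers' paper or from this article; the 48 kHz sample rate, 17 kHz cutoff, 20 kHz test carrier and 0.05 alert threshold are assumptions chosen for illustration, and the sample buffers are constructed.

```python
import math

SAMPLE_RATE = 48_000   # assumed capture rate in Hz (not from the article)
CUTOFF_HZ = 17_000     # assumed edge of the band ordinary audio rarely uses
NUM_TAPS = 101         # odd length, so the filter has a centre tap
ALERT_RATIO = 0.05     # assumed alert threshold; tune against a real baseline

def lowpass_taps(cutoff_hz=CUTOFF_HZ, rate=SAMPLE_RATE, n=NUM_TAPS):
    """Hamming-windowed sinc low-pass FIR taps, scaled to unity gain at DC."""
    fc, mid, taps = cutoff_hz / rate, (n - 1) // 2, []
    for i in range(n):
        k = i - mid
        ideal = 2 * fc if k == 0 else math.sin(2 * math.pi * fc * k) / (math.pi * k)
        taps.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * i / (n - 1))))
    gain = sum(taps)
    return [t / gain for t in taps]

def lowpass(samples, cutoff_hz=CUTOFF_HZ):
    """Mitigation: remove content above cutoff_hz (output aligned with input)."""
    taps = lowpass_taps(cutoff_hz)
    mid = len(taps) // 2
    padded = [0.0] * mid + list(samples) + [0.0] * mid
    return [sum(t * padded[i + j] for j, t in enumerate(taps))
            for i in range(len(samples))]

def high_band_ratio(samples, cutoff_hz=CUTOFF_HZ):
    """Detection: fraction of the buffer's energy that lies above cutoff_hz."""
    total = sum(x * x for x in samples)
    residual = (x - y for x, y in zip(samples, lowpass(samples, cutoff_hz)))
    return sum(r * r for r in residual) / total if total else 0.0

def is_suspicious(samples):
    """True when more energy sits above the cutoff than the threshold allows."""
    return high_band_ratio(samples) > ALERT_RATIO

def tone(freq_hz, amplitude, seconds=0.05, rate=SAMPLE_RATE):
    """Constructed test signal: a pure sine wave."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / rate)
            for i in range(int(seconds * rate))]

# Constructed buffers: speech-range tones, then the same with a 20 kHz carrier.
VOICE = [a + b for a, b in zip(tone(300, 0.6), tone(1200, 0.3))]
MIXED = [v + c for v, c in zip(VOICE, tone(20_000, 0.3))]

if __name__ == "__main__":
    for name, buf in (("voice", VOICE), ("mixed", MIXED), ("filtered", lowpass(MIXED))):
        print(f"{name:9s} ratio={high_band_ratio(buf):.4f} alert={is_suspicious(buf)}")
```

The same filter serves both purposes: its output is the sanitized audio, and the energy it removed is the signal a host-based monitor would alert on.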