New Air-Gap Attack Uses MEMS Gyroscope Ultrasonic Covert Channel to Leak Data

Written by admin


A new data exfiltration technique has been found to use a covert ultrasonic channel to leak sensitive information from isolated, air-gapped computers to a nearby smartphone that doesn’t even need a microphone to pick up the sound waves.

Dubbed GAIROSCOPE, the adversarial model is the latest addition to a long list of acoustic, electromagnetic, optical and thermal approaches devised by Dr. Mordechai Guri, head of R&D at the Cybersecurity Research Center at Ben Gurion University of the Negev in Israel.

“Our malware generates ultrasonic tones at the resonant frequencies of the MEMS gyroscope,” Dr. Guri said in a new paper published this week. “These inaudible frequencies produce tiny mechanical oscillations within the smartphone’s gyroscope that can be converted into binary information.”


Air-gapping is a basic security measure that involves isolating a computer or network and preventing it from establishing an external connection, creating an insurmountable barrier between a digital asset and threat actors trying to create a pathway for espionage attacks.

Like other attacks on air-gapped networks, GAIROSCOPE relies on an adversary’s ability to breach the target environment through ploys such as infected USB sticks, watering holes, or supply chain compromises to deliver the malware.

What’s new this time around is that it also requires infecting the smartphones of employees working in the victim organization with a rogue app that is distributed through attack vectors such as social engineering, malicious advertisements, or compromised websites, among others.

In the next stage of the kill chain, the attacker abuses the established foothold to collect sensitive data (e.g., encryption keys, credentials, etc.), encodes the information and broadcasts it in the form of covert acoustic sound waves through the machine’s loudspeaker.

The transmission is then detected by an infected smartphone that is physically close and listening through the gyroscope sensor built into the device, after which the data is demodulated, decoded and transmitted over Wi-Fi to the attacker over the Internet.

This is made possible by a phenomenon called ultrasonic perturbation, which affects MEMS gyroscopes at resonant frequencies. “When this inaudible sound is played near the gyroscope, it creates an internal distortion in the signal output,” Dr. Guri explained. “Errors in the output can be used to encode and decode information.”

Experimental results show that the covert channel can be used to transmit data at bit rates of 1-8 bit/s at distances of 0-600 cm, with the transmitter reaching a distance of 800 cm in narrow rooms.

If employees place their mobile phones on their desks near their workstations, the method can be used to exchange data, including short texts, encryption keys, passwords or keystrokes.

The data theft method is notable in that it does not require the malicious app on the receiving smartphone (in this case, the OnePlus 7, Samsung Galaxy S9 and Samsung Galaxy S10) to have microphone access, thereby tricking users into approving its access without suspicion.

The speaker-to-gyroscope covert channel is also advantageous from an adversarial point of view. Not only are there no visual cues on Android and iOS when an application uses the gyroscope (such as those shown for location or microphone access), the sensor is also accessible from HTML via standard JavaScript.

This also means that the bad actor does not need to install an application to achieve its intended goals and can instead inject backdoor JavaScript code into a legitimate website that samples the gyroscope, receives the covert signals and leaks the information over the Internet.

Mitigating GAIROSCOPE requires organizations to apply separation policies that keep smartphones at least 800 cm away from secured areas, remove loudspeakers and audio drivers from endpoints, filter out ultrasonic signals using firewalls such as SilverDog and SoniControl, and jam the covert channel by adding background noises to the acoustic spectrum.
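As a sketch of what the ultrasonic filtering mitigation has to detect, the following added example (not code from the paper, SilverDog or SoniControl) scans frames of outgoing audio for a dominant inaudible tone. The 48 kHz sample rate, the 18 kHz band edge, the 20% threshold and the constructed 19 kHz test tone are assumptions, not values from the study.

```python
import math

RATE = 48_000        # assumed output sample rate (Hz)
BAND_START = 18_000  # assumed lower edge of the inaudible band (Hz)
STEP = 250           # scan resolution (Hz)
THRESHOLD = 0.2      # assumed: alert when one tone holds >20% of frame energy

def goertzel_power(samples, freq, rate=RATE):
    """Squared DFT magnitude at a single frequency (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def scan_frame(samples, rate=RATE):
    """Return (frequency, energy share) of the strongest tone above BAND_START."""
    total = sum(x * x for x in samples)
    if total == 0:
        return None, 0.0
    best_f, best_p = None, 0.0
    for f in range(BAND_START, rate // 2, STEP):
        p = goertzel_power(samples, f, rate)
        if p > best_p:
            best_f, best_p = f, p
    # A pure tone of amplitude A over N samples gives power (A*N/2)^2 and
    # total energy A^2*N/2, so this share is 1.0 for a lone tone.
    return best_f, best_p / (total * len(samples) / 2)

def flag_frames(frames, rate=RATE):
    """Indices and frequencies of frames dominated by an ultrasonic tone."""
    hits = []
    for i, frame in enumerate(frames):
        freq, share = scan_frame(frame, rate)
        if share > THRESHOLD:
            hits.append((i, freq))
    return hits

def tone(freq, amp, n=960, rate=RATE):
    """Constructed test signal: n samples of a sine wave (20 ms at 48 kHz)."""
    return [amp * math.sin(2 * math.pi * freq * k / rate) for k in range(n)]

# Constructed sample audio: normal playback vs. playback carrying a 19 kHz tone.
BENIGN = tone(1_000, 0.5)
CARRIER = [a + b for a, b in zip(tone(1_000, 0.5), tone(19_000, 0.5))]

if __name__ == "__main__":
    print(flag_frames([BENIGN, CARRIER, BENIGN]))
```

A real deployment would run such a check on the audio output path of the endpoint and tune the band and threshold against the speakers actually installed.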

The study comes after Dr. Guri demonstrated SATAn, a mechanism to jump over air gaps and extract information using Serial Advanced Technology Attachment (SATA) cables.
