Researchers have devised a new way to siphon data out of an infected computer even when it has been physically disconnected from the Internet to prevent the leakage of sensitive information it stores.
The method has been dubbed “DiskFiltration” by its creators because it uses acoustic signals emitted from the hard drive of the air-gapped computer being targeted. It works by manipulating the movements of the hard drive’s actuator, which is the mechanical arm that accesses specific parts of a disk platter so heads attached to the actuator can read or write data. By using so-called seek operations that move the actuator in very specific ways, it can generate sounds that transfer passwords, cryptographic keys, and other sensitive data stored on the computer to a nearby microphone. The technique has a range of six feet and a speed of 180 bits per minute, fast enough to steal a 4,096-bit key in about 25 minutes.
“An air-gap isolation is considered to be a hermetic security measure which can prevent data leakage,” Mordechai Guri, a security researcher and the head of research and development in the cyber security labs at Israel’s Ben-Gurion University, told Ars. “Confidential data, personal information, financial records and other type of sensitive information is stored within isolated networks. We show that despite the degree of isolation, the data can be exfiltrated (for example, to a nearby smart phone).”
Besides working against air-gapped computers, the covert channel can also be used to steal data from Internet-connected machines whose network traffic is intensively monitored by intrusion prevention devices, data loss prevention systems, and similar security measures. The technique is documented in a technical paper titled DiskFiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise, which was published Thursday night. Guri and the other Ben-Gurion University researchers who devised the covert channel created the video demonstration below.
DiskFiltration is only the latest method devised by Ben-Gurion University researchers to bridge air gaps. Other techniques include AirHopper, which turns a computer’s video card into an FM transmitter; BitWhisper, which relies on the exchange of heat-induced “thermal pings”; GSMem, which relies on cellular frequencies; and Fansmitter, which uses noise emitted by a computer fan to transmit data. In 2013, researchers with Germany’s Fraunhofer Institute for Communication, Information Processing, and Ergonomics devised a technique that used inaudible audio signals to covertly transmit keystrokes and other sensitive data from air-gapped machines.
The techniques are effective, but their utility in real-world situations is limited. That’s because the computers they target still must be infected by malware. If the computers aren’t connected to the Internet, the compromise is likely to be extremely difficult and would require the help of a malicious insider, who very well may have easier ways to obtain data stored on the machine. Still, the air-gap jumpers could provide a crucial means to bypass otherwise insurmountable defenses when combined with other techniques in a targeted attack.
Receiving data transmitted by sound generated from a hard drive is generally not efficient. DiskFiltration improves the signal-to-noise ratio by focusing on a narrow range of acoustic frequencies, a feature that effectively strips out background noise. DiskFiltration works even when a hard drive’s automatic acoustic management, which reduces acoustic noise, is at its default setting. Still, casual noise emissions from other running processes can sometimes interfere or interrupt the DiskFiltration transmissions.
The most effective way to prevent DiskFiltration-style data exfiltration is to replace hard drives with solid-state drives, since the latter aren’t mechanical and generate virtually no noise. Using particularly quiet types of hard drives or installing special types of hard drive enclosures that muffle sound can also be an effective countermeasure. It may also be possible to jam hard-drive signals by generating static noise. Intrusion prevention systems may also be programmed to detect suspicious hard-drive seek patterns used to create the transmissions. Yet another solution is to isolate air-gapped computers from smart phones and other devices with a microphone.