Air gap breached by disk drive noise

Attack still needs malware, can be defeated by silent solid state disks

41 Reg comments Got Tips?

Video Researchers from Israel's Ben-Gurion University of the Negev Cyber Security Research Center have found a way to exfiltrate information from a PC using the noise created by hard disk drives.

In work detailed here (PDF) at ArXiv, the researchers explain how they've created malware that “can generate acoustic emissions at specific audio frequencies by controlling the movements of the HDD's actuator arm.”

Acoustic attacks on air-gapped computers are nothing new: researchers have found ways to use speakers and microphones to exfiltrate data. Other work has even used a PC's fan to exfiltrate data, either with fan noise or by vibrating a PC's chassis. Security wonks have cottoned on to that and decently air-gapped machines now omit fans, speakers and microphones. Paranoid users will deploy such machines alongside electro-magnetic defences so that computers' and monitors' fugitive emissions can't be read.

Just how attackers can install malware on such machines isn't addressed in the paper. But as Stuxnet shows, where there's a will …

So let's just assume that someone manages to get this malware, dubbed “DiskFiltration”, onto a machine. The authors of the paper envisage that the malware will be coded to seek out data like passwords, encryption keys or key-logging data. When it finds the data it wants, the malware will instruct a disk's actuator arm to perform fake “seek” operations that produce “noise patterns at a certain frequency range.”

Many hard disks now include a feature called automatic acoustic management (AAM) that deliberately dampen seek noise to prevent attacks like these. The researchers say their tests were run with AAM on its default settings.

Once the disk-swinging malware is running a nearby smartphone or other recording device will then listen in to those frequencies and should be able to transcribe the binary output at “180 bits/minute (10,800 bits/hour) and a distance of up to two meters (six feet).”

You're not going to download a movie at that speed, but for a password or key you don't need to.

The good news is that there are simple countermeasures that can stop this attack. The first is to use solid state disks. Another is to tweak AAM settings. Or you could ban smartphones from getting anywhere near air-gapped PCs, which is standard practice in lots of secure areas. ®

Youtube Video

Biting the hand that feeds IT © 1998–2020