Hacking

GAIROSCOPE attack allows to exfiltrate data from Air-Gapped systems via ultrasonic tones

GAIROSCOPE: An Israeli researcher demonstrated how to exfiltrate data from air-gapped systems using ultrasonic tones and smartphone gyroscopes.

The popular researcher Mordechai Guri from the Ben-Gurion University of the Negev in Israel devise an attack technique, named GAIROSCOPE, to exfiltrate data from air-gapped systems using ultrasonic tones and smartphone gyroscopes.

The attack requires that the threat actor has in advance installed malware on the air-gapped system, as well as on a smartphone which must be located in the proximity of the system.

The malware installed in the air-gapped system generates ultrasonic tones in the resonance frequencies of the MEMS gyroscope which produce tiny mechanical oscillations within the smartphone’s gyroscope.

The frequencies are inaudible and the mechanical oscillations can be demodulated into binary information.

The researcher pointed out that the gyroscope in smartphones is considered to be a ’safe’ sensor and can be used legitimately from mobile apps and javascript without specific permissions, unlike other components like the microphone.

The researchers added that in Android and iOS, there may be no visual indication, notification icons, or warning messages to the user that an application is using the gyroscope, like the indications in other sensitive sensors.

“Our experiments show that attackers can exfiltrate sensitive information from air-gapped computers to smartphones located a few meters away via Speakers-toGyroscope covert channel.” reads the research paper.

The malware on the air-gapped system gather sensitive data, including passwords and encryption keys, and encodes it using frequency-shift keying. In frequency-shift keying (FSK), the data are represented by a change in the frequency of a carrier wave.

Then the malware uses the device’s speakers to transmit the sounds at the inaudible frequencies.

On the receiving side, the phone receives the sounds using the device’s gyroscope and the malware running on the phone continuously samples and processes the output of the gyroscope. When the malware detects an exfiltration attempt, which is started using a specific bit sequence, it demodulates and decodes the data. The exfiltrated data can then be sent to the attacker using the phone’s internet connection.

“In the exfiltration phase, the malware encodes the data and broadcast it to the environment, using covert acoustic sound waves in the resonance frequency generated from the computer’s loudspeakers. A nearby infected smartphone ‘listens’ through the gyroscope, detects the transmission, demodulates and decodes the data, and transfers it to the attacker via the Internet (e.g., over Wi-Fi).” continues the paper. “The air-gapped workstation broadcasts data modulated on top of ultrasonic waves in the resonance frequencies that oscillates the nearby MEMS gyroscope. The application in the smartphone samples the gyroscope, demodulates the signal, and transmits the decoded data to the attacker through Wi-Fi.”

The test conducted by the researcher demonstrated that the GAIROSCOPE attack allows for a maximum data transmission rate of 8 bits/sec over a distance of up to 8 meters.

The following table shows the comparison with the existing acoustic covert channels previously devised by the researchers:

The researcher also provide countermeasures to mitigate the GAIROSCOPE attack, such as speakers elimination and blocking, ultrasonic filtering, signal jamming, signal monitoring, implementing sensors security, keping systems in restricted zones defined by a different radius, depending on the zone classification.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, GAIROSCOPE)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

12 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

18 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.