Misinformation about “acoustical infections”
Published December 5th, 2013 at 2:13 PM EDT , modified December 5th, 2013 at 2:13 PM EDT
There has been much ado in the tech media lately about new malware that can infect another computer through nothing but sound. In other words, an infected computer could use nothing more than sounds played through the computer’s speaker to infect another computer that has a microphone (as most laptops do these days). Here’s the thing, though… it’s all crap! (Pardon the harsh language.) No such thing is actually possible.
Coverage of this claim began with the announcement by security researcher Dragos Ruiu of something that he has called badBIOS. This malware, which nobody has yet managed to independently verify and many believe doesn’t actually exist, features all manner of powerful capabilities. One of those is a purported ability to communicate across an “air gap” with another nearby computer. (An “air gap” between two computers refers to a situation where there is absolutely no connection between the two, with one or both disconnected from any network.)
Many people misinterpreted Dragos as saying that the malware could infect another computer using nothing but sound, which Dragos was quick to point out was not accurate. His claims were simply that infected computers could communicate with each other despite having no connections to each other, and that they were using inaudible sound frequencies to do so.
Now, there’s a rash of new articles about findings published by the Fraunhofer Institute for Communication. This paper, titled “On Covert Acoustical Mesh Networks in Air,” has been said to show that sound can be used to infect computers. Examples of this coverage include an article by Betsy Isaacson in the Huffington Post, titled “Your Computer Could Be Hacked Using Only Sound, Study Says,” and one by Michael Mimoso of ThreatPost, titled “Acoustical Mesh Network Used to Infect Air-Gapped Computers.” The latter has even been referenced on Twitter by Eugene Kaspersky, chairman and CEO of the security firm Kaspersky Lab.
Sounds like there’s a lot of weight and credibility behind these claims, right? Here’s the problem… these reports are completely fictional! The only explanation I can give for any of it is that these folks simply haven’t read the paper in question, basing their reporting on nothing more than an inaccurate reading of the paper’s abstract. If you read the paper, it becomes clear that this is not what is claimed at all. The research simply shows how it would be possible for two computers to communicate over an air gap, using sound as the transmission medium. Nowhere does it make any claims about infecting computers using sound. In fact, near the top of the left column on the third page of the PDF (page 760 in the journal), it very clearly says:
All participants must have installed a compatible acoustic communication system, either by infection of a malware or actively installed (on the attacker).
“Participants” here refers to the computers that are participating in the mesh network. The scenario it describes involves a victim (the machine data is being transmitted from), an attacker (the machine the data should be transmitted to) and a number of drones (responsible for propagating the data through space and forming the bulk of the mesh network). However, all these machines, as is stated by the excerpt above, must be infected with the mesh network malware through conventional means.
The coverage of this story is the worst kind of reactionary carelessness. Worse is the fact that the CEO of a major security firm is participating in spreading this FUD! (Shame on you, Mr. Kaspersky!) This is the kind of thing that responsible security professionals have to fight every day. There are plenty of people in the Mac community who believe that anti-virus companies use lies and FUD to sell software that is unnecessary. Although that is not generally the case, this kind of behavior from Kaspersky certainly does nothing to help dispel this myth!
Although it’s a real shame that we can’t trust these reports, this is really nothing new. News media of all kinds make mistakes all the time, as do individuals. Remember, before blindly trusting a report that sounds unbelievable, always do your research. For example, when someone reports about published research, seek out and read the research for yourself. Make no exceptions… as I have said before, I fully expect my readers to exercise skepticism, even with my own reporting. So, rather than take my word for it, go read that research paper and evaluate the truth of the reports for yourself!