Misinformation about “acoustical infections”

Published December 5th, 2013 at 2:13 PM EDT, modified December 5th, 2013 at 2:13 PM EDT

There has been much ado in the tech media lately about new malware that can infect another computer through nothing but sound. In other words, an infected computer could use nothing more than sounds played through the computer’s speaker to infect another computer that has a microphone (as most laptops do these days). Here’s the thing, though… it’s all crap! (Pardon the harsh language.) No such thing is actually possible.

Coverage of this claim began with the announcement by security researcher Dragos Ruiu of something that he has called badBIOS. This malware, which nobody has yet managed to independently verify and many believe doesn’t actually exist, features all manner of powerful capabilities. One of those is a purported ability to communicate across an “air gap” with another nearby computer. (An “air gap” between two computers refers to a situation where there is absolutely no connection between the two, with one or both disconnected from any network.)

Many people misinterpreted Dragos as saying that the malware could infect another computer using nothing but sound, which Dragos was quick to point out was not accurate. His claims were simply that infected computers could communicate with each other despite having no connections to each other, and that they were using inaudible sound frequencies to do so.

Now, there’s a rash of new articles about findings published by the Fraunhofer Institute for Communication. This paper, titled “On Covert Acoustical Mesh Networks in Air,” has been said to show that sound can be used to infect computers. Examples of this coverage include an article by Betsy Isaacson in the Huffington Post, titled “Your Computer Could Be Hacked Using Only Sound, Study Says,” and one by Michael Mimoso of ThreatPost, titled “Acoustical Mesh Network Used to Infect Air-Gapped Computers.” The latter has even been referenced on Twitter by Eugene Kaspersky, chairman and CEO of the security firm Kaspersky Lab.

Sounds like there’s a lot of weight and credibility behind these claims, right? Here’s the problem… these reports are completely fictional! The only explanation I can give for any of it is that these folks simply haven’t read the paper in question, basing their reporting on nothing more than an inaccurate reading of the paper’s abstract. If you read the paper, it becomes clear that this is not what is claimed at all. The research simply shows how it would be possible for two computers to communicate over an air gap, using sound as the transmission medium. Nowhere does it make any claims about infecting computers using sound. In fact, near the top of the left column on the third page of the PDF (page 760 in the journal), it very clearly says:

All participants must have installed a compatible acoustic communication system, either by infection of a malware or actively installed (on the attacker).

“Participants” here refers to the computers that are participating in the mesh network. The scenario it describes involves a victim (the machine data is being transmitted from), an attacker (the machine the data should be transmitted to) and a number of drones (responsible for propagating the data through space and forming the bulk of the mesh network). However, all these machines, as is stated by the excerpt above, must be infected with the mesh network malware through conventional means.

The coverage of this story is the worst kind of reactionary carelessness. Worse is the fact that the CEO of a major security firm is participating in spreading this FUD! (Shame on you, Mr. Kaspersky!) This is the kind of thing that responsible security professionals have to fight every day. There are plenty of people in the Mac community who believe that anti-virus companies use lies and FUD to sell software that is unnecessary. Although that is not generally the case, this kind of behavior from Kaspersky certainly does nothing to help dispel this myth!

Although it’s a real shame that we can’t trust these reports, this is really nothing new. News media of all kinds make mistakes all the time, as do individuals. Remember, before blindly trusting a report that sounds unbelievable, always do your research. For example, when someone reports about published research, seek out and read the research for yourself. Make no exceptions… as I have said before, I fully expect my readers to exercise skepticism, even with my own reporting. So, rather than take my word for it, go read that research paper and evaluate the truth of the reports for yourself!

3 Comments

  • Al says:

    ESET also blogged about this yesterday in ‘Ultrasonic cyber-attack can “steal information” even from high-security systems, researchers warn’ http://preview.tinyurl.com/kvahfda that further referenced articles in The Telegraph (UK) and c|net.

    • Thomas says:

      Looks like none of those reports make any claims about infecting computers through sound. However, some of them have some vague statements that could be interpreted that way. Language needs to be kept very precise in cases like this. Otherwise, there’s a very slippery slope here, leading straight down into the pit of paranoid mythology. I’m quite sure we’ll soon be seeing people claiming their machines have been infected across an air gap by sound, and providing some of these articles as “proof.”

  • Al says:

    This is what the SANS NewsBites Vol. 15 Num. 096 published in more balanced coverage about it today:

    –Proof-of-Concept Malware Jumps Air Gap
    (December 5, 2013)
    Computer scientists in Germany have developed proof-of-concept malware
    that can infect computers that are not connected to networks by using
    audio signals that are inaudible to humans. The attack uses built in
    microphones and speakers on standard computers to initiate
    “communications that have not been considered in the design of the
    computing system.” Several weeks ago, a different security researcher
    said that three years before, his computers became infected with malware
    that used high-frequency transmissions to jump the air gap.
    http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/
    http://news.cnet.com/8301-1009_3-57614442-83/malware-jumps-air-gap-between-non-networked-devices/
    http://www.theregister.co.uk/2013/12/05/airgap_chatting_malware/
    Researchers’ Paper:
    http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600
    [Editor’s Note (Pescatore): There are a few scenarios where this attack
    might make a top ten risk list, such as when a single user has to use
    multiple PCs at one desktop, each connected to a network at a different
    security level. So, it is a good idea to default to microphones off.
    But, this is much more likely to remain an academic attack – and much
    more likely that insecure Bluetooth or USB ports will be used to jump
    that air gap.
    (Murray): Like every other security mechanism, “air gaps” must be
    evaluated in the context of the application and environment. Similarly,
    attacks must be evaluated in terms of their cost, including work, access
    required, indifference to detection, special knowledge, and time to
    detection and remediation. That said, communication requires a listener
    as well as a transmitter. In this case the “receiver” is “malware;” if
    one can install it, one does not need the channel to install more
    malware.]
