Data Exfiltration from Air-Gapped Computers Using HDD Sounds

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
If I am reading this right, malware installed on an air-gapped computer uses the actuator arm in the hard drive to send acoustic signals to a smartphone that acts as a receiver. While this seems kinda neat and all, how are they getting the malware onto the air-gapped computer in the first place? What about ambient noise interfering with recording the hard drive sounds?
 

Bandalo

2[H]4U
Joined
Dec 15, 2010
Messages
2,660
I have some serious doubts you could ever employ this in a real world situation.

1. You need access to the target machine to install malware. If you have that already, there's probably a dozen better ways to exfiltrate data. Most air-gapped machine still have anti-virus/anti-malware scanners, so you'd also have to avoid that.

2. Your microphone would need to be tuned for the specific environment. You could probably tune out some of the other noise, but outside of a very controlled situation I doubt you'd get anything useful. What if someone bumped the PC out of position? Or turned on a desk fan?

3. Everywhere I've ever worked with secure machines has a strict no-personal-electronics policy. So sitting a cellphone next to the machine isn't going to happen either.

If you have enough access to load malware AND put a covert cellphone into the machine, why use hard drive noise? Just install the malware and send everything directly to the phone.
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,611
I suppose there are two faces to the subject. Practicality and theory.

For the most part, it's impractical in any real world scenario involving government facilities and such. Take where I work, too many problems.
Steve's first issue, you have to get the malware onto a machine.
The article says there is a 6' range.
In my building, you can't bring any phone or smartwatch or ipod in the door without it becoming a real problem fast.
Yes, Steve's second point, ambient noise interfering with reception.

But then there is theory and what theory allows for is easy modification of security policy so that even someone who is capable, determined, and has refined the concept would still have problems making it happen.

But you might could get the details one who's getting a raise this year or what your boss is going to say on your performance review.
 

heatlesssun

Extremely [H]
Joined
Nov 5, 2005
Messages
44,154
Yeah, you can much more easily inject conventional and effective malware than this technique.
 
Last edited:

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,611
I have some serious doubts you could ever employ this in a real world situation.

1. You need access to the target machine to install malware. If you have that already, there's probably a dozen better ways to exfiltrate data. Most air-gapped machine still have anti-virus/anti-malware scanners, so you'd also have to avoid that.

2. Your microphone would need to be tuned for the specific environment. You could probably tune out some of the other noise, but outside of a very controlled situation I doubt you'd get anything useful. What if someone bumped the PC out of position? Or turned on a desk fan?

3. Everywhere I've ever worked with secure machines has a strict no-personal-electronics policy. So sitting a cellphone next to the machine isn't going to happen either.

If you have enough access to load malware AND put a covert cellphone into the machine, why use hard drive noise? Just install the malware and send everything directly to the phone.


Actually I think the noise issue is not so big. It's a digital world, ones and zeroes, you need two separate tones within a quiet frequency range. But if you are really going to move data, frequency is an issue. The higher the frequency the more data you can move but the shorter the range between transmitter and receiver so that's part of the problem.
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,611
Yeah, you can much more easily conventional inject much more effective malware than this technique.

Sure, just have your malware add your favorite email address to all outgoing unclassified email. You are bound to get something of worth given a little time.
 

ob1

2[H]4U
Joined
Apr 17, 2000
Messages
2,274
Getting the malware on the system isn't too difficult, well, relatively speaking I guess. Just infect various parts that are known to go into those machines and let the place install them or whatever. Like, lets say you know this place orders a lot of hard drives, or specific video cards or motherboard replacements or whatever. Just infiltrate those places, infect everything. Or intercept the packages and infect. Not impossible. But then, if you got that far, you could tune your malware to have the hard drive make certain noises or do certain actions that make certain noises and set your audio receiver to filter out all but those noises, like a packet header almost. Or maybe I'm crazy and/or ignorant...
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,611
Easier to compromise the people IMO.

RE: this theory - neat, but completely impractical. Also defeated with a SSD but w/e, maybe they'll go back to stealing data by listening to the fans instead (Clever Attack Uses the Sound of a Computer’s Fan to Steal Data)

This ^

In truth, the people are always the weakest link.

But I suppose this paper works for someone who just needs to get published or has requirements for their thesis.

ob1, what you are saying isn't wrong but it does depend a lot on the target. Some would be much harder than others.
 

ob1

2[H]4U
Joined
Apr 17, 2000
Messages
2,274
Plus you get the bonus fun factor of compromising people, which I do enjoy...
 

CaptNumbNutz

Fully [H]
Joined
Apr 11, 2007
Messages
23,570
If I'm understanding this right, they are using the sounds of the actuator arm to determine how often it's writing and how far the actuator arm is moving.

Problems I see:
1. How do they know how far the arm is moving if they don't know the HDD manufacturer?
2. The write itself is completely done magnetically. How could the actual moment the 1 or 0 is written be heard?
 
  • Like
Reactions: Nenu
like this

ob1

2[H]4U
Joined
Apr 17, 2000
Messages
2,274
I would tell you that is true. I would also say the problem of infection is much smaller than retrieval in air gaps. I don't think it would work either, however I do think the inherent problem of retrieving any information from your infection would require weird out-of-the-box ideas.
 

melteye

[H]ard|Gawd
Joined
Sep 29, 2000
Messages
1,851
If I'm understanding this right, they are using the sounds of the actuator arm to determine how often it's writing and how far the actuator arm is moving.

Problems I see:
1. How do they know how far the arm is moving if they don't know the HDD manufacturer?
2. The write itself is completely done magnetically. How could the actual moment the 1 or 0 is written be heard?

Simpler. They analyze different brands and models and find under what behavior they make audible noise (and often it's similar between drives) and create a database that detects and works with most drives... or since you have to have physical access to install malware and be within range anyways you can test and customize before implementation. Once the software knows what behavior to perform to make that sound it can use it as a single bit.
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,611
If I'm understanding this right, they are using the sounds of the actuator arm to determine how often it's writing and how far the actuator arm is moving.

Problems I see:
1. How do they know how far the arm is moving if they don't know the HDD manufacturer?
2. The write itself is completely done magnetically. How could the actual moment the 1 or 0 is written be heard?


No I don't think so. I think they are using the mechanism to send digital data, not to try and capture what's being written to disk. I don't think I would want to try to capture all the silly log file data and image file data just to try and get something important. Not over such a limited effective bandwidth method. I would want my malware to target very specific things and limit the transfers to those.
 
Top