A new attack dubbed ‘SmartAttack’ uses smartwatches as a covert ultrasonic signal receiver to exfiltrate sensitive data from isolated systems. These air-gapped systems are commonly deployed in mission-critical environments such as various government facilities and nuclear power plants. Despite this physical isolation, they remain vulnerable to compromise through various insider threats like rogue employees using USB drives. Once infiltrated, malware can operate covertly, using stealthy techniques to modulate the physical characteristics of internal hardware components. This allows it to transmit sensitive data to a nearby receiver without interfering with the system’s normal daily operations.
The SmartAttack method requires malware to somehow infect an air-gapped computer to first gather sensitive information such as keystrokes.
It can then use the computer’s built-in speaker to emit special ultrasonic signals into the immediate surrounding environment. Using binary frequency-shift keying (B-FSK) modulation, the audio signal frequencies can then represent binary data. A frequency of 18.5 kHz represents “0,” while 19.5 kHz denotes a “1,” allowing for data encoding in the signal. Frequencies in this range are inaudible to humans but can still be picked up by a smartwatch microphone worn by a nearby person.
The researchers who developed this attack note that smartwatches use small, lower-SNR microphones compared to typical modern smartphones. This makes the signal demodulation process quite challenging, especially at higher frequencies and also at much lower signal intensities. Even the orientation of the wearer’s wrist was found to play a crucial role in the overall feasibility of this attack. It was found to work best when the watch has a direct “line-of-sight” with the computer speaker that is emitting the signal.
The maximum transmission range is between six and nine meters, and the data transmission rate ranges from 5 to 50 bits per second.
The security researchers say the best way to counter the SmartAttack is to prohibit the use of smartwatches in secure environments. Another effective defensive measure would be to completely remove the in-built speakers from all of the air-gapped computer machines. This particular step would effectively eliminate the entire attack surface for all possible acoustic covert channels, not just this SmartAttack. If none of these security measures are feasible for an organization, then ultrasonic jamming through the emission of broadband noise, software-based firewalls and a technique known as audio-gapping could still prove to be very effective at mitigating this threat.
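
For sites that want to check a room recording for the carriers described above, the following is an added detection sketch, not code from the researchers or from the original article. It measures energy at 18.5 kHz and 19.5 kHz with the Goertzel algorithm and alerts when either tone stays well above a nearby noise floor; the 48 kHz sample rate, reference frequencies, threshold, frame length and the synthetic audio are all assumptions made for the example.

```python
import math
import random

FS = 48_000               # assumed capture sample rate (Hz)
F0, F1 = 18_500, 19_500   # B-FSK tones for "0" and "1", as stated in the article
REFS = (17_500, 20_500)   # assumed quiet reference frequencies for the noise floor
FRAME = 960               # 20 ms frame: 50 Hz bins, so every frequency above is bin-centred

def goertzel_power(frame, freq):
    """Squared DFT magnitude of `frame` at `freq` (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def scan(samples, threshold_db=20.0, min_frames=5):
    """Return (alert, longest_run): alert when a carrier tone stays threshold_db
    above the reference floor for at least min_frames consecutive frames."""
    run = longest = 0
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[i:i + FRAME]
        tone = max(goertzel_power(frame, F0), goertzel_power(frame, F1))
        floor = sum(goertzel_power(frame, f) for f in REFS) / len(REFS) + 1e-12
        run = run + 1 if 10.0 * math.log10(tone / floor + 1e-12) >= threshold_db else 0
        longest = max(longest, run)
    return longest >= min_frames, longest

def ambient(n, seed=1):
    """Constructed room audio: a 1 kHz audible tone plus low-level Gaussian noise."""
    rng = random.Random(seed)
    return [0.2 * math.sin(2 * math.pi * 1000 * k / FS) + rng.gauss(0, 0.01) for k in range(n)]

def with_carrier(base, bits, symbol_len=4800, amp=0.05):
    """Constructed positive case: overlay one 100 ms tone per bit on `base`."""
    out = list(base)
    for b, bit in enumerate(bits):
        f = F1 if bit else F0
        for k in range(b * symbol_len, (b + 1) * symbol_len):
            out[k] += amp * math.sin(2 * math.pi * f * k / FS)
    return out

if __name__ == "__main__":
    quiet = ambient(38_400)
    print("ambient only :", scan(quiet))
    print("with carrier :", scan(with_carrier(quiet, [1, 0, 1, 1, 0, 0, 1, 0])))
```

Requiring several consecutive frames keeps a single noisy frame from raising an alert; a real deployment would need the threshold tuned against the room's own ultrasonic background.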