Security researchers Mordechai Guri, Yosef Solewicz, Andrey Daidakulov and Yuval Elovici of the Negev Cyber Security Research Center at the Ben-Gurion University in Israel have devised new ways of eavesdropping data from air-gapped computers. The mechanism involves infecting the target system with malware that generates specific acoustic emissions that contain the sensitive information. Their method has been named as DiskFiltration.
Eavesdropping on air-gapped computers has always been the pinnacle of criminal activity. These are some of the most advanced espionage and information intelligence attacks that use intricate methods to steal sensitive information. Some of the techniques are infected USB drives, acoustic mesh networks, and even radio frequency emissions. The researchers from the Ben-Gurion University have devised a new method that uses specific acoustic signals.
The limitation of the method is that it requires the installation of malware designed to manipulate the HDD actuator arm. Additionally, the attack doesn’t work on SSD drives as they do not contain moving mechanical parts and cannot be made to emit the signal. The software makes the hard disk emit signals that can be decoded using a receiver. The researchers note that the receiver, which can be installed on a portable device like smart phones, can transmit passwords, security encryption keys, user keystrokes, and other sensitive data. The nearby receiver decodes the transmitted acoustic signals and transfers it over a data connection (such as Wi-Fi or mobile data) to the attacker via the network.
The researchers note that this method can be used against isolated systems which contain confidential information or network servers that are heavily protected by security devices. As this is not a physical or network attack, the measures that defend against intrusions are not effective against this type of attacks.
Possible countermeasures include the use of SSD drives as they do not generate acoustic noise. This is a high-cost option that may not be available for all infrastructure owners. Typical HDD servers are still the type of drives that are used across both consumer and professional grade equipment. Using quiet drives or placing them in special enclosures may reduce the risk of DiskFilitration attacks.
Other types of hardware protection include the use of noise detectors that monitor the background noise at specific frequency ranges. Signal jamming may be used in the areas near the server racks. This, however, is not the best approach as they can disturb the work of other equipment.
Software based countermeasure that can be useful employing automatic acoustic management (AAM) features that manage the seek acoustic noise. However, advanced malware and rootkits can manipulate these operations at a very low level and render them ineffective.
Using secure areas for separation of servers that contain sensitive data and employing strict access requirements is one of the best advises that the researchers give.
The complete paper that introduces and discusses the new method is titled “DiskFiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise.”