Researchers at the School of Cyber Security, Korea University, Seoul, have unveiled a new covert channel attack called CASPER that can leak data from air-gapped computers to a nearby smartphone at a rate of 20 bits/sec.
The CASPER attack uses the target computer's internal speaker as the transmission channel: it emits high-frequency audio that the human ear cannot perceive, carrying binary or Morse code to a microphone up to 1.5 m away.
The receiving microphone can be on a smartphone recording sound inside the attacker’s pocket, or on a laptop in the same room.
Researchers have previously developed similar attacks taking advantage of external speakers. However, isolated air-gapped network systems used in critical environments, such as government networks, power infrastructure, and weapons control systems, are unlikely to have external speakers.
On the other hand, internal speakers that provide audio feedback such as boot beeps are still considered necessary, so they are commonly present, making them better candidates.
Infecting the target
As is the case with nearly all covert channel attacks targeting computers isolated from the network, a rogue employee or stealthy intruder with physical access to the target must first infect it with malware.
Although this scenario may seem impractical or even far-fetched, there have been multiple instances of such attacks being carried out successfully in the past. Notable examples include the Stuxnet worm, which targeted Iran’s uranium enrichment facility in Natanz; the Agent.BTZ malware, which infected a US military base; and the Remsec modular backdoor, which secretly collected information from government air-gapped networks for more than five years.
The malware can autonomously enumerate the target’s file system, locate files or file types that match a hardcoded list, and attempt to exfiltrate them.
More realistically, the malware can perform keylogging, which is better suited to such a slow data rate.
The malware encodes the data to be extracted from the target in binary or Morse code and transmits it through the internal speaker using frequency modulation, producing imperceptible ultrasound in the range between 17 kHz and 20 kHz.
The researchers experimented with the described model using a Linux-based computer (Ubuntu 20.04) as a target and a Samsung Galaxy Z Flip 3 as a receiver, running a basic recording application with a sampling rate of up to 20 kHz.
In the Morse code experiment, the researchers set the length per bit to 100 ms and used 18 kHz for dots and 19 kHz for dashes. The smartphone was located 50 cm away and was able to decode the word “covert” that was sent.
In the binary data experiment, the length per bit was set to 50 ms, transferring zeros at a frequency of 18 kHz and ones at 19 kHz. A start/end bit of 50 ms at 17 kHz was also used to indicate the start of a new message.
Based on the tests, the maximum distance to the receiver is 1.5 meters (4.9 feet), using a bit length of 100 ms.
However, the general results of the experiment show that the length per bit affects the bit error rate, and a maximum reliable transmission bit rate of 20 bits/s can be achieved when the length per bit is 50 ms.
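As an added illustration (not code from the paper or from this article), the following Python decodes the binary scheme described above from a recording; the same window-by-window tone check is what an audio monitor on an air-gapped host could use to flag ultrasonic tone activity. It assumes a 44.1 kHz receiver sampling rate (an assumption, not the paper's setup), the 50 ms bit length and the 17/18/19 kHz tones from the experiment; the signal it analyses is constructed inline.

```python
import math

SAMPLE_RATE = 44_100                     # assumed receiver sampling rate (Hz)
BIT_SECONDS = 0.050                      # 50 ms per symbol, as in the binary experiment
TONES = {"start": 17_000, "0": 18_000, "1": 19_000}   # tone map from the binary scheme

def goertzel_power(window, freq, rate=SAMPLE_RATE):
    """Energy at one frequency bin of `window` (Goertzel algorithm, pure Python)."""
    n = len(window)
    coeff = 2 * math.cos(2 * math.pi * round(n * freq / rate) / n)
    s1 = s2 = 0.0
    for x in window:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def tone(freq, seconds, rate=SAMPLE_RATE):
    """Constructed test input: a unit-amplitude sine at `freq`."""
    return [math.sin(2 * math.pi * freq * i / rate) for i in range(int(rate * seconds))]

def synth_casper_frame(bits, rate=SAMPLE_RATE):
    """Constructed test input: start tone followed by one FSK tone per bit."""
    out = []
    for sym in ["start", *bits]:
        out.extend(tone(TONES[sym], BIT_SECONDS, rate))
    return out

def classify_windows(samples, rate=SAMPLE_RATE):
    """Slice the recording into 50 ms windows and label each by its dominant tone
    (None when no tone from the scheme carries enough energy). A real recording
    would first need its windows aligned to the first start tone."""
    n = int(rate * BIT_SECONDS)
    floor = (0.1 * n) ** 2        # assumed threshold: a full-scale tone scores about (n/2)**2
    labels = []
    for i in range(0, len(samples) - n + 1, n):
        win = samples[i:i + n]
        power = {sym: goertzel_power(win, f, rate) for sym, f in TONES.items()}
        best = max(power, key=power.get)
        labels.append(best if power[best] > floor else None)
    return labels

def decode_message(samples, rate=SAMPLE_RATE):
    """Bits between the first start tone and the next start tone or gap; '' if none."""
    bits, in_frame = [], False
    for sym in classify_windows(samples, rate):
        if sym == "start" and not in_frame:
            in_frame = True
        elif in_frame and sym in ("0", "1"):
            bits.append(sym)
        elif in_frame:
            break                  # a second start tone or a silent window ends the frame
    return "".join(bits)
```

For monitoring rather than decoding, the useful signal is simply any window whose label is not None: audible boot beeps never reach the 17 kHz bin, so sustained activity there is worth an alert.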
At this data transfer rate, the malware could transmit a typical 8-character password in approximately 3 seconds and a 2048-bit RSA key in 100 seconds.
Anything larger, such as a small 10 KB file, would take over an hour to leave the air-gapped system, even under ideal conditions with no interruptions during transmission.
A solution to the slow data rate would be to vary the frequency band for multiple simultaneous transmissions; however, the internal speakers can only produce sound in a single frequency band, so the attack is practically limited.
The researchers shared ways to defend against the CASPER attack, the simplest being to remove the internal speaker from mission-critical computers.
If that’s impossible, defenders could implement a high-pass filter to keep all generated frequencies within the audible sound spectrum, blocking ultrasound transmissions.
If you’re interested in other covert channel attacks against air-gapped systems, check out COVID-bit, which uses power supply to generate electromagnetic waves that carry data.
Other examples of similar attacks are ETHERLED, which relies on the LED lights on the target’s network card to transmit Morse code signals, and one called SATAn, which uses SATA cables as wireless antennae.