New Air-Gap Attack Uses MEMS Gyroscope Ultrasonic Covert Channel to Leak Data

A novel data exfiltration technique has been found to leverage a covert ultrasonic channel to leak sensitive information from isolated, air-gapped computers to a nearby smartphone that doesn’t even require a microphone to pick up the sound waves.

Dubbed GAIROSCOPE, the adversarial model is the latest addition to a long list of acoustic, electromagnetic, optical, and thermal approaches devised by Dr. Mordechai Guri, the head of R&D in the Cyber Security Research Center in the Ben Gurion University of the Negev in Israel.

“Our malware generates ultrasonic tones in the resonance frequencies of the MEMS gyroscope,” Dr. Guri said in a new paper published this week. “These inaudible frequencies produce tiny mechanical oscillations within the smartphone’s gyroscope, which can be demodulated into binary information.”

Air-gapping is seen as an essential security countermeasure that involves isolating a computer or network and preventing it from establishing an external connection, effectively creating an impenetrable barrier between a digital asset and threat actors who try to forge a path for espionage attacks.

Like other attacks against air-gapped networks, GAIROSCOPE is no different in that it banks on the ability of an adversary to breach a target environment via ploys such as infected USB sticks, watering holes, or supply chain compromises to deliver the malware.

What’s new this time around is that it also requires infecting the smartphones of employees working in the victim organization with a rogue app that, for its part, is deployed by means of attack vectors like social engineering, malicious ads, or compromised websites, among others.

In the next phase of the kill chain, the attacker abuses the established foothold to harvest sensitive data (i.e., encryption keys, credentials etc.), encodes, and broadcasts the information in the form of stealthy acoustic sound waves via the machine’s loudspeaker.

The transmission is then detected by an infected smartphone that’s in close physical proximity and which listens through the gyroscope sensor built into the device, following which the data is demodulated, decoded, and transferred to the attacker via the Internet over Wi-Fi.

This is made possible due to a phenomenon called ultrasonic corruption that affects MEMS gyroscopes at resonance frequencies. “When this inaudible sound is played near the gyroscope, it creates an internal disruption to the signal output,” Dr. Guri explained. “The errors in the output can be used to encode and decode information.”

Experimental results show that the covert channel can be used to transfer data with bit rates of 1-8 bit/sec at distances of 0 – 600 cm, with the transmitter reaching a distance of 800 cm in narrow rooms.

Should employees place their mobile phones close to their workstations on the desk, the method could be used to exchange data, including short texts, encryption keys, passwords, or keystrokes.

The data exfiltration method is notable for the fact that it doesn’t require the malicious app in the receiving smartphone (in this case, One Plus 7, Samsung Galaxy S9, and Samsung Galaxy S10) to have microphone access, thus tricking users into approving their access without suspicion.

The speakers-to-gyroscope covert channel is also advantageous from an adversarial point of view. Not only are there no visual cues on Android and iOS when an app uses the gyroscope (like in the case of location or microphone), the sensor is also accessible from HTML via standard JavaScript.

This also means that the bad actor doesn’t have to install an app to achieve the intended goals, and can instead inject backdoor JavaScript code on a legitimate website that samples the gyroscope, receives the covert signals, and exfiltrates the information via the Internet.

Mitigating GAIROSCOPE requires organizations to enforce separation policies to keep smartphones at least 800 cm away or more from secured areas, remove loudspeakers and audio drivers from endpoints, filter out ultrasonic signals using firewalls SilverDog and SoniControl, and jam the covert channel by adding background noises to the acoustic spectrum.

The study arrives a little over a month after Dr. Guri demonstrated SATAn, a mechanism to jump over air-gaps and extract information by taking advantage of Serial Advanced Technology Attachment (SATA) cables.