The gold standard for protecting computer systems—as everyone from the U.S. military to Osama Bin Laden’s ghost well knows—is disconnecting them from the Internet. Called an “air gap,” because prior to wireless networking it literally meant making sure there was no cable physically connecting a computer to the public Internet, this is one of the most drastic, inconvenient, and difficult-to-maintain computer security measures out there. It’s usually reserved for systems that require the very highest levels of security, because it leaves you with a computer system that may be limited in what it can do, but at least it’s absolutely safe. But according to a recent paper by researchers at the Fraunhofer Institute for Communication, Information Processing, and Ergonomics, that gap can be bridged by high-frequency audio signals.
The researchers, Michael Hanspach and Michael Goetz, were able to transmit data between air-gapped laptops up to 19.7 meters (more than 60 feet) apart at a rate of approximately 20 bits per second by using acoustic methods originally developed for underwater communications. In other words, the computers communicated via their built-in speakers and microphones by transmitting inaudible acoustic waves. The paper announcing this prototype comes just weeks after security consultant Dragos Ruiu hypothesized that the “badBIOS” malware he was studying was able to penetrate air-gapped machines in the same manner. Even without Hanspach and Goetz’s confirmation of its feasibility, Ruiu’s claim was enough to unsettle some. At the Defense One conference last month, United States Naval Academy cyber security professor and retired Navy captain Mark Hagerott said the discovery of air-gap jumping technology would “disrupt the world balance of power.”
The basic idea underlying an air gap is that we want to cut off all access to a computer system from the outside world, but, as it turns out, there are lots of ways to access computers even through the air. The name itself is deeply misleading, and it reflects a certain kind of misguided thinking about computer security that comes from carelessly applying the language of physical security to the virtual world. It’s not just that the things we can’t see—the electromagnetic and acoustic waves—can serve as access points for attackers. It’s that we don’t yet have any thorough understanding of what all the possible access points to computer systems are, or what their complete “attack surface” looks like.
Hanspach and Goetz’s research, and Ruiu’s warning, will likely mean that the definition of “air-gapped” is extended yet again—this time so that its implementation includes shutting off audio input and output devices. In the long tradition of mixing archaic physical security metaphors with modern cybersecurity efforts, you can think of it as a sort of modern-day version of Odysseus telling his sailors to plug their ears as they sail past the sirens. As possible defenses against acoustic malware, Hanspach and Goetz also suggest high-frequency audio filtering and audio intrusion detection systems, but these solutions are more complicated to implement and may be less effective.
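One form an audio intrusion detection check could take, as an added example that is not from the article or from Hanspach and Goetz's paper: flag microphone input whose energy sits mostly in a high band for several consecutive frames. The 48 kHz sample rate, 18 kHz cutoff, thresholds and test signals are all assumptions constructed for illustration.

```python
import cmath
import math

RATE = 48000        # assumed capture sample rate (Hz)
FRAME = 256         # samples per analysis frame
CUTOFF_HZ = 18000   # assumed lower edge of the near-inaudible band
ALERT_RATIO = 0.5   # assumed threshold: share of energy at or above the cutoff

def high_band_ratio(frame, rate=RATE, cutoff_hz=CUTOFF_HZ):
    """Fraction of the frame's spectral energy at or above cutoff_hz."""
    n = len(frame)
    # A Hann window limits leakage from loud audible tones into the high band.
    win = [s * (0.5 - 0.5 * math.cos(2 * math.pi * i / (n - 1)))
           for i, s in enumerate(frame)]
    total = high = 0.0
    for k in range(1, n // 2):  # skip DC, stay below Nyquist
        x = sum(w * cmath.exp(-2j * math.pi * k * i / n) for i, w in enumerate(win))
        p = abs(x) ** 2
        total += p
        if k * rate / n >= cutoff_hz:
            high += p
    return high / total if total > 0 else 0.0

def detect(samples, min_frames=3):
    """True if min_frames consecutive frames are dominated by high-band energy."""
    run = 0
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        if high_band_ratio(samples[start:start + FRAME]) >= ALERT_RATIO:
            run += 1
            if run >= min_frames:
                return True
        else:
            run = 0  # a short burst is ignored; a sustained carrier is not
    return False

def tone(freq_hz, seconds, amp=1.0):
    """Constructed test signal: a pure sine tone."""
    return [amp * math.sin(2 * math.pi * freq_hz * i / RATE)
            for i in range(int(seconds * RATE))]

def mix(a, b):
    return [x + y for x, y in zip(a, b)]

# Constructed inputs: ordinary audible content vs. a sustained 20 kHz carrier
# riding on quiet audible background.
SPEECH_LIKE = mix(tone(300, 0.05), tone(1200, 0.05, 0.5))
CARRIER = mix(tone(300, 0.05, 0.2), tone(20000, 0.05))

if __name__ == "__main__":
    print("speech-like:", detect(SPEECH_LIKE), "carrier:", detect(CARRIER))
```

A detector like this only sees what the microphone and sound hardware pass through, so it complements disabling unused audio devices and does not replace it.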
This isn’t the first time we’ve discovered that the machines we thought were protected by an impermeable air gap were, in fact, vulnerable. Stuxnet made headlines in 2010 when it was spread to the air-gapped machines in the Iranian Natanz nuclear facilities using infected USB drives. The realization (or reminder, really) that USB drives could carry malware meant that the notion of air-gapping computer systems was extended to include banning removable media, or filling USB ports with superglue.
Of course, with each such addition to the protocol for thorough air gapping, the practice becomes more and more difficult to maintain. This summer, for instance, it was revealed that Edward Snowden used a flash drive to copy the classified materials he later leaked to the press. Turns out the Department of Defense may have granted thousands of exceptions to its nominal ban on removable media devices. A mandate to shut off all computer audio input and output devices could meet a similar fate, with organizations finding that these tools are necessary for certain important tasks—or employees finding safety measures to be a hassle. More stringent requirements for air-gapping almost inevitably lead to less rigorous implementation and, as the new acoustic malware prototype suggests, we don’t even know yet all of the possible attack vectors for computer systems, or what other basic functions they will mean shutting off and deactivating in the name of greater security.
Trends in social engineering and phishing attacks show that the human users of computer systems are often crucial (and very vulnerable) attack vectors, while research in side-channel attacks on cryptosystems has shown that the power used by computers, as well as the sounds they make, can be used to target encrypted information. In short, audio input and output devices are only the latest in a long list of computer features that turn out to be vulnerable to attack—that doesn’t make the researchers’ discovery any less important or significant, but it does mean that it’s probably far from the final word in air-gap-jumping technology. New attacks will continue to emerge alongside technological improvements—dark reflections of our ingenuity. The security vulnerabilities of computers extend across every dimension, including several we likely haven’t thought of yet, and it would be unwise to rely too heavily on the wax in your ears, or the glue in your computer ports—or the protective cushion of the air.