Security-related literature on acoustic communication

From SoniWiki
Revision as of 09:26, 20 March 2017 by Sonicontrol
Name Description Comment Links

Hanspach, M., & Goetz, M. (2014). On covert acoustical mesh networks in air. arXiv preprint arXiv:1406.1213.

Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilizes audio modulation/demodulation to exchange data between the computing systems over the air medium. The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilizing the ultrasonic frequency range. We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a meshed botnet or malnet that is accessible via inaudible audio transmissions. Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analyzing audio input and output in order to detect any irregularities.

The authors show that acoustic information exchange is a security threat. They build an acoustic botnet-like network that relays information across several local devices to an Internet-connected device. As protection against exploitation via ultrasonic signals, they recommend lowpass filtering.

They state: "A more advanced approach might be to implement an audio intrusion detection system (IDS) as an operating system guard that does not only filter along predefined settings but supports methods for detection of modulated audio signals and handling input and output based on the signal characteristics." This is what the SoniControl Project is trying to realize!

https://arxiv.org/abs/1406.1213

Carrara, B., & Adams, C. (2016). Out-of-Band Covert Channels—A Survey. ACM Computing Surveys (CSUR), 49(2), 23.

A novel class of covert channel, out-of-band covert channels, is presented by extending Simmons’ prisoners’ problem. This new class of covert channel is established by surveying the existing covert channel, device-pairing, and side-channel research. Terminology as well as a taxonomy for out-of-band covert channels is also given. Additionally, a more comprehensive adversarial model based on a knowledgeable passive adversary and a capable active adversary is proposed in place of the current adversarial model, which relies on an oblivious passive adversary. Last, general protection mechanisms are presented, and an argument for a general measure of “covertness” to effectively compare covert channels is given.

A broad, high-quality survey of covert signals in general (audio, light, vibration, magnetic, RF, temperature). Good survey of related work on ultrasound communication and on using ultrasound as a covert signal. They further present a taxonomy of covert channels.

Concerning detection of modulated signals they state: "Carrara and Adams [2015b] that wideband techniques can be employed by a passive device to easily detect “covert” signals by checking the spectrum for abnormally high peaks of energy in areas of the spectrum where the energy is typically lower (e.g., in the ultrasonic spectrum)."

And further: Other defence mechanisms that should be further explored include wideband and narrowband jamming, depending on the modulation scheme used by the covertly communicating partners [Proakis 2008].

http://dl.acm.org/citation.cfm?id=2938370

Do, Q., Martini, B., & Choo, K. K. R. (2015). Exfiltrating data from Android devices. Computers & Security, 48, 74-91.

Modern mobile devices have security capabilities built into the native operating system, which are generally designed to ensure the security of personal or corporate data stored on the device, both at rest and in transit. In recent times, there has been interest from researchers and governments in securing as well as exfiltrating data stored on such devices (e.g. the high profile PRISM program involving the US Government). In this paper, we propose an adversary model for Android covert data exfiltration, and demonstrate how it can be used to construct a mobile data exfiltration technique (MDET) to covertly exfiltrate data from Android devices. Two proof-of-concepts were implemented to demonstrate the feasibility of exfiltrating data via SMS and inaudible audio transmission using standard mobile devices.

Data exfiltration from Android devices via ultrasonic channel

http://www.sciencedirect.com/science/article/pii/S016740481400162X

Carrara, B., & Adams, C. (2014, November). On acoustic covert channels between air-gapped systems. In International Symposium on Foundations and Practice of Security (pp. 3-16). Springer International Publishing.

In this work, we study the ability for malware to leak sensitive information from an air-gapped high-security system to systems on a low-security network, using ultrasonic and audible audio covert channels in two different environments: an open-concept office and a closed-door office. Our results show that malware installed on unmodified commodity hardware can leak data from an air-gapped system using the ultrasonic frequency range from 20 kHz to 20.5 kHz at a rate of 140 bps and at a rate of 6.7 kbps using the audible spectrum from 500 Hz to 18 kHz. Additionally, we show that data can be communicated using ultrasonic communication at distances up to 11 m with bit rates over 230 bps and a bit error rate of 2 %. Given our results, our attacks are able to leak captured keystrokes in real-time using ultrasonic signals and, using audible signals when nobody is present in the environment - the overnight attack, both keystrokes and recorded audio.

The authors demonstrate how to leak information via ultrasonic sound transmission.

Data transmission up to 11 m with 230 bps

http://link.springer.com/chapter/10.1007/978-3-319-17040-4_1

Hanspach, M., & Keller, J. (2014). On the implications, the identification and the mitigation of covert physical channels. 9th Future Security, 563-570.

Covert physical channels use physical means like optical emissions or acoustic wave propagation to connect isolated operating system compartments within the same computing system and independent devices that are physically separated by air gaps. We extensively discuss the implications, the identification and the mitigation of these covert physical channels. For the purpose of identifying covert physical channels during the ...

The authors present an overview of different covert channels (acoustic, ultrasonic, visual) and characterize them

http://www.fernuni-hagen.de/imperia/md/content/fakultaetfuermathematikundinformatik/pv/urn_nbn_de_0011-n-3073834.pdf

Deshotels, L. (2014). Inaudible sound as a covert channel in mobile devices. In 8th USENIX Workshop on Offensive Technologies (WOOT 14).

Mobile devices can be protected by a variety of information flow control systems. These systems can prevent Trojans from leaking secrets over network connections. As mobile devices become more secure, attackers will begin to use unconventional methods for exfiltrating data. We propose two sound-based covert channels, ultrasonic and isolated sound. Speakers on mobile devices can produce frequencies too high for most humans to hear. This ultrasonic sound can be received by a microphone on the same device or on another device. We implemented an ultrasonic modem for Android and found that it could send signals up to 100 feet away. We also determined that this attack is practical with the transmitter inside of a pocket. Android devices with vibrators can produce short vibrations which create isolated sound. These vibrations can be detected by the accelerometer, but they are not loud enough for humans to hear. If performed while the user is not holding the device, the vibrations will not be noticed. Both covert channels can stealthily bypass many information flow control mechanisms. We propose several simple solutions to these vulnerabilities. In order to guarantee information flow control, sound-based channels must be regulated.

Ultrasound transmission up to 100 feet

Successful attack with the transmitter inside a pocket

They also use the vibrator of the phone to generate vibrations which can be detected by the mic or the accelerometer

Modulation: frequency shift keying

https://www.usenix.org/system/files/conference/woot14/woot14-deshotels.pdf

Farshteindiker, B., Hasidim, N., Grosz, A., & Oren, Y. (2016). How to Phone Home with Someone Else’s Phone: Information Exfiltration Using Intentional Sound Noise on Gyroscopic Sensors. In Workshop on Offensive Technologies–WOOT.

We show how a low-power device, such as a surveillance bug, can take advantage of a nearby mobile phone to exfiltrate arbitrary secrets across the Internet at a data rate of hundreds to thousands of bits per second, all without the phone owner’s awareness or permission. All the attack requires is for the phone to browse to an attacker-controlled website. This feat is carried out by exploiting a particular characteristic of the phone’s gyroscope which was discovered by Son et al. in [11]. We discuss the theoretical principles behind our attack, evaluate it on several different mobile devices, and discuss potential countermeasures and mitigations. Finally, we suggest how this attack vector can be used benevolently for the purpose of safer and easier two-factor authentication.

They do it the other way round: ultrasonic information is used to stimulate the gyroscope sensor. The sensor starts vibrating. This vibration can be read out by any app or webpage on the phone without asking for permissions (no permissions are necessary for the gyroscope). With this audio-based induction, information can be sent to the phone. A webpage that accesses the gyroscope can read out the bit sequence, decode the information and pass it on to a website.

https://www.usenix.org/system/files/conference/woot16/woot16-paper-farshteindiker.pdf

Sun, D., Wei, D., Zhang, N., Lv, Z., & Yin, X. (2016, May). Network transmission of hidden data using smartphones based on compromising emanations. In Electromagnetic Compatibility (APEMC), 2016 Asia-Pacific International Symposium on (Vol. 1, pp. 190-193). IEEE.

In this paper, we propose a method to obtain the stored in the air-gapped computer with the help of nearby smartphones by intentionally generating loud physical emanations. We can construct a big transmission network connecting a computer and many cell phones by using different kinds of physical emanations. We further demonstrate the scenario by implementing a system using electromagnetic waves and acoustical signals. In this system, covert transmission channels are established between the computer and the cell phones. The microphone and FM receiver of the mobile phone are used to obtain the information. This kind of hidden data transmission method has the characteristics of strong concealment.

Exploit using acoustic transmission

Carrier frequencies: 18-18.5 kHz

Modulation: frequency modulation

They transmit data via radio (FM) at 87 MHz to a smartphone (the headset cable serves as the antenna). From there they send the data over an ad-hoc network of phones by ultrasound.

http://ieeexplore.ieee.org/abstract/document/7523005/