Security-related literature on acoustic communication
|Hanspach, M., & Goetz, M. (2014). On covert acoustical mesh networks in air. arXiv preprint arXiv:1406.1213.||Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilizes audio modulation/demodulation to exchange data between the computing systems over the air medium. The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilizing the ultrasonic frequency range. We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a meshed botnet or malnet that is accessible via inaudible audio transmissions. Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analyzing audio input and output in order to detect any irregularities.||The authors show that acoustic information exchange is a security threat. They build an acoustic bot-net-like network to transfer information over several local devices to some internet connected device. As a protection against exploits via the ultrasonic information they recommend lowpass filtering.
They state: "A more advanced approach might be to implement an audio intrusion detection system (IDS) as an operating system guard that does not only filter along predefined settings but supports methods for detection of modulated audio signals and handling input and output based on the signal characteristics." This is what the SoniControl Project is trying to realize!
|Carrara, B., & Adams, C. (2016). Out-of-Band Covert Channels—A Survey. ACM Computing Surveys (CSUR), 49(2), 23.||A novel class of covert channel, out-of-band covert channels, is presented by extending Simmons’ prisoners’ problem. This new class of covert channel is established by surveying the existing covert channel, device-pairing, and side-channel research. Terminology as well as a taxonomy for out-of-band covert channels is also given. Additionally, a more comprehensive adversarial model based on a knowledgeable passive adversary and a capable active adversary is proposed in place of the current adversarial model, which relies on an oblivious passive adversary. Last, general protection mechanisms are presented, and an argument for a general measure of “covertness” to effectively compare covert channels is given.
| A broad high-quality survey of covert signals in general (audio, light, vibration, magnetic, RF, temperature). Good survey of related work on ultrasound communication and using ultrasound as a covert signal. They further present a taxonomy of covert channels.
Concerning detection of modulated signals they state: "Carrara and Adams [2015b] that wideband techniques can be employed by a passive device to easily detect “covert” signals by checking the spectrum for abnormally high peaks of energy in areas of the spectrum where the energy is typically lower (e.g., in the ultrasonic spectrum)."
And further: Other defence mechanisms that should be further explored include wideband and narrowband jamming, depending on the modulation scheme used by the covertly communicating partners [Proakis 2008].
|Do, Q., Martini, B., & Choo, K. K. R. (2015). Exfiltrating data from Android devices. Computers & Security, 48, 74-91.||Modern mobile devices have security capabilities built into the native operating system, which are generally designed to ensure the security of personal or corporate data stored on the device, both at rest and in transit. In recent times, there has been interest from researchers and governments in securing as well as exfiltrating data stored on such devices (e.g. the high profile PRISM program involving the US Government). In this paper, we propose an adversary model for Android covert data exfiltration, and demonstrate how it can be used to construct a mobile data exfiltration technique (MDET) to covertly exfiltrate data from Android devices. Two proof-of-concepts were implemented to demonstrate the feasibility of exfiltrating data via SMS and inaudible audio transmission using standard mobile devices.||Data exfiltration from Android devices via ultrasonic channel||http://www.sciencedirect.com/science/article/pii/S016740481400162X|
|Carrara, B., & Adams, C. (2014, November). On acoustic covert channels between air-gapped systems. In International Symposium on Foundations and Practice of Security (pp. 3-16). Springer International Publishing.||In this work, we study the ability for malware to leak sensitive information from an air-gapped high-security system to systems on a low-security network, using ultrasonic and audible audio covert channels in two different environments: an open-concept office and a closed-door office. Our results show that malware installed on unmodified commodity hardware can leak data from an air-gapped system using the ultrasonic frequency range from 20 kHz to 20.5 kHz at a rate of 140 bps and at a rate of 6.7 kbps using the audible spectrum from 500 Hz to 18 kHz. Additionally, we show that data can be communicated using ultrasonic communication at distances up to 11 m with bit rates over 230 bps and a bit error rate of 2 %. Given our results, our attacks are able to leak captured keystrokes in real-time using ultrasonic signals and, using audible signals when nobody is present in the environment - the overnight attack, both keystrokes and recorded audio.||The authors demonstrate how to leak information via ultrasonic sound transmission
Data transmission up to 11 m with 230 bps
|Hanspach, M., & Keller, J. (2014). On the implications, the identification and the mitigation of covert physical channels. 9th Future Security, 563-570.||Covert physical channels use physical means like optical emissions or acoustic wave propagation to connect isolated operating system compartments within the same computing system and independent devices that are physically separated by air gaps. We extensively discuss the implications, the identification and the mitigation of these covert physical channels. For the purpose of identifying covert physical channels during the ...||The authors present an overview of different covert channels (acoustic, ultrasonic, visual) and characterize them||http://www.fernuni-hagen.de/imperia/md/content/fakultaetfuermathematikundinformatik/pv/urn_nbn_de_0011-n-3073834.pdf|
|Deshotels, L. (2014). Inaudible sound as a covert channel in mobile devices. In 8th USENIX Workshop on Offensive Technologies (WOOT 14).||Mobile devices can be protected by a variety of information flow control systems. These systems can prevent Trojans from leaking secrets over network connections. As mobile devices become more secure, attackers will begin to use unconventional methods for exfiltrating data. We propose two sound-based covert channels, ultrasonic and isolated sound. Speakers on mobile devices can produce frequencies too high for most humans to hear. This ultrasonic sound can be received by a microphone on the same device or on another device. We implemented an ultrasonic modem for Android and found that it could send signals up to 100 feet away. We also determined that this attack is practical with the transmitter inside of a pocket. Android devices with vibrators can produce short vibrations which create isolated sound. These vibrations can be detected by the accelerometer, but they are not loud enough for humans to hear. If performed while the user is not holding the device, the vibrations will not be noticed. Both covert channels can stealthily bypass many information flow control mechanisms. We propose several simple solutions to these vulnerabilities. In order to guarantee information flow control, sound-based channels must be regulated.||Ultrasound transmission up to 100 feet
Successful attack with the transmitter inside a pocket
They also use the vibrator of the phone to generate vibrations which can be detected by the mic or the accelerometer
Modulation: frequency shift keying
|Farshteindiker, B., Hasidim, N., Grosz, A., & Oren, Y. (2016). How to Phone Home with Someone Else’s Phone: Information Exfiltration Using Intentional Sound Noise on Gyroscopic Sensors. In Workshop on Offensive Technologies–WOOT.||We show how a low-power device, such as a surveillance bug, can take advantage of a nearby mobile phone to exfiltrate arbitrary secrets across the Internet at a data rate of hundreds to thousands of bits per second, all without the phone owner’s awareness or permission. All the attack requires is for the phone to browse to an attacker-controlled website. This feat is carried out by exploiting a particular characteristic of the phone’s gyroscope which was discovered by Son et al. in . We discuss the theoretical principles behind our attack, evaluate it on several different mobile devices, and discuss potential countermeasures and mitigations. Finally, we suggest how this attack vector can be used benevolently for the purpose of safer and easier two-factor authentication.||They do it the other way round: ultrasonic information is used to stimulate the gyroscope sensor. The sensor starts vibrating. This vibration can be read out by any app/webpage on the phone without asking for permissions (no permissions for the gyroscope are necessary). With this audio-based induction, information can be sent to the phone. A webpage that accesses the gyroscope can read out the bit sequence, decode the information and pass it on to a website.||https://www.usenix.org/system/files/conference/woot16/woot16-paper-farshteindiker.pdf|
|Sun, D., Wei, D., Zhang, N., Lv, Z., & Yin, X. (2016, May). Network transmission of hidden data using smartphones based on compromising emanations. In Electromagnetic Compatibility (APEMC), 2016 Asia-Pacific International Symposium on (Vol. 1, pp. 190-193). IEEE.||In this paper, we propose a method to obtain the stored in the air-gapped computer with the help of nearby smartphones by intentionally generating loud physical emanations. We can construct a big transmission network connecting a computer and many cell phones by using different kinds of physical emanations. We further demonstrate the scenario by implementing a system using electromagnetic waves and acoustical signals. In this system, covert transmission channels are established between the computer and the cell phones. The microphone and FM receiver of the mobile phone are used to obtain the information. This kind of hidden data transmission method has the characteristics of strong concealment.||Exploit using acoustic transmission
Carrier frequencies: 18-18.5 kHz
Modulation: frequency modulation
They transmit data via radio (FM) at 87 MHz to a smartphone (the cable of the headset is the antenna). From there they send the data over an ad-hoc network of phones by ultrasound.
|Brent C. Carrara and Carlisle Adams. 2015b. On characterizing and measuring out-of-band covert channels. In Proceedings of the 3rd ACM Workshop on Information Hiding and Multimedia Security (IH&MMSec’15). ACM, New York, NY, 43–54||A methodology for characterizing and measuring out-of-band covert channels (OOB-CCs) is proposed and used to evaluate covert-acoustic channels (i.e., covert channels established using speakers and microphones). OOB-CCs are low-probability of detection/low-probability of interception channels established using commodity devices that are not traditionally used for communication (e.g., speaker and microphone, display and FM radio, etc.). To date, OOB-CCs have been declared "covert" if the signals used to establish these channels could not be perceived by a human adversary. This work examines OOB-CCs from the perspective of a passive adversary and argues that a different methodology is required in order to effectively assess OOB-CCs. Traditional communication systems are measured by their capacity and bit error rate; while important parameters, they do not capture the key measures of OOB-CCs: namely, the probability of an adversary detecting the channel and the amount of data that two covertly communicating parties can exchange without being detected. As a result, the adoption of the measure steganographic capacity is proposed and used to measure the amount of data (in bits) that can be transferred through an OOB-CC before a passive adversary's probability of detecting the channel reaches a given threshold. The theoretical steganographic capacity for discrete memoryless channels as well as additive white Gaussian noise channels is calculated in this paper and a case study is performed to measure the steganographic capacity of OOB covert-acoustic channels, when a passive adversary uses an energy detector to detect the covert communication. 
The case study reveals the conditions under which the covertly communicating parties can achieve perfect steganography (i.e., conditions under which data can be communicated without risk of detection).||They state that noise over 20 kHz can be considered as additive white noise (AWN)
They discuss in detail an energy-based detector for modulated signals. Prerequisite: the frequency channel must be known.
|Zhou, Z., Diao, W., Liu, X., & Zhang, K. (2014). sc (pp. 429–440). ACM Press.||The popularity of mobile devices has made people's lives more convenient, but threatened people's privacy at the same time. As end users are becoming more and more concerned on the protection of their private information, it is even harder for hackers to track a specific user by using conventional technologies. For example, cookies might be cleared by users regularly. Besides, OS designers have developed a series of measures to cope with tracker. Apple has stopped apps accessing UDIDs, and Android phones use some special permissions to protect IMEI code. However, some recent studies showed that attackers are able to find new ways to get around those limitations, even though these new methods should be improved in order to be practically deployed in large scale. For example, attackers can trace smart phones by using the hardware features resulting from the imperfect manufacturing process of accelerometers. In this paper, we will present another new and more practical method for the adversaries to generate stable and unique device ID stealthily for the smartphone by exploiting the frequency response of the speaker. With carefully selected audio frequencies and special sound wave patterns, we can reduce the impact of non-linear effects and noises, and keep our feature extraction process un-noticeable to phone owners. The extracted feature is not only very stable for a given smart phone, but also unique to that phone. The feature contains rich information, which is even enough to differentiate millions of smart phones of the same model. We have built a prototype to evaluate our method, and the results show that the generated device ID can be used to track users practically.||The authors present a method for identifying smartphones by the unique characteristics of their speakers
First, a special type of audio must be played on the smartphone (does not need any permission)
Next: sound is recorded, analyzed and sent to a server.
The frequency band used is 14-21 kHz (cosine frequencies with a 100 Hz gap)
The frequency response to this sound differs strongly between individual speakers and thus allows recognition of individual smartphones
|D Arp, E Quiring, C Wressnegger, K Rieck||
Device tracking is a serious threat to the privacy of users, as it enables spying on their habits and activities. A recent practice embeds ultrasonic beacons in audio and tracks them using the microphone of mobile devices. This side channel allows an adversary to identify a user’s current location, spy on her TV viewing habits or link together her different mobile devices. In this paper, we explore the capabilities, the current prevalence and technical limitations of this new tracking technique based on three commercial tracking solutions. To this end, we develop detection approaches for ultrasonic beacons and Android applications capable of processing these. Our findings confirm our privacy concerns: We spot ultrasonic beacons in various web media content and detect signals in 4 of 35 stores in two European cities that are used for location tracking. While we do not find ultrasonic beacons in TV streams from 7 countries, we spot 234 Android applications that are constantly listening for ultrasonic beacons in the background without the user’s knowledge.
|Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang, Taimin Zhang, Wenyuan Xu||
Speech recognition (SR) systems such as Siri or Google Now have become an increasingly popular human-computer interaction method, and have turned various systems into voice controllable systems (VCS). Prior work on attacking VCS shows that the hidden voice commands that are incomprehensible to people can control the systems. Hidden voice commands, though ‘hidden’, are nonetheless audible. In this work, we design a completely inaudible attack, DolphinAttack, that modulates voice commands on ultrasonic carriers (e.g., f > 20 kHz) to achieve inaudibility. By leveraging the nonlinearity of the microphone circuits, the modulated low-frequency audio commands can be successfully demodulated, recovered, and more importantly interpreted by the speech recognition systems. We validate DolphinAttack on popular speech recognition systems, including Siri, Google Now, Samsung S Voice, Huawei HiVoice, Cortana and Alexa. By injecting a sequence of inaudible voice commands, we show a few proof-of-concept attacks, which include activating Siri to initiate a FaceTime call on iPhone, activating Google Now to switch the phone to the airplane mode, and even manipulating the navigation system in an Audi automobile. We propose hardware and software defense solutions. We validate that it is feasible to detect DolphinAttack by classifying the audios using supported vector machine (SVM), and suggest to re-design voice controllable systems to be resilient to inaudible voice command attacks.
|Vasilios Mavroudis, Shuang Hao, Yanick Fratantonio, Federico Maggi, Christopher Kruegel, and Giovanni Vigna. On the Privacy and Security of the Ultrasound Ecosystem||Nowadays users often possess a variety of electronic devices for communication and entertainment. In particular, smartphones are playing an increasingly central role in users’ lives: Users carry them everywhere they go and often use them to control other devices. This trend provides incentives for the industry to tackle new challenges, such as cross-device authentication, and to develop new monetization schemes. A new technology based on ultrasounds has recently emerged to meet these demands. Ultrasound technology has a number of desirable features: it is easy to deploy, flexible, and inaudible by humans. This technology is already utilized in a number of different real-world applications, such as device pairing, proximity detection, and cross-device tracking.||This paper examines the different facets of ultrasound-based technology. Initially, we discuss how it is already used in the real world, and subsequently examine this emerging technology from the privacy and security perspectives. In particular, we first observe that the lack of OS features results in violations of the principle of least privilege: an app that wants to use this technology currently needs to require full access to the device microphone. We then analyse real-world Android apps and find that tracking techniques based on ultrasounds suffer from a number of vulnerabilities and are susceptible to various attacks. For example, we show that ultrasound cross-device tracking deployments can be abused to perform stealthy deanonymization attacks (e.g., to unmask users who browse the Internet through anonymity networks such as Tor), to inject fake or spoofed audio beacons, and to leak a user’s private information.||https://ubeacsec.org/#Downloads https://doi.org/10.1515/popets-2017-0018|