Analysis of DiskFiltration: A Novel Acoustic Covert Channel
The paper "DiskFiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise" authored by Mordechai Guri, Yosef Solewicz, Andrey Daidakulov, and Yuval Elovici presents an innovative approach to data exfiltration from air-gapped computer systems. The authors introduce a covert channel that cleverly utilizes the acoustic signals generated by the hard disk drive (HDD) actuator to transmit sensitive information without the need for conventional audio hardware.
Overview
Air-gapped networks are an established security measure used by critical infrastructures to isolate computer systems from public networks. Traditionally considered secure, these systems are vulnerable to data exfiltration through unconventional covert channels. While existing acoustic covert channels typically assume the presence of speakers and microphones for data transmission, DiskFiltration departs from this assumption by harnessing intrinsic HDD noise emissions for the same purpose.
The technique manipulates the seek operations of the HDD actuator arm, which generates acoustic emissions at specific audio frequencies. Digital information is modulated onto these acoustic signals, which are then captured by microphones on nearby devices such as smartphones or laptops, enabling data transfer across the air gap. The modulation scheme is simple: on-off keying (OOK), in which the presence or absence of the acoustic signal represents binary data.
Implementations and Evaluation
The authors have constructed a transmitter capable of producing controlled HDD seek noise and an Android app-based receiver for signal detection and demodulation. Evaluation across various HDD models reveals that data can be transmitted at a rate of 180 bits per minute over distances of up to two meters—significant given the inherent noise level and computational processing required for demodulation. Specifically, the paper details the spectral analysis revealing an informative frequency region around 2050 to 2100 Hz, crucial for optimizing the signal-to-noise ratio (SNR) and thereby enhancing data integrity during transfer.
Implications and Countermeasures
DiskFiltration's implications are twofold, particularly in scenarios involving cyber-physical systems with restricted connectivity and monitored network channels. This research emphasizes the potential for novel attack vectors in ostensibly secure environments, reiterating the need for robust countermeasures. Practical hardware-based countermeasures mentioned include using SSDs to counteract mechanical noise-based attacks or deploying noise detectors to monitor frequency bands for unauthorized signals.
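The noise-detector countermeasure, sketched as an added example (not code from the paper or its authors): it measures energy in the 2050 to 2100 Hz region against a neighbouring reference band and alerts only when that band toggles on and off in an OOK-like pattern. The sample rate, frame size, reference band, thresholds and the synthetic test audio are all assumptions made for illustration.

```python
import math
import random

RATE = 8000                    # monitor sample rate in Hz (assumed)
FRAME = 400                    # 50 ms analysis frames
WATCH = range(2050, 2101, 10)  # band the paper reports as informative
REF = range(1850, 1901, 10)    # neighbouring band used as noise reference (assumed)

def goertzel_power(frame, freq):
    """Signal power at one frequency, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_ratio_db(frame):
    """Watched-band energy relative to the reference band, in dB."""
    watch = sum(goertzel_power(frame, f) for f in WATCH)
    ref = sum(goertzel_power(frame, f) for f in REF)
    return 10.0 * math.log10((watch + 1e-12) / (ref + 1e-12))

def keying_detected(samples, threshold_db=18.0, min_transitions=4):
    """True when the watched band toggles on/off repeatedly (OOK-like),
    as opposed to staying silent or carrying a steady hum."""
    states = [band_ratio_db(samples[i:i + FRAME]) > threshold_db
              for i in range(0, len(samples) - FRAME + 1, FRAME)]
    transitions = sum(a != b for a, b in zip(states, states[1:]))
    return transitions >= min_transitions

def constructed_audio(bits, tone_hz=2075, amp=0.5, seed=1):
    """Constructed test input, not a recording: Gaussian noise plus a
    tone that is present for 0.25 s per 1-bit and absent per 0-bit."""
    rng = random.Random(seed)
    per_bit = RATE // 4
    return [rng.gauss(0, 0.1)
            + bits[n // per_bit] * amp * math.sin(2 * math.pi * tone_hz * n / RATE)
            for n in range(len(bits) * per_bit)]

if __name__ == "__main__":
    keyed = constructed_audio([1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 0])
    print("keyed tone :", keying_detected(keyed))
    print("noise only :", keying_detected(constructed_audio([0] * 16)))
    print("steady hum :", keying_detected(constructed_audio([1] * 16)))
```

Real drive noise is not a clean tone, so the threshold and reference band would need calibrating against recordings of the monitored room before such a detector is relied on.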
Theoretical and Practical Contributions
From a theoretical standpoint, the paper extends the spectrum of potential data exfiltration techniques using non-traditional channels. The method underlines the dynamics of acoustic signals in HDDs, broadening the understanding of how mechanical movements can be repurposed for covert communication. Practically, the research findings necessitate further exploration into security protocols that address such unconventional threat vectors. This work also suggests refinement of existing intrusion detection systems to adaptively mitigate attacks leveraging sub-sonic hardware emissions.
Speculations on Future Developments
Future research may focus on exploring additional non-conventional hardware components' noise as potential vectors for covert channels, enhancing modulation techniques to increase data transmission rates and range, and developing advanced detection methods capable of preemptively identifying and neutralizing such threats in real-time.
In conclusion, DiskFiltration introduces an innovative technique for data exfiltration that does not depend on conventional audio hardware, illustrating a significant stride in the domain of security research related to air-gapped systems. This work not only challenges existing assumptions about isolated network security but also serves as a catalyst for future explorations into hardware acoustics as a covert medium for illicit data transfer.