Air gapping PCs won't stop data sharing thanks to sneaky speakers

Computer speakers and headphones make passable microphones and can be used to receive data via ultrasound and send signals back, making the practice of air gapping sensitive computer systems less secure. In an academic paper published on Friday through preprint service ArXiv, researchers from Israel's Ben-Gurion University of …

  1. Paul Crawford Silver badge
    Windows

    Of course slapping a 15kHz analogue filter on all audio ports would also work.

    Grumpy old man who can't hear beyond that now =>

    1. Andrew Commons

      An appreciation of a good bass player is useful as you get older :)

    2. redpawn

      I just blow a dog whistle the whole time the computer is on.

    3. Christian Berger

      "Of course slapping a 15kHz analogue filter on all audio ports would also work."

      Actually no. You could still use lower frequencies. Thanks to spread spectrum technologies you can make that less silent than the fans. All you would hear is a very soft noise from your speakers. You couldn't even be sure if that actually came from the speakers or some fan running at low speed.

      What you can do is of course to install an amplifier between the sound chip and your speakers/headphones so information can only travel one way and turn off your microphones when you don't need them.

      Also don't run malware and don't allow Javascript to access the sound devices.

  2. Anonymous Coward
    Anonymous Coward

    Before I even clicked the article I knew exactly where this "research" was from. Do tell? How do you get the malware on the air gapped pc in the first place? The point of air gapping a pc is that it never touches the internet, ever. I can't wait till the next exciting episode where they use the mouse laser to send morse code or detect passwords by key sounds.

    1. My other car WAS an IAV Stryker

      "Before I even clicked the article I knew exactly where this "research" was from."

      Yeah, weren't they the ones who tested offloading data optically from hard drive LED flashes?

      1. Anonymous Coward
        Anonymous Coward

        Yep and also power supply hums to steal encryption keys along with the monitor frequency hack that allowed you to extract jpegs using nothing but a camera.

        I'm not sure if I'm projecting my sarcasm properly here, it's difficult when posting anonymously.

        1. ratfox
          Meh

          Probably their next paper will be about extracting data from an air-gapped PC by training a camera at the screen while it displays information.

          1. Andrew Commons

            Re: training a camera at the screen while it displays information

            Just make the screen flicker a bit.

          2. Anonymous Coward
            Anonymous Coward

            Shhh, don't give them ideas, they are master hackers after all.

    2. Petey

      The keyboard sounds one has already been done 8 years ago - https://www.inf.ed.ac.uk/publications/thesis/online/IM100855.pdf

    3. jake Silver badge

      Be nice!

      BGU was ranked between 101st and 150th overall in computer science for four consecutive years!

      (According to The Shanghai Ranking Consultancy's 2015 Academic Ranking of World Universities in Computer Science, whatever the hell that means.)

    4. big_D Silver badge

      The other thing is, most air-gapped PCs don't have speakers attached either, at least in my experience.

      They are there to control some industrial equipment, so they don't generally need speakers (and a majority of late have also been fanless, which knocks out the 2nd attack form)...

      But, yes, the question is, how do you infect the air-gapped PC in the first place? If you have properly air-gapped it, it can't be infected...

      1. Christian Berger

        "But, yes, the question is, how do you infect the air-gapped PC in the first place? If you have properly air-gapped it, it can't be infected..."

        License key update via USB.

    5. Anonymous Coward
      Anonymous Coward

      "How do you get the malware on the air gapped pc in the first place?"

      Quite. And if they've managed that it's game over anyway. Also if it's a laptop you have full control of you might just as well use the built in microphone to receive data instead of fannying about with the speakers. That's assuming for some reason the malware can't switch on the built in wifi!

      This research is interesting from a technical point of view but virtually irrelevant from a security one.

    6. Anonymous Coward
      Anonymous Coward

      It's easy to get the malware on these days.

      In the middle of the night, one PC says "Hey Cortana, download https://dodgy.site.com/malware.msi"

    7. This post has been deleted by its author

    8. Stuart Castle Silver badge

      "How do you get the malware on the air gapped pc in the first place? The point of air gapping a pc is that it never touches the internet, ever"

      The problem with that is it only takes one person to make a mistake, and the Malware is in the system. Stuxnet got into a secure Nuclear facility. From what I understand, all it took was for a Siemens engineer to open an infected document on his laptop at home, then plug the laptop into the secure network. Even just plugging a USB into an infected computer, then into an airgapped computer is entirely possible.

  3. Anonymous Noel Coward
    Trollface

    I sometimes like to say "I know you're listening." randomly just to fuck with them.

    1. Anonymous Coward
      Anonymous Coward

      You are looking for Diplomatix.

    2. Anonymous Coward
      Anonymous Coward

      I once had to wave and type "I see what you did" on the screen... only to notice I had hit the one laptop shortcut that launches the camera app.

      It was late, there may have been beer, and for 5 seconds I thought the NSA *was* watching.

      1. wyatt

        You'll be fine, you've your camera counter measure in place haven't you...?

  4. elDog

    I suppose someone will tell me next that my LED screen/light-bulb is watching me...

    The reflections off my eyeballs - where I'm looking. Or the bodies in front of the screen moving about a room - infrared included.

    While this seems silly given current consumer technology it certainly seems possible and possibly being actively developed.

    1. This post has been deleted by its author

    2. cortland

      Re: I suppose someone will tell me next that my LED screen/light-bulb is watching me...

      Some years ago, there was an article – I don't recall where – about recovering data off screens by looking at the illumination of window blinds or curtains from a distance.

      This may be easier with low resolution screens, as detection of individual pixels will be easier at the slower pixel rate.

  5. Eddy Ito

    Does anyone else have a sense of deja vu?

    1. Andrew Commons

      Deja vu all over again

      Sure did. And it was also reported on The Register.

      https://www.theregister.co.uk/2013/12/05/airgap_chatting_malware/

    2. JeffyPoooh
      Pint

      Does anyone else have a sense of deja vu?

      Yes.

      Yes.

  6. Doctor Syntax Silver badge

    You're all forgetting the purpose of this research: published papers.

  7. Stuart Halliday

    1 bit per sec? This is a joke right?

    1. Anonymous Coward
      Anonymous Coward

      80000 bits is enough for anyone though.

    2. Andrew Commons

      Fast enough...

      You can get a big crypto key out in less than an hour.

  8. adnim

    Theory and in practice?

    Audiophile speakers and professional studio quality microphones, just may be able to communicate in the 18khz to 24khz range. The roll off on professional kit in this range is, I guess between ±3dB and ±6dB, it's been years since I worked in a studio.

    Your average consumer microphone and PC/laptop speakers I believe would need to communicate with each other at a volume and frequency range a human... even an old one like me, could hear.

    1. Grikath

      Re: Theory and in practice?

      yup...

      Especially given the directionality of high frequency sound, and the fact that the speakers would generally not be aimed at each other...

      You'd need to put out some serious volume to get anywhere. Well into hearing range of all but the most disco-deaf.

    2. Anonymous Coward
      Anonymous Coward

      Re: Theory and in practice?

      "...in the 18khz to 24khz range."

      kHz! The H in Hz is a capital letter.

      Many thanks.

      Kind regards

      -Heinrich

      1. Anonymous Coward
        Joke

        Re: Theory and in practice?

        khz = kilo-heinz. It measures the ratio between a mixture's liquids to solids where one heinz is approximately the same as a tin of beans.

      2. Adam 1

        Re: Theory and in practice?

        Hz needs an El Reg alternative to avoid all this confusion.

        1. the spectacularly refined chap
          Paris Hilton

          Re: Theory and in practice?

          I nominate the boing. The average rate you'd pound this at --->

        2. Jason Bloomberg Silver badge

          Re: Theory and in practice?

          Hz needs an El Reg alternative to avoid all this confusion.

          I propose the "Ouch".

          1. stephanh

            Re: Theory and in practice?

            I propose the kilometer per second per megaparsec which, as we learned the other day, is used to express the Hubble non-constant. It's about 30 zeptohertz.

      3. Smoking Man

        Re: Theory and in practice?

        Hey, Heinz, you spelling block warden,

        congratulations, you found something.

        Now troll off back to the Heise forum, to the rest of your kind.

  9. a_yank_lurker

    Relevance

    The theoretical problem the 'researchers' posed is nonsense. At the distance one has to be for a decent transfer speed, one may as well be sitting at the keyboard. They also miss the point of air-gapping: the computer is isolated from the most dangerous external threats. For an air-gapped computer to be compromised one would need physical access which limits the number of people dramatically to maybe a handful. Exploits with an effective range of a few meters that can easily be blocked (play music in the room) are not worth worrying about.

    1. Andrew Commons

      Re: Relevance

      The people who build them and ship them have physical access so that's one hell of a big handful.

      1. Doctor Syntax Silver badge

        Re: Relevance

        "The people who build them and ship them have physical access so that's one hell of a big handful."

        So what do you do, compromise all of them in hope that you'll eventually find one online that shares a room with an air-gapped one you're interested in? However, just to be on the safe side, if you're installing an air-gapped machine make sure it's a different make to any others in the room.

        1. Andrew Commons

          Re: Relevance

          @Doctor

          With just in time manufacturing you could get quite specific. And if you stuffed something in the BIOS then infecting everything is no big deal. Compromise the machines you are potentially interested in at source. You just need a listening device not another machine in the same room and you can build that into the wall.

    2. Mark 85

      Re: Relevance

      Nah... not "nonsense". Someone got a paper published. Someone got a degree. Someone got some funding. It's all good. Now we just need to define "good".

    3. skwdenyer

      Re: Relevance

      Just because in your mind the case does not exist, does not mean the case does not exist.

      In many industries, PCs are tools, with an expected life in decades. Medical equipment, CNC machines, whatever. Air gapping there is all about simply not connecting them to the internet / a network (BSG75 style) - we're not talking national security.

      The threat is therefore not theoretical. Infection vector is an issue, of course, but even those old machines need updating sometimes, with a (potentially infected) USB stick say.

      Fast forward a few steps and find deep learning embedded into malware - searching for the best form of comms... This research is actually useful, because it forces those who need to think about these things for their situations to think further about every part of the machine (not just the ethernet jack).

  10. Anonymous Coward
    Anonymous Coward

    r/badBIOS

    There is a Reddit site that has been up for several years since "BadBios" was first proposed.

    Some users of the site claim to have fallen victim to strange and unusual ongoing attacks.

    It is not for me to say if the commentards are victims from actual malware attacks or victims of a form of mental stress brought on by the never ending "whack-a-mole" that is computer security or adverse reaction to revelations of government surveillance. They are victims nonetheless.

    https://www.reddit.com/r/badBIOS/

  11. Anonymous Coward
    Anonymous Coward

    Alexa

    ME: "Alexa, can my air-gapped PC be compromised by a speaker?"

    Alexa: "Of course not, don't be silly."

    1. Andrew Commons

      Re: Alexa

      You forgot to add the spooky laughing.

      1. Steve Davies 3 Silver badge

        Re: Alexa: spooky laughing

        You forgot to add

        followed by a huge uptick in data sent out to an Amazon controlled IP address as your Alexa device starts a security erase of its onboard storage...

    2. Adam 1

      Re: Alexa

      Siri, can my air-gapped PC be compromised by a speaker?

      Tomorrow's weather in Turkmenistan is cloudy.

      What the, Siri, can my air-gapped PC be compromised by a speaker?

      The best drink to accompany a steak is a red wine.

      Errrrrr, Siri, CAN my air-gapped PC be compromised by a speaker?

      Would you like to hear about my notch?

      Screw it.

  12. teknopaul

    Sniffob

    Not sure it really takes "boffins" to work out that you can communicate through the air with sound.

    It requires someone who spends too much time on their own in their bedroom "hacking" to forget that.

    1. Tikimon
      Facepalm

      Re: Sniffob

      They didn't forget anything, and you seem to have totally missed the point. The trick is that they are doing it with things not normally used to communicate over a distance, and also being used in ways they were not designed for. It's a bit more involved than "you can communicate through the air with sound."

      It's like using a microwave oven to transmit data to a baby monitor (which natively uses a different frequency of EM). Would that invent microwave communication? Not at all, but it certainly would do it in a new way with things never intended to perform that task. Get it now?

      1. GIRZiM

        Re: Sniffob

        Actually, the use of speakers/headphones as microphones is old news, not new at all.

        I did it myself thirty years ago.

        Yeah, the fidelity was so bad that the use of the word 'fidelity' is a bit of a crime against the English language but that's not the point - this is not a new way to do anything.

  13. Pascal Monett Silver badge
    Thumb Down

    "air gapping sensitivite computer systems less secure"

    Okay, let's envision the scenario :

    Sensitive computers, accessing and containing essential company information, used by the few individuals accredited by the company to have access to and manage that information. And you want me to think that those people are going to have the speakers working on those sensitive machines ? Because obviously what they want to do is listen to music all day long. Or some other nonsense explanation.

    Look, either we're talking about a mom & pop operation at which point nobody gives a rat's ass what info is on the computer, or we're talking about a company that has dozens of employees in open-space offices all tasked with separate things. You know what happens in open-space offices ? People do not allow their computer to make sounds. They mute them because there's already enough noise what with the phone calls, the colleagues dropping by to talk and/or barging in because operational issue, not to mention the meeting down the hall with fifteen participants, all standing in the middle of a hallway.

    In that kind of environment, if you want some music it is to drown out all the rest of the noise and you're going to do it with a portable music player and earphones, none of which will be attached to the "sensitive" computer.

    Kind of reminds me of the spying photocopier drone story, where a drone was theoretically capable of gathering data from a photocopier - at the condition that there was no obstacle between the drone and the photocopier, that everybody at that level was drunk/stoned enough to be oblivious to the drone and that the wind was not strong enough to blow said drone away however briefly.

    Sure, in your theoretical dream world, a sensitive computer could be hacked via its speakers. Just like one day you might finally get laid. Theoretically.

    1. Anonymous Coward
      Anonymous Coward

      Re: "air gapping sensitivite computer systems less secure"

      "...the spying photocopier drone story..."

      I'm scared of the big On-Site Paper Shredding Truck that comes to shred our sensitive documents.

      The big noisy machine vacuums up all the paper from the Secure Bins [speculation follows] and rapidly scans or photographs both sides of each and every page on the way by (rapidly filling up a 1TB drive),[speculation ends], and then shreds the papers to confetti.

      And they get paid for it.

    2. Anonymous Coward
      Anonymous Coward

      "Because obviously what they want to do is listen to music all day long."

      It's funny how people think that speakers are used to listen to music only.... audio is far more than iTunes, Spotify or stolen MP3s from PirateBay. Maybe a sensitive machine is used for sensitive communications? Or to display sensitive audio/video files?

  14. doublelayer Silver badge

    When would an airgapped machine have speakers

    OK. I don't see many airgapped machines, even when you'd want one. When I do see one, it's never in a convenient open place where you would be able to have lots of other machines around to act as bugs. But most importantly, it doesn't have any useful purpose for which you would need audio input or output. If you do have any, it's using any internal speaker the machine has, which, as the article states, is actively powered. The reason for this: the machine doesn't have any audio to play. You can't put music on it because it's airgapped. So how about we just put in the CD that our prospective user was going to listen to, but instead of an audio CD we just put in a blank one and burn some data onto that. It'll be a lot faster. If you have an airgapped machine and you're listening to music with it, you're not using it correctly. If you have another reason for audio, please enlighten me.

    1. Charles 9

      Re: When would an airgapped machine have speakers

      Audio notifications, handy when you're not actively looking at the screen at the time.

      1. doublelayer Silver badge

        Re: When would an airgapped machine have speakers

        But in that case, wouldn't they come through a speaker, rather than headphones? If you're not looking at the screen, you probably aren't tethered to the machine by a wire, either. Some desktops have a basic built-in speaker, which is powered so not a vector, and that would be fine for the alert chimes. If it didn't, most IT offices I've seen have a collection of cheap speakers that are also usually powered, which are attached to computers that don't have a built-in speaker but need audio output. That also requires you to care about the chimes, which can be useful every once in a while, but not all the time.

        1. GIRZiM

          Re: When would an airgapped machine have speakers

          Of course the speaker is powered - if it weren't, it wouldn't 'speak'.

          That doesn't make it active, however, and active is what costs money, so cheap laptops have passive speakers, not active ones.

  15. Anonymous Coward
    Alien

    Whoopse, whoopse, whoopse,

    Next they will tell us that a device placed near a network cable will detect electromagnetic impulses through the cable and can expose the data,

    Oh whoopse.

    Just as it has been shown that by scraping off the outer coating, fibre optic cable can be spied upon without breaking into the fibre itself.

    Whoopse, whoopse,

    Definition: an air-gap is 'between the ears', it reflects naivety in thinking anything electronic is safe in any way at all.

  16. JWLong

    It's the Nineties all over Again

    Has anyone seen my Furby lately?

  17. Anonymous Coward
    Anonymous Coward

    Amateurs

    Yet another incredibly theoretical, inefficient, and unpractical vulnerability. If I was the researchers' peer, I'd be constantly hacking their systems and publishing their papers early to taunt them.

  18. Anonymous Coward
    Anonymous Coward

    Since you have to physically get to the device...

    ...that has been air gapped, why not just plant a listening device on it, or in the same room? Seems far easier. And since no one saw you, and you defeated all the intruder alarms, why not just sit there and listen because you're probably invisible?

  19. Will Godfrey Silver badge
    WTF?

    Is the sky falling yet?

    I have a speaker working all the time I'm working on the pooter... a pair of them actually... attached to a HiFi, home built by me in the 1970s.

    Should I worry?

    P.S. as kids a mate and me used to use speakers as microphones in an intercom we built.

    1. Anonymous Coward
      Anonymous Coward

      Re: speakers as microphones in an intercom we built

      "P.S. as kids a mate and me used to use speakers as microphones in an intercom we built."

      As kids me and a mate had a Philips Electronic Engineer kit to do exactly that, and quite a few other things too.

      Back in the days when AC126 and AC128 didn't primarily signify two anonymous Register Commentards.

  20. TRT Silver badge

    Acronym?

    Covert

    Ultrasonic

    Network

    Transmission

    Between

    Air

    Gapped

    Systems.

  21. Anonymous Coward
    Anonymous Coward

    Countermeasures

    Airgapping? Why don't I like the sound of that as a countermeasure to this threat allegation? Try this compact portable hard-to-detect device as a trustworthy countermeasure instead:

    https://www.youtube.com/watch?v=8LAhKkPUo_A

    Or maybe just use DevoPS. It cures everything, just like electricity cured everything for the Victorian merchants of snake oil.

    Wtf?

  22. Michael Habel

    wouldn't the EU just love this?

    including designing headphones and speakers with on-board amplifiers (which prevents use as a mic)

    Considering that pretty much anything you'd care to imagine being sold within the EU has been volume capped. ....For your protection™

  23. CertMan
    WTF?

    WTF

    In my experience 'air-gapped' also means in a secure room with no other computers. Often with thick and very solid walls and no windows.

    But then I may have strange experiences, such as being told in 1985 that computer-to-computer communications using ultrasound and single speaker/microphones was not sufficiently difficult to choose as an HND IT project at Leicester Poly. And yet people publish this tripe now for degrees! And they say that degrees are not being dumbed down!

  24. Chairman of the Bored

    E-field coupling through Faraday cage?

    Think there is an error in the article; no way you are getting electric field coupling through a Faraday cage. Magnetic? Yes. With effort and short range. I'm too lazy to check the research myself, but there you go.

    Grumbles something about magnetic coupling from fluorescent light ballasts into instrumentation inside Faraday cage... Screwed up measurements... Perfectly working product stuck in test past deadline fixing what wasn't broke... Feelings of rage... WTF do we have these stupid screw looking bulbs anyways?

  25. Anonymous Coward
    Anonymous Coward

    Disconnect the fucking speakers then!

    That will be £1,000,000 consultancy fees thank you very much!

    1. TRT Silver badge

      Embeds information as a modulation of the 10kHz carrier wave from the "voiceless" PC's HDD. Pwns your £1,000,000 consultancy fee en-route to your bank account.

  26. SiFly

    Physical Access to Computer

    Is Game Over

  27. TrumpSlurp the Troll
    Windows

    Some issues

    I can see that you could have a secure room with two PCs, one connected to the development system and the other connected to the live system. This would allow you to cross check code, log files and the like without having more than an eyeball connecting the two systems. You could test to replicate a fault. You could also have a management centre where secure networks at different levels of security all have a terminal in the same room. Air gapped, but joined in meatspace.

    I can even see that you might be using a standard build of PC to reduce unknowns, and that the secure systems might need audio capability.

    However infecting both PCs with cooperating malware might be a bit of a stretch. Not impossible for an insider to conceal the code on development so that it is eventually shipped as live but very unlikely with code reviews. The software would also have to be permanently active to be able to work on the rare occasions that the secure room was in use. Even then you still have to exfiltrate the data from the less secure system. This also assumes that the bad actor doesn’t have access to the secure terminal.

    So this falls firmly into "am I paranoid enough" territory.

    One more thing to consider when trying to prevent the "one in a million" chance.

    Could make a good film script, perhaps.

  28. J27

    The major stumbling blocks are you need to infect the air-gapped system first, it needs to be close enough to transmit to an un-airgapped and also infected device AND both need to have speakers. The utility is extremely limited.

    If you are involved in state secrets, now might be the time to take a screwdriver to those audio jacks, it's not like you need them for anything anyway.

  29. Anonymous Coward
    Linux

    Sorted!

    Simple solution, just install Linux. The chance of there being a working driver in the distro for a soundcard produced after 2002 is vanishingly small.

  30. Anonymous Coward
    Boffin

    Pnaaaarp attack!

    Just doing some research to demonstrate that a disaffected BOFH could modulate their flatulence, Le Pétomane style, to transmit Strap 4 information they can see on fetid air-gapped PC to a listening device in the room. The practical application is limited only by the robustness of their trousers and availability of beans in the GCHQ canteen.

  31. StargateSg7

    We did this in the late 1980's and 1990's in various Eastern Bloc countries by putting some of the first audio compressor code into the BIOS of the old Adlib and earliest Soundblaster cards on intercepted 80286/80386 PC's made in the Eastern Bloc countries. The extra high capacity RAM (at the time!) we put in was battery backed and separated from the main PC power supply and would capture various Soviet Ministry conversations and other targeted office audio, and then use high frequency soundwaves for transfer to high-end (at the time) volatile micro-storage systems clandestinely attached to unknowingly bugged functionaries who would come near or into the offices (covered up by typical office noises) on their day to day duties. The sonic data would be captured at 8-bit to 12-bit audio at 4000 to 8000 samples per second (i.e. a really low data rate) which we would need to cleanup with high end analog processing (and some digital processing) circuits to get useable voice or teletype data which was meaningfully interpretable and actionable.

    We even bugged the janitor gear with data storage gear which was used as a clandestine Dead Drop for the audio files which were typically less than one megabyte to 10 megabytes in size (that larger number was a HUGE amount of RAM in those days!) When the janitors were in the various offices under watchful eyes of their security minders, the vacuums would typically cover up the data screech tones which were just within human hearing range used as an over-the-air acoustic modem transfer that sometimes happened as fast as within 5 minutes at 9600 to 19.2k baud bit rates. We could pick up teletype/dot matrix printer output (our primary target) and short bots of audio data from over 300 offices in various ministries in multiple Soviet countries using this technique. It was the first use of Speech-to-Text Keyword recognition ever! and this was between 1986 to 1993! INGENIOUS. N'est ce pas?

    This is OLD NEWS! Decades Old!

    1. Anonymous Coward
      Anonymous Coward

      You are 'Q' and I claim my £5

  32. sisk

    Meh

    Can anyone think of any reason to have speakers plugged into a system that's airgapped? Because I can't. This isn't really a viable a means of defeating airgap because most airgapped systems are either not going to have speakers or are going to be in server rooms where any kind of audio communication is going to be drowned out by the noise from fans and ACs.

  33. JeffyPoooh
    Pint

    "...can my air-gapped PC be compromised by a speaker?"

    The way things are programmed these days (promiscuous execution of anything not tied down), you could probably infiltrate malware into a PC by merely reading out its source code using your mouth.

    This very comment itself will probably lock-up a fraction of the world's IT devices. Ready?

    10 GOTO 10

    1. jake Silver badge

      Re: "...can my air-gapped PC be compromised by a speaker?"

      While there are a couple folks who use screen readers here amongst us commentards, they seem to all be clued enough for that kind of thing to not become an issue.

  34. Anonymous Coward
    Anonymous Coward

    My employer's PCs are immune to malware.

    They're so old and slow that there aren't any CPU cycles left for malware.

  35. GIRZiM

    Some Smartarse Title I'll Think of After It's Too late To Change This One

    All those people who think an air-gapped machine would only be found in this environment for those reasons.

    I've been into plenty of places with air-gapped machines in environments so loud the speakers were turned up full whack so that the occasional 'bing' might be heard over all the noise on the factory floor.

    They were cheap, nasty laptops with passive speakers and everything from DOS to WinXP as recently as only four years ago - and they almost certainly still run DOS/XP.

    Why were they running DOS/XP? Because the CAD/control software used to control the machines on the factory floor was that old and that bespoke and wouldn't run on anything later than that.

    Why were they air-gapped? Because the Sysadmins and Network Managers refused to allow them anywhere near the network.

    Why weren't they replaced? Because the downtime required to test new solutions on the floor would have put them out of business.

    Why would anyone want to engage in corporate espionage there? Because these are the leaders in their fields, with blueprints worth millions on those very laptops.

    How would you do it? By paying someone who already works there and has every reason to spend time near the machine enough money to tempt them to do exactly that for you.

    This is, of course, the real world I'm talking about here, not some theoretical reality in which the oldest machine in use was bought last week and runs Win 10-point-two-seconds-ago and the only place people use tech is where some of the cosseted commentards here think it ought to be used because they wouldn't use it anywhere else themselves or work for a business that manufactures physical objects rather than software solutions to problems nobody actually has but might make a great IPO if they can get some VCs to invest first.

    </just sayin'>

    1. doublelayer Silver badge

      Re: Some Smartarse Title I'll Think of After It's Too late To Change This One

      That doesn't really make a case for this article. The computers you mention might be vulnerable to the attack, but the ability for that to work is somewhat questionable, given that said machines would be in a noisy manufacturing area, where interference would be severe. That also presumes that there is another networked machine in close proximity to receive and transmit the data.

      However, the more important point is that you don't need this exotic exploit to steal the data from these machines. You need physical access to get the malware onto the machines. Unless they have a really nice tiny code file that you can type in quickly without attracting attention, you need a disk to put the malware on the machine. Anyone with access and a disk could just copy the sensitive data onto that disk and walk off with it. If you want malware that is capable of staying for a while and sending new data, you are already putting things at risk, but certain types of radio emission would be superior. If those XP laptops have WiFi or Bluetooth chips (I know, turned off, doesn't matter), malware using those will be easier to write and more resilient in the long term. Still, if you have physical access, but just right now and you won't have it again, it might be better to try to access the storage of these valuable documents outside the manufacturing facility. I assume these files are stored on design machines that are newer or at least have a backup. If not, the company is asking for disaster. If so, I might be better served going after that.

      1. GIRZiM

        Re: Some Smartarse Title I'll Think of After It's Too late To Change This One

        Heh, you're assuming that the companies in question were run in a manner that left me thinking anything other than "HOW are you even still in business let alone leaders in your field?"

        What I also wonder is what they're gonna do when machines capable of running the necessary OS are no longer available. Try even emulating the VL-Bus of a 486 some time and see how far you get - it'll happen to DOS and even XP eventually. Then they'll be screwed because there was no investment in new software solutions; the hardware was too old, no-one (not even the original manufacturer of that hardware) had the protocols anywhere sensible, if at all - there's no way they're getting away without retooling the plant.

        Is the approach optimal? I don't know - I'm sure there are cases and situations nobody here has encountered that might make it so. Might someone have time to plug a USB key into a laptop briefly, upload an exploit but not be able to risk being there long enough to download all the data as well? Yes. Might they then use a mobile phone/tablet/whatever to exploit it via the speakers? They might. They might not even be interested in stealing information but simply subtly sabotaging the system (or things it's attached to) in some way so as to give someone else a competitive edge or to simply hinder the progress of the victim/target. There are various possible scenarios. Are some/all of them edge cases? Maybe/Yes, but that's not the point - if you're the one who stands to benefit in some way from it then how edge a case is doesn't concern you; it's your case and you're dealing with it in whatever way works.

        My point here wasn't really about the ins and outs of the exploit but about the comments that "this is nonsense because the only place you'll see an air-gapped machine is <wherever> and the only reason for air-gapping it is <whatever> so it would never happen". They can only come from those with no/limited real world experience. We've all been guilty of it early on in our careers; when I was at university, we were given a task to code a solution to import data from one database and populate a new one with it, accounting for and handling corrupt/incomplete data and my response was irritation at being given such an unrealistic task, that I'd refuse to work with any organisation that couldn't keep on top of its data and keep it straight in the first place and anybody with their head screwed on would do the same as me, so the task was a complete waste of time - it would never happen. Then I went to work irl and found out how real people work there, what they really do and why.

        So, maybe you're right about there being better ways to steal data but maybe not everyone wants to use the exploit to steal data any more than Stuxnet was designed to or, if they do, maybe there are some real world cases in which this is the least worst (possibly even only) way to do it. That was really my point, not how good a solution it might be compared to alternative approaches.
