HOME  |  NEWS  |  BLOGS  |  MESSAGES  |  FEATURES  |  VIDEOS  |  WEBINARS  |  INDUSTRIES  |  FOCUS ON FUNDAMENTALS
  |  REGISTER  |  LOGIN  |  HELP
Blogs
Blog

Malware Thatís Transmitted Through Sound

NO RATINGS
View Comments: Threaded|Newest First|Oldest First
Elizabeth M
User Rank
Blogger
New Threat
Elizabeth M   12/18/2013 8:54:56 AM
NO RATINGS
Well this is fascinating technology but we don't really need another way for malware to be transmitted, do we? It's good to know people don't have to worry about this quite yet nor that much data can be transmitted this way. But who knows what can happen if a clever hacker gets ahold of it and messes with the code.

Nancy Golden
User Rank
Platinum
Re: New Threat
Nancy Golden   12/18/2013 9:52:25 AM
NO RATINGS
I agree, Elizabeth. It puzzles me as to so much time, money, and energy being directed at developing something that seems to say - yes - this can be done. As with any malicious software - the nature of the beast must be known in order to institute countermeasures but was it really necessary to conduct all of that research and develop their own algorithm? Now hackers are aware of audio possibilities they may have not considered before.

78RPM
User Rank
Gold
Re: New Threat
78RPM   12/18/2013 12:38:18 PM
NO RATINGS
I'm taking the Digi-Key Design News class this week on SCADA Security. The instructor Clint Bodungen states that by the time a vulnerability goes public, it has already been in circulation. Publicity is important because it lets the "good guys" know about possible attacks from the "bad guys."

Nancy Golden
User Rank
Platinum
Re: New Threat
Nancy Golden   12/18/2013 12:45:37 PM
NO RATINGS
That is a very good point 78RPM - I am just wondering what justified a full blown effort at developing malware when as they have stated, "However, the scientists have divulged several counter measures that can be put into place to nullify acoustical intrusions, with one being simply to shut off the PCs audio input/output devices. Another method is to install audio filters that are capable of blocking certain high frequency ranges that are used to transmit covert data."

It seems to me that developing countermeasures against known audio technology would not require creating malicious code to test it - audio sent at different frequencies could have provided the same stimulus.

Elizabeth M
User Rank
Blogger
Re: New Threat
Elizabeth M   12/19/2013 10:29:34 AM
NO RATINGS
So as another reader pointed out, then, 78RPM, these sound-based malware threats are already out there and being exploited. What can be done now?

marswalker
User Rank
Iron
Re: New Threat
marswalker   12/19/2013 9:35:12 AM
NO RATINGS
Perhaps not so new?  Though there has been a lot of speculation that "it couldn't possibly be real", BadBIOS is reported to use exactly this kind of vulnerability to re-infect machines while they are being "cleaned" by antivirus software, etc.

Elizabeth M
User Rank
Blogger
Re: New Threat
Elizabeth M   12/19/2013 10:10:05 AM
NO RATINGS
Wow, so this threat is already being exploited it seems, if what you say is true, marswalker.

marswalker
User Rank
Iron
Re: New Threat
marswalker   12/19/2013 10:39:04 AM
NO RATINGS
Here is the article I read this about on at the end of summer: http://www.infosecurity-magazine.com/view/35661/badbios-the-god-of-malware/

78RPM
User Rank
Gold
Re: New Threat
78RPM   12/19/2013 1:51:09 PM
NO RATINGS
Here's another possibility for an attack vector. The attack could be launched from an FM radio station or a PA system.

Charles Murray
User Rank
Blogger
More solutions needed
Charles Murray   12/18/2013 6:20:03 PM
NO RATINGS
I have no objection to studies being done on this, I just wish the studies had included more ways of addressing the problem. Shutting down the audio input/output of the computer isn't a solution. I'd like to hear more about the audio filters they mentioned. As it stands now, we've verified that there is a potential problem, thus providing malicious new ideas for hackers who weren't already aware of it, but we're admitting we don't really know much about the solution. This seems wrong. As 78RPM points out, if the vulnerability is public, circulation of the problem can't be far behind.

William K.
User Rank
Platinum
Re: More solutions needed
William K.   12/19/2013 11:35:52 AM
NO RATINGS
The filters mentioned would not be very complex nor that expensive. All that they need to do is cut off within the audible frequenncy range, or someplace below the high end of the audible spectrum. So unless a device is being used to record music, a cutoff frequency of 5 or 6 kilohetz would render the computer insensitive to any frequency high enough to be inaudible.

And I would point out to those who claim that the computer is not "listening" to it's microphone that they are probably wrong. Windows has so many things going on that we never asked it to do, and would not ever ask it to do, if we had a choice, that it probably is waiting for data at the audio inputs all the time. One option micht be to put some heavy duct tape over the computer's microphone, while another could be to plug a dummy microphone connector into the mic jack, which ought to disconnect the internal microphone. I have not verified that it does that on all brands and models, but it does do it on some computers. 

And it is certain that if there does exist some weakness in the bloated OS there will be some evil hackers exploiting it. That reality has been demonstrated thousands of times.

78RPM
User Rank
Gold
Re: More solutions needed
78RPM   12/19/2013 1:09:01 PM
NO RATINGS
Here's a possible attack vector: Suppose a vendor is working in an area where computers have microphones, e.g., a customer support phone center or a recording studio or a radio station. The vendor is trusted and brings in his laptop to do maintenance.  He turns on an audio file which does some frequency shifting stealth. Most mics' frequency response is 15KHz or even 20KHz but most adults can't hear in that range too well, so a shifting frequency might not be noticed.  A malicious file is transferred into the network where a host has been planted by the malicious vendor to exploit the new file, or the file itself might be wormy enough to be self sufficient.

brhans
User Rank
Iron
Re: More solutions needed
brhans   12/19/2013 3:21:52 PM
NO RATINGS
Are we proposing that windows (or whatever OS) has so much free time that not only is it 'listening' to my microphone, but that it can try all possible demodulation schemes to turn whatever it 'hears' into something resembling data?

Remember that turning data into some sort of waveform to be broadcast out of a speaker needs a modulation scheme. Are we using some sort of simple AM or FM? Something a bit more interesting like one of the many different kinds of QAM or OFDM ? Something else entirely ?

Whatever the scheme is, the receiving end must know what it is before it can even begin to try to demodulate the received 'sounds' back into data.

So if the receiving end is somehow not only 'listening' on the microphone, but also knows exactly what to do what what it 'hears', then you've already been infected with something which can only have arrived over a much less new and exciting vector.

This is not a 'weakness in the bloated OS' waiting to be exploited - it is a functionality which would have to be deliberately added.

All you have to do is actually read the paper linked in Cabe's aticle and you find near the top of the page labeled 760 "All participants must have installed a compatible acoustic communication system, either by infection of a malware or actively installed".

In other words, other than the speaker/microphone hardware, the capability to perform this sort of communication was not already existing and it could there not be used to 'infect' new hosts 'over-the-air' which are not already 'infected'.

William K.
User Rank
Platinum
Re: More solutions needed
William K.   12/19/2013 3:49:56 PM
NO RATINGS
@brhans: do you really believe that you know and are aware of everything that windows is doing all the time? I really do NOT believe that we are privy to that information.

brhans
User Rank
Iron
Re: More solutions needed
brhans   12/19/2013 4:02:03 PM
NO RATINGS
@William K.: just read the research paper which is refered to in the original article.

The scientists had to write and install their own custom-made software before they could do any of this. Their windows was not capable of doing it already.

On the website of the Fraunhofer Institute (where this research was conducted), one of the scientists even says that he is "sceptical that the malware "badBIOS" exists in the manner that was discussed in the technology news articles".

There is no big scary new malware story here. It was hyped out of context. Move on.

 

mrdon
User Rank
Gold
Re: More solutions needed
mrdon   12/19/2013 4:25:26 PM
NO RATINGS
brhans,

 

Although the story could be just a high tech stunt to gain attention for the authors, the potential threat does exist. I'll keep this malware attack on the radar for good measure.

78RPM
User Rank
Gold
Re: More solutions needed
78RPM   12/19/2013 9:14:09 PM
NO RATINGS
@WilliamK and @brhans, From my "handle" you can see that I have a hobby of recording extremely old records as old as the 1890s. I edit the sound files to clean up the scratchy and often terribly noisy -- er noise.  This conversation inspires me to do some experimenting. I'll take a single audio file format -- pick one; wav, aif, mp3, yadda yadda.  I'll take a single high audio frequency and look at the hex file and embed a simple message and see how it affects the audio when I blend it in.  I think it's do-able. The thing to remember is that an attacker knows a lot about his victim, like what radio station he listens to, and what kind of audio files he listens to or records. Any audio file is a binary file; and any binary file can carry a worm. Given that the audio might distort the original, it might take a large number of attempts to get the worm into the target. But persistence succeeds. A worm doesn't need enabling software on the host to do its job.

When you call for product support, remember the voice that says: "This call may be recorded for quality assurance?"  That's your attack vulnerability.  The worm enters the recording and the help desk is attacked.

William K.
User Rank
Platinum
Re: More solutions needed
William K.   12/19/2013 10:40:30 PM
NO RATINGS
78RPM, yes, and thanks for the better explanation of what I had perceived was able to happen. Now we can see at least one mechanism for it to happen.

78RPM
User Rank
Gold
Re: More solutions needed
78RPM   12/20/2013 1:51:39 PM
NO RATINGS
I just got another idea. In the wav file, look for all the zero crossings of the waveform and insert the secret code at each of those points. You would need an exploit program to scan for them. SoundForge offers a way to remove DC component of the sound. So, you ask, if you need exploit software in the target, why not just put the malware there? Well, you might use this as a way of getting a coded message inside the attack target.  Of course, I'm talking about researching this as ethical hacking, not to do mischief.

brhans
User Rank
Iron
Re: More solutions needed
brhans   12/20/2013 8:27:32 AM
NO RATINGS
Sounds like an interesting experiment 78RPM. I would expect that the variability and imprecision in sound playback and recording would make it very difficult  - particularly if it passes through a lossy compression format like mp3. Please keep us posted ...

78RPM
User Rank
Gold
Re: More solutions needed
78RPM   12/20/2013 1:42:45 PM
NO RATINGS
Last night I created a 1575 Hz sine wave (because it's in the audible range and divides evenly into 44,100/sec sample rate. It's a .wav file.  I used a hex editor and selected a particular repeating sequence and changed those bytes to "HELLO WORLD." Then I played the file back through a mic into SoundForge Pro 11.  I looked at the waveform of the original HELLO WORLD file and the recording.  I could see similar peaks but they were a bit distorted after traveling through two transducers (speaker and mic).  It is clear that for any chance of this working, I would have to insert periodic markers (e.g., a series of "HHHHH") so that an exploit software would be able to calibrate the rest of the file (Normalize the volume) to get the coded message to appear.  I haven't gotten that far and I can see that the task would not be trivial but it would make a great research project.

Charles Murray
User Rank
Blogger
Re: More solutions needed
Charles Murray   1/7/2014 6:49:28 PM
NO RATINGS
Good points, William K. A weak OS is the source of a lot of malware/virus problems. Windows XP was far more susceptible to malware than Windows 7, for example. The OS has a lot to do with susceptibility.

brhans
User Rank
Iron
Its all hype
brhans   12/19/2013 9:37:17 AM
I can't imagine how this could ever be a serious vulnerability. In order for the receiving device to be even the tiniest bit succeptible to infection it first needs to be actually listening (which most devices are not) and then even if it were listening, it would need to be doing so in such a way as to make the sound 'information' received executable as code.

The only way this would ever work is if the receiving device already has some sort of software (malware) installed and running to allow this - and if this is already pre-installed, then you've already been infected by more conventional means.

All these 'researchers' have really done is build themselves an acoustic modem which annoys dogs. Acoustic modems in various forms have been around for decades. Whether or not it can successfuly be used to transmit 'malware' is entirely dependant on what is on the receiving end listening. Even the most virulent malware will hit a dead end if it falls on deaf ears.

Its just a communications medium, not a particularly novel or useful one, and doesn't deserve the hype from trying to associate it with malware.

marswalker
User Rank
Iron
Re: Its all hype
marswalker   12/19/2013 2:47:12 PM
NO RATINGS
On the one hand you have a good point - the underlying point is that most computers don't have the ability to "record" or transmit audio-based packets.  But the flip side is most laptops today come with speakers and microphones that are perfectly suited for this kind of exchange, so all that is needed is malware that can use the existing resources.  This is the interesting part of the BadBIOS assertion - computers that were already infected seemed to be able to re-infect affected files while the computer was being "cleaned", even when the wireless cards had been removed and they weren't plugged in via ethernet.  By using subaudible sounds the infected computers were able to retransimt malware between each-other - using "network" packets - that were sent via laptop speakers.

Partner Zone
More Blogs
MITís Senseable City Lab recently announced the programís next big project: ďLocal Warming.Ē The concept involves saving on energy by heating the occupants within a room, not the room itself.
The fun factor continues to draw developers to Linux. This open-source system continues to succeed in the market and in the hearts and minds of developers. Design News will delve into this territory with next week's Continuing Education Class titled, ďIntroduction to Linux Device Drivers.Ē
The new draw-it-on-a-napkin is the CAD program. As CAD programs become more ubiquitous and easier to use, they have replaced 2D sketching for early concepting.
A University of Chicago graduate has invented a compact elliptical trainer that lets people work out at their desk while they work.
New developments in sensors span a wide range of applications in all areas of manufacturing and plant automation.
Design News Webinar Series
7/23/2014 11:00 a.m. California / 2:00 p.m. New York
7/17/2014 11:00 a.m. California / 2:00 p.m. New York
6/25/2014 11:00 a.m. California / 2:00 p.m. New York
5/13/2014 10:00 a.m. California / 1:00 p.m. New York / 6:00 p.m. London
Quick Poll
The Continuing Education Center offers engineers an entirely new way to get the education they need to formulate next-generation solutions.
Aug 4 - 8, Introduction to Linux Device Drivers
SEMESTERS: 1  |  2  |  3  |  4  |  5  |  6


Focus on Fundamentals consists of 45-minute on-line classes that cover a host of technologies. You learn without leaving the comfort of your desk. All classes are taught by subject-matter experts and all are archived. So if you can't attend live, attend at your convenience.
Next Class: August 12 - 14
Sponsored by igus
Learn More   |   Login   |   Archived Classes
Twitter Feed
Design News Twitter Feed
Like Us on Facebook

Sponsored Content

Technology Marketplace

Copyright © 2014 UBM Canon, A UBM company, All rights reserved. Privacy Policy | Terms of Service