A research team from Israel’s Ben-Gurion University of the Negev ‘s cybersecurity research center has discovered a new way of data extraction from air-gapped computers via using passive devices like earbuds, earphones, headphones, and speakers.

Now, the same research center has claimed to be able to use computer speakers and headphones to act as microphones and receive data. The devices can be used to send back the signals and make the otherwise safe practice of air-gapping less secure.

As per the new technique [PDF], data is extracted in the form of inaudible ultrasonic sound waves and transmission occurs between two computers installed in the same room while data is shared without using microphones.

The research team created a custom protocol to carry out data transmission between two computers. One of them would be air-gapped while the other is connected to the internet and used to further relay the data. Through the attack, researchers claim to carry out speaker-to-headphone, headphone-to-headphone, and speaker-to-speaker data exfiltration.

Findings of this research were published by ArXiv on Friday in an academic paper titled “MOSQUITO: Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-Speaker Communication.” Researchers explained that their research shows how speakers can secretly be used to carry out data transmission between unconnected computers located within a distance of 9 meters.

The reason why they used speakers is that these can be considered microphones working in reverse order; speakers convert electronic signals into acoustic signals whereas microphones convert acoustic signals into electric. The conversion is assisted by a diaphragm in each of these devices, which can be used to reverse the process. This process of reversing the mechanism of a device like a speaker is called jack retasking.

A majority of new audio chipsets can be used for jack retasking (like those from Realtek) because these offer an option of altering the audio port function through software. Malware can be used to reconfigure a speaker or headphone so that it acts like a microphone given that the device is unpowered and passive. The paper reads:

“The fact that loudspeakers, headphones, earphones, and earbuds are physically built like microphones, coupled with the fact that an audio port’s role in the PC can be altered programmatically, changing it from output to input, creates a vulnerability which can be abused by attackers.”

In the MOSQUITO attack, the malware researchers used infected an air-gapped computer and could also be used to modulate or transform locally stored documents into audio signals. These signals could easily be relayed to another computer using headphones, earbuds or speakers.

The receiving computer would also be infected with malware and will convert connected speakers or headphones using jack retasking technique to make them serve as a microphone. The catch is that most of the PCs now have passive speakers while these have active, powered headphones, earbuds, and speakers.

“The main problem involves headphones, earphones, and earbuds since they are reversible and can become a good pair of microphones (even when they don’t have an integrated mic at all),” stated head of R&D at Ben-Gurion University’s research center and co-author of the paper Mordechai Guri.

Researchers could achieve data transmission successfully at the rate of 166 bit/sec using frequencies ranging between 18 to 24 kHz. There was just a 1% error rate when data was transmitted to a 1kb binary file within a distance of 3meters. If the distance is increased to up to 9 meters, a 10 bit/sec transmission rate was achieved with the same error rate.

The authors also provided various mitigation techniques but admitted that all had their limitations. These techniques included designing speakers and headphones equipped with onboard amplifiers to prevent their use as a microphone.

Alternately, an ultrasonic jammer can be used and ultrasonic transmissions can be scanned. The software can be developed for preventing jack retasking and using UEFI/BIOS to fully disable audio hardware. Although there is another more practical solution for disconnecting the headphones or speakers it is not a very feasible method. While Guri believes that monitoring ultrasonic band is a much more practical and reliable solution but when applied, it is bound to raise false alarms.

At the moment, the attack method is being further assessed and is only in its experimental stages. But, there is every potential that it could be used in the wild at some point in the future. Remember, Ben-Gurion University is home to some creative hacks that led to data extraction such as the USBee hack, AirHopper, and BitWhisper, etc.