Acoustic data exfiltration from speakerless air-gapped computers via covert hard-drive noise (‘DiskFiltration’)

Mordechai Guri, Yosef Solewicz, Andrey Daidakulov, Yuval Elovici

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

37 Scopus citations

Abstract

In the past, it has been shown that malware can exfiltrate data from air-gapped (isolated) networks by transmitting ultrasonic signals via the computer’s speakers. However, such a communication relies on the availability of speakers on a computer. In this paper, we present ‘DiskFiltration’, a method to leak data from speakerless computers via covert acoustic signals emitted from its hard disk drive (HDD) (Video: https://www.youtube.com/watch?v=H7lQXmSLiP8 or http://cyber.bgu.ac.il/advanced-cyber/airgap). Although it is known that HDDs generate acoustical noise, it has never been studied in the context of a malicious covert-channel. Notably, the magnetic HDDs dominate the storage wars, and most PCs, servers, and laptops todays are installed with HDD drive(s). A malware installed on a compromised machine can generate acoustic emissions at specific audio frequencies by controlling the movements of the HDD’s actuator arm. Binary Information can be modulated over the acoustic signals and then be picked up by a nearby receiver (e.g., microphone, smartphone, laptop, etc.). We examine the HDD anatomy and analyze its acoustical characteristics. We also present signal generation and detection, and data modulation and demodulation algorithms. Based on our proposed method, we developed a transmitter and a receiver for PCs and smartphones, and provide the design and implementation details. We examine the channel capacity and evaluate it on various types of internal and external HDDs in different computer chassis and at various distances. With DiskFiltration we were able to covertly transmit data (e.g., passwords, encryption keys, and keylogging data) between air-gapped computers to a nearby receiver at an effective bit rate of 180 bits/min (10,800 bits/h).

Original languageEnglish
Title of host publicationComputer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings
EditorsSimon N. Foley, Dieter Gollmann, Einar Snekkenes
PublisherSpringer Verlag
Pages98-115
Number of pages18
ISBN (Print)9783319663982
DOIs
StatePublished - 1 Jan 2017
Event22nd European Symposium on Research in Computer Security, ESORICS 2017 - Oslo, Norway
Duration: 11 Sep 201715 Sep 2017

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10493 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference22nd European Symposium on Research in Computer Security, ESORICS 2017
Country/TerritoryNorway
CityOslo
Period11/09/1715/09/17

Keywords

  • Acoustic
  • Air-gap
  • Covert-channel
  • Exfiltration
  • Hard-disk drive
  • Malware

Fingerprint

Dive into the research topics of 'Acoustic data exfiltration from speakerless air-gapped computers via covert hard-drive noise (‘DiskFiltration’)'. Together they form a unique fingerprint.

Cite this