Air gap breached by disk drive noise

Researchers from Israel's Ben-Gurion University of the Negev Cyber Security Research Center have found a way to exfiltrate information from a PC using the noise created by hard disk drives. In work detailed here (PDF) at ArXiv, the researchers explain how they've created malware that “can generate acoustic emissions at …

  1. Myvekk

    I remember a program called "floppy music", that played the William Tell Overture on a 5.25" drive on the Apple ][ Plus.

    Very different frequencies, and different drives, but the same principle. New applications for old ideas! Technology and sneaky thinking!

    What was that saying about youth & intelligence always falling before old age and treachery? :-p

    1. MrT

      Floppy disk orchestra...

      ... I read recently about a 64-disk setup playing the Star Wars Imperial March, but this 8-disk version is pretty good...

      1. davidp231

        Re: Floppy disk orchestra...

        An excellent choice... I frequent that particular channel often. He's also done the music to E1M1 of DOOM with floppies... sounds pretty good.

      2. Tony Haines

        Re: Floppy disk orchestra...

        In that spirit, attackers could try a psychological attack:

    2. Ken Moorhouse Silver badge

      Re: I remember a program called "floppy music",

      I hope the outcome for your Apple, having played this tune, was more favourable than the subject of William Tell's aim.

  2. Charles 9

    But still, I wouldn't really start worrying until someone found a way to make an airgapped computer exfiltrate data without installing anything in it first, allowing it to work on a pristine or even read-only boot image.

    1. Anonymous Coward

      "But still, I wouldn't really start worrying until someone found a way to make an airgapped computer exfiltrate data without installing anything in it first, allowing it to work on a pristine or even read-only boot image."

      You mean like compromised BIOS firmware with secret partitions on them, or remote HP ILO features with zero day exploits, or hidden instruction sets in Processors....

      Just because it doesn't have an o/s installed, doesn't mean it can't be compromised.....

  3. Magani

    Security? What security?

    If someone's managed to get physically close enough to install malware on an air-gapped PC, your security is already compromised.

    1. Anonymous Coward

      Re: Security? What security?

      Air gapped doesn't mean that no data goes in. It's normally the case that you're interested simply in stopping stuff leaking back out. So if one can smuggle some malware like this in through one of the user's regular uploads, or free USB stick given out at a trade show, etc.

      I have to say that it's ridiculous how many such things seem to place the low and high side of an air gapped system in the same room, or in the same rack, or even in the same chassis even. Rule 101 - they go in different rooms, one of them preferably RF screened..

      1. John H Woods Silver badge

        Re: Security? What security?

        "they go in different rooms, one of them preferably RF screened" -- AC

        And I think there's probably a good argument for making sure they are on different power supplies. I haven't heard of any malware manipulating the power consumption of a server but I would think that you could probably transmit a low bit rate signal on this channel if you tried hard enough.

  4. Anonymous Coward

    Easier solution..

    The good news is that there are simple countermeasures that can stop this attack. The first is to use solid state disks. Another is to tweak AAM settings. Or you could ban smartphones from getting anywhere near air-gapped PCs, which is standard practice in lots of secure areas.

    You could also just add a noise generator - even opening the windows and letting in traffic noise is enough to screw up data collection.

    1. Anonymous Coward

      Re: Easier solution..

      "You could also just add a noise generator - even opening the windows and letting in traffic noise is enough to screw up data collection."

      No, because they can record the traffic itself and mix it back in out of phase to filter it out. Meanwhile, you're allowing the very thing you want to avoid: an opening just waiting for a microphone. You can't have any windows whatsoever (besides that scenario, the window's an ideal surface for a shotgun mic); indeed, the walls should be anechoic so they don't vibrate. The power needs to be isolated so that noise from the mains gets filtered before going outside. Doors need to be airlock style with a guard and a metal detector in between so there's visual or aural access (if you have a metal plate, then I think we have a problem). I mean, doesn't TEMPEST cover a lot of these bases?

      1. Anonymous Coward

        Re: Easier solution..

        "No, because they can record the traffic itself and mix it back in out of phase to filter it out"

        That only works if you record dual microphone and assumes you have enough microphone resolution to pick up the weak HDD sounds despite a membrane saturated with far louder signals. To do that right needs a very expensive set of mikes, and they tend to be a tad too big to install covertly.

        You can also just push pink noise near the hard disks themselves, or play back hard disk sounds recorded earlier at the same time - it's unlikely you'll be able to separate them out.

        That said, I think you're wasting your time being worried about that sort of stuff - that sort of research will be used to foist some stupidly expensive sound proofing on a company that has more money than sense, I can't see this being practical.

        1. Alan W. Rateliff, II

          Re: Easier solution..

          If an accelerometer can pick up vibrations from typing, I suspect that in some conditions it could pick up vibrations from a hard drive, fan, etc. Sound and vibrations are funny things; indeed, yelling at an array of hard drives is enough to interfere with operations.

    2. 1Rafayal

      Re: Easier solution..

      AC, the article mentions using different frequencies. Having the window open may not help, unless the noise leaking through that open window happened to be on the same frequency being recorded.

    3. JeffyPoooh

      Re: Even Easier solution..

      Display the secret password (or whatever) on the screen. Then the nefarious owner of the cellphone can snap a picture of it.

      File this attack vector under 'lame'.

  5. jake Silver badge

    When I was at DEC ...

    ... one of the guys taught the disk drives on a PDP-10 to play music on SA-10 attached IBM Winchesters[0]. Change the input data, and add a non-human listening device and a modem/phone line (or current loop), and presto, same thing as this "new" hack ... from a couple dozen feet away and 1200+ bits per second. In 1979ish.

    Is nobody teaching kids the past anymore? That would be sad, in the old meaning of the word.

    [0] Then he learned to make the washing machine sized disk drives "walk" across the floor ... I had to fire him when he did it in front of Ken Olsen, who was visiting our lab. Was very hard on the hardware ...

    1. Anonymous Coward

      Re: When I was at DEC ...

      ooh, crap. I upvoted jake! I feel so dirty.

      1. allthecoolshortnamesweretaken

        Re: When I was at DEC ... / upvoting jake

        Nothing wrong with a guilty pleasure once in a while, just as long as no-one gets hurt... mine's the one with the - no, ain't gonna tell you.

    2. WolfFan

      Re: When I was at DEC ...

      Feh. The problem with our CDC washtub hard drives wasn't to make them walk across the raised floor in the computer room, it was to get the damn things to not walk. If their little feet weren't set just right they'd go walkies. And it was, indeed, very bad for the hardware. We ended up sticking bits of plywood under them to keep them in place. The boys from Harris (the system vendors) and CDC said that they'd never seen anything like it before. Being unique was an honor we'd rather not have had.

      1. jake Silver badge

        Re: When I was at DEC ...

        Similar problem at SAIL. Got the answer from SLAC: First, ban floor wax[0] from the glass room (that wasn't glass). Pull the floor tiles a few at a time and take them outside. Scuff the Formica with 120 grit on an orbital sander. Dust off tiles with a tack-cloth. Reinstall. No more walkies.

        [0] Yes, kiddies, janitorial staff had the keys to the data center. The stories of cleaning staff unplugging servers (and other critical kit) either on purpose or accidentally aren't apocryphal.

  6. jms222

    You can also get sound out of the fans, the power supply or, wait for it, the dedicated sound-producing hardware and speakers.

    I have heard information can leak from the display, the various LEDs, even the NETWORK INTERFACE.

    Why do people fund this nonsense?

    1. David Nash

      Network interface?

      Er, some of your points are very good ones but isn't the point about an airgapped machine that it doesn't have a network interface?

      1. Tom 7

        Re: Network interface?

        If it hasn't got a network interface what is the method of infection?

        Seems a bit daft putting a piece of software to read out data at a millionth the speed you could steal it anyway if you have access to the machine!

        1. David Nash

          Re: Network interface?

          Well exactly.

        2. Anonymous Coward

          Re: Network interface?

          You can still infect an air gapped machine. One way is if you managed to compromise a USB device that will be plugged into it - that's how the US/Israel got malware into Natanz in Iran to break their centrifuges.

          Another way would be to compromise software they know will be installed on that machine. If you know the air gapped machine is going to run some particular CAD package, you compromise the CAD vendor's build system to include malware and wait for the air gapped system to get updated. The malware would look for certain things to determine if it is on the right machine so it wouldn't trip malware triggers for the masses but only for your air gapped target.

          Obviously this is well beyond the level of a typical hacker, but well within the realm of what a state level actor like the CIA/NSA or China and Russia's equivalents could handle.

          1. wayne 8

            Re: Network interface?

            You forget Mossad, the source.

            1. Anonymous Coward

              Re: Network interface?

              Well I didn't want to bother to list them all, as it would also include not only those but North Korea, GCHQ, and probably France, Germany, Australia, South Africa, South Korea, Japan, and I imagine some others who have well developed targeted hacking abilities who stay under the radar.

    2. eclairz

      The point of funding this, is so you can build it in on the point of manufacture, so now as well as all of the above said individuals will need to screen hardware or build it themselves.

  7. Trollslayer

    Pardon me

    While I stand next to a PC for an hour due to 10bits/sec transfer rate from a head positioner then having to retry because someone in the next cubicle sneezed.

  8. Stevie


    This is why you need fan noise.

  9. Leeroy

    Mission impossible

    If only Ethan Hunt had known about these types of attacks. At the very least he could have avoided removing the man sized air vent cover with a standard socket and dangling into the room getting all sweaty etc.

  10. Rod 6

    People have been using disk drives to transmit audio data for ages:

  11. Herby

    180 bits a minute!!!

    This isn't "light speed" people. For a minimum password (let's say 8 characters), you will need at least 21 seconds assuming no error correction. Add in a user name (another 8 characters) and you get another 21 seconds. So, you need to have your "object" computer doing its thing for a good portion of a minute (assuming no framing marks) to get a simple username/password pair. This means you need to stand around waiting for it to happen somehow, or have a recording device that can be left behind (undetected I assume) that will be able to pick up the sounds.

    Seems highly unlikely to me. Of course I'm not in that kind of business. Sometimes when there is a will, there is a way. Sometimes things can take years to develop, so anything is possible.

    Then again, it might already have been done. We'll never know!!

    1. John Brown (no body) Silver badge

      Re: 180 bits a minute!!!

      "This isn't "light speed" people."

      Correct. It's sound speed. :-)

  12. Cynic_999

    I'm sure lots of things can be achieved in a test environment. If not sound, then blinking lights, or generate RF signals by introducing the appropriate instructions that toggle memory or peripheral signals in a suitable manner.

    It is however a far cry from being able to install something that both works and remains undetected in a real-world working system. AFAICS the threat is orders of magnitude less than simply bunging an employee sufficient £££ and getting them to plug in a USB stick, hardware keyboard recorder or install a video bug etc.

  13. M0neysh0tm1ke

    Seems incredibly stupid

    If you can leave a phone next to a PC, why not just plug a USB in it? How does someone get into a Data Center anyway?

  14. normal1

    So, can we use the HDD sound to store data?

    And use mp3 compression on the resulting data storage?

  15. spot

    Line printers

    NCR 315 prior to decommissioning in 1973, A Walk in the Black Forest played on the line printer which managed to survive the abuse despite being audible rooms away.

  16. Paul 129

    You would think they would notice

    When their PCs start sounding like the imperial theme.

    Mind you I'm always amused that the Israelis are always the ones doing the research into exfiltration.

    I think they know something, that we don't.

  17. James 36


    for info on tempest

    try and get an invite to a demo to see its worth :-)
