This is accomplished by utilizing a computer’s covert features—most notably, its ability to broadcast ultrasonic frequencies inaudibly. The speakers of these infected computers are responsible for the transmission of information, while nodes within close proximity capture it. The result is a “mesh network” in which standard security efforts are challenged and often thwarted.
Hence, the idea of “covert acoustical mesh networks” in which malware is capable of jumping distances, or “air-gaps,” is made possible. A similar, platform dependent threat which impacts the basic input and output system (BIOS) of an operating system is issued via BadBIOS exploits.
The concept of an acoustical infection was first introduced in 2013 by computer scientists Michael Hanspach and Michael Goetz of the Fraunhofer Institute for Communication, Information Processing and Ergonomics in Wachtberg, Germany. Their report On Covert Acoustical Mesh Networks in Air (2014) shortly followed. Though the acoustical infection prototype was implemented successfully, its process of acoustic transmission was limited to lines of sight and either faltered or failed in cases of obstruction.
Hanspach and Goetz handled this by adopting the transmission process for underwater acoustic communication, in which transmissions are resent if they go unacknowledged.
By extending this frequency from 4200 Hz to 21 kHz, they discovered that data can be transported more than 60 feet and at a rate of approximately 20 bits per second.
Finally, by implementing a practice known as key logging, keystrokes on the infected machine were monitored and encoded for acoustic transmission. The data was then passed among a number of nodes, described as “infected drones,” until it finally reached the machine of the attacker. In a real acoustical infection use case, the data might then be transported to email or storage device, or possibly even to some distant computer. For an implementation lacking overt healing and integrity properties, this acoustical infection, if properly executed, could certainly prove troublesome.
While the experiment was conducted with five laptop computers, it is conceivable that any number of laptops, desktops or workstations compromised by malware and within the same vicinity would be susceptible to acoustical infections. The main requirements of this exploit involves sound cards and built-in speakers—common components in personal computers.
The fact that network connectivity is not required for an acoustical infection to be implemented makes it that more of threat. Disabling your computer’s microphone and speakers is an obvious but archaic solution for a world where modern technology relies heavily on the human senses. Filtering the ultrasonic frequencies, or perhaps even converting them to audible signals, are also options but leave more to be desired for the average consumer. If nothing else, the acoustical infection exhibits the ongoing challenges of information security and the importance of researching all channels and countermeasures.