Using the microphones and speakers that come standard in many of today's laptop computers and mobile devices, hackers can secretly transmit and receive data using high-frequency audio signals that are mostly inaudible to human ears, a new study shows.
Michael Hanspach and Michael Goetz, researchers at Germany's Fraunhofer Institute for Communication, Information Processing, and Ergonomics, recently performed a proof-of-concept experiment that showed that "covert acoustical networking," a technique which had been hypothesized but considered improbable by most experts, is indeed possible.
Their findings, detailed in a recent issue of the Journal of Communications, could have major implications for electronic security.
"If you have a high demand for information security and assurance, you would need to prepare countermeasures," Hanspach wrote in an email to Inside Science.
In particular, it means "air-gapped" computers — that is, computers that are not connected to the Internet — are vulnerable to malicious software designed to steal or corrupt data.
"This is indeed a newsworthy development," said retired Navy Capt. Mark Hagerott, a cybersecurity professor at the U.S. Naval Academy in Annapolis, Md.
In their experiments, Hanspach and Goetz were able to transmit small packets of data between two air-gapped Lenovo business laptops separated by distances of up to about 65 feet (20 meters). Moreover, by chaining additional devices that picked up the audio signal and repeated it to other nearby devices, the researchers were able to create a "mesh network" that relayed the data across much greater distances. Importantly, the researchers were able to emit and record the ultrasonic and near-ultrasonic frequencies, which cannot be detected by humans, using the sound processor, speakers and microphone that came standard with the laptops.
While not practical for transmitting video or other large files, this low transmission rate is still sufficient for sending and receiving keystrokes and other sensitive data such as private encryption keys or login credentials.