Saturday, June 22, 2024

New CASPER Attack Steals Data from Air-gapped Computers Using Internal Speakers

Researchers from the Korea University School of Cyber Security, Seoul, have recently presented a new covert channel attack known as CASPER, which has been developed as part of a research project that is currently in progress.

In addition to this, it has also been reported that the attack may be able to leak data at a rate of 20 bits per second from air-gapped computers to nearby smartphones.

Defining a covert channel in terms of computer security means that it is a channel through which information is transferred through previously unknown channels.

Therefore, this type of communication can be used not only as a means of conveying information safely but it can also be used as a means of secretly transferring that information by encrypting it.

Research has shown that the CASPER attack takes advantage of the internal speakers in the target computer as a means of transferring data into the target system.

It is here where the attackers use high-frequency audio that a human ear cannot hear so that they can transmit binary or Morse code with a microphone up to 1.5m away in order to send high-frequency audio.

Infecting the target

However, this scenario may sound unfeasible, or even far-fetched, but there have been many instances when such attacks have been successful in the past.

While the Stuxnet worm is an infamous example of a cyberattack of this sort. In addition to targeting Iran’s uranium enrichment facility at Natanz, according to reports, the malware has also been linked to infecting a U.S. military base with the Agent[.]BTZ malware just a few days ago.

Over a five-year period, Remsec was found to be using its modular backdoor to collect information from air-gapped networks of government agencies.

Using the malware, the following information about the target can be auto-enumerated:-

  • Filesystem
  • Locate files
  • File types

It is done when a combination of code matches a hardcoded list and then tries to exfiltrate the data from the target system.

Alternatively, it can log keystrokes on a more realistic level, as this is more suitable for slow transmissions, and therefore, the attackers are using this method more frequently.

Experimental Outcomes

Using a Linux-based computer that is Ubuntu 20.04 as the target, the researchers experimented with the described model. In order to be able to use this system, the experts have used a Samsung Galaxy Z Flip 3 which will have a sampling frequency of up to 20kHz, running the basic recorder application on it.

According to the results of the tests conducted, and assuming a length per bit of 100 milliseconds, one can conclude that the maximum distance of the receiver is 1.5 meters, which is a height of 4.9 feet.

It was concluded from the overall results of the experiment that the length per bit determines the bit error rate and that a length per bit of 50 ms will result in a reliable bit rate of transmission of 20 bits/second.

A common 8-character password could be transmitted in about three seconds by a malware program using this data transfer rate, as well as an RSA key with a length of 2048 bits in about 100 seconds by the malware program.

The research that has been conducted has shown that it is possible to make sounds through internal speakers on computers that lack external speakers.

Recommendation

As a result, it has been suggested that organizations be reminded that they may need to take precautions to prevent data from being transferred in this way in the future.

A number of measures can be taken to protect your company against the CASPER attack. The simplest of these measures is to remove the internal speaker from any computer that is crucial to the operation of your company.

However, there might be some possibility, that the defenders can find a way to block ultrasound transmissions if that is not possible, by creating a high-pass filter that keeps all frequencies generated within the audible range of sound.

Network Security Checklist – Download Free E-Book

Related Read:

Website

Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from Promokit.eu for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles