New CASPER Attack Steals Data from Air-gapped Computers Using Internal Speakers

Researchers from the Korea University School of Cyber Security, Seoul, have recently presented a new covert channel attack known as CASPER, which has been developed as part of a research project that is currently in progress.

In addition to this, it has also been reported that the attack may be able to leak data at a rate of 20 bits per second from air-gapped computers to nearby smartphones.

Defining a covert channel in terms of computer security means that it is a channel through which information is transferred through previously unknown channels.

Therefore, this type of communication can be used not only as a means of conveying information safely but it can also be used as a means of secretly transferring that information by encrypting it.

Research has shown that the CASPER attack takes advantage of the internal speakers in the target computer as a means of transferring data into the target system.

It is here where the attackers use high-frequency audio that a human ear cannot hear so that they can transmit binary or Morse code with a microphone up to 1.5m away in order to send high-frequency audio.

Infecting the target

However, this scenario may sound unfeasible, or even far-fetched, but there have been many instances when such attacks have been successful in the past.

While the Stuxnet worm is an infamous example of a cyberattack of this sort. In addition to targeting Iran’s uranium enrichment facility at Natanz, according to reports, the malware has also been linked to infecting a U.S. military base with the Agent[.]BTZ malware just a few days ago.

Over a five-year period, Remsec was found to be using its modular backdoor to collect information from air-gapped networks of government agencies.

Using the malware, the following information about the target can be auto-enumerated:-

  • Filesystem
  • Locate files
  • File types

It is done when a combination of code matches a hardcoded list and then tries to exfiltrate the data from the target system.

Alternatively, it can log keystrokes on a more realistic level, as this is more suitable for slow transmissions, and therefore, the attackers are using this method more frequently.

Experimental Outcomes

Using a Linux-based computer that is Ubuntu 20.04 as the target, the researchers experimented with the described model. In order to be able to use this system, the experts have used a Samsung Galaxy Z Flip 3 which will have a sampling frequency of up to 20kHz, running the basic recorder application on it.

According to the results of the tests conducted, and assuming a length per bit of 100 milliseconds, one can conclude that the maximum distance of the receiver is 1.5 meters, which is a height of 4.9 feet.

It was concluded from the overall results of the experiment that the length per bit determines the bit error rate and that a length per bit of 50 ms will result in a reliable bit rate of transmission of 20 bits/second.

A common 8-character password could be transmitted in about three seconds by a malware program using this data transfer rate, as well as an RSA key with a length of 2048 bits in about 100 seconds by the malware program.

The research that has been conducted has shown that it is possible to make sounds through internal speakers on computers that lack external speakers.

Recommendation

As a result, it has been suggested that organizations be reminded that they may need to take precautions to prevent data from being transferred in this way in the future.

A number of measures can be taken to protect your company against the CASPER attack. The simplest of these measures is to remove the internal speaker from any computer that is crucial to the operation of your company.

However, there might be some possibility, that the defenders can find a way to block ultrasound transmissions if that is not possible, by creating a high-pass filter that keeps all frequencies generated within the audible range of sound.

Network Security Checklist – Download Free E-Book

Related Read:

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…

1 hour ago

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…

2 hours ago

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…

2 hours ago

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…

2 hours ago

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine

A security researcher discovered a vulnerability in Windows theme files in the previous year, which…

2 hours ago

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…

2 hours ago