“DiskFiltration” siphons data even when computers are disconnected from the Internet. Researchers have devised a new way to siphon data out of an infected computer even when it has been physically disconnected from the Internet to prevent the leakage of sensitive information it stores.
The method has been dubbed “DiskFiltration” by its creators because it uses acoustic signals emitted from the hard drive of the air-gapped computer being targeted. It works by manipulating the movements of the hard drive’s actuator, which is the mechanical arm that accesses specific parts of a disk platter so heads attached to the actuator can read or write data. By using so-called seek operations that move the actuator in very specific ways, it can generate sounds that transfer passwords, cryptographic keys, and other sensitive data stored on the computer to a nearby microphone. The technique has a range of six feet and a speed of 180 bits per minute, fast enough to steal a 4,096-bit key in about 25 minutes.
“An air-gap isolation is considered to be a hermetic security measure which can prevent data leakage,” Mordechai Guri, a security researcher and the head of research and development in the cyber security labs at Israel’s Ben-Gurion University, told Ars. “Confidential data, personal information, financial records and other type of sensitive information is stored within isolated networks. We show that despite the degree of isolation, the data can be exfiltrated (for example, to a nearby smart phone).”
Besides working against air-gapped computers, the covert channel can also be used to steal data from Internet-connected machines whose network traffic is intensively monitored by intrusion prevention devices, data loss prevention systems, and similar security measures. The technique is documented in a technical paper titled DiskFiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise, which was published Thursday night. Guri and the other Ben-Gurion University researchers who devised the covert channel created the video demonstration below.
Receiving data transmitted by sound generated from a hard drive is generally not efficient. DiskFiltration improves the signal-to-noise ratio by focusing on a narrow range of acoustic frequencies, a feature that effectively strips out background noise. DiskFiltration works even when a hard drive’s automatic acoustic management, which reduces acoustic noise, is at its default setting. Still, casual noise emissions from other running processes can sometimes interfere or interrupt the DiskFiltration transmissions.
The most effective way to prevent DiskFiltration-style data exfiltration is to replace hard drives with solid-state drives, since the latter aren’t mechanical and generate virtually no noise. Using particularly quiet types of hard drives or installing special types of hard drive enclosures that muffle sound can also be an effective countermeasure. It may also be possible to jam hard-drive signals by generating static noise. Intrusion prevention systems may also be programmed to detect suspicious hard-drive seek patterns used to create the transmissions. Yet another solution is to isolate air-gapped computers from smart phones and other devices with a microphone.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.