Threat Intelligence, Malware, Security Strategy, Plan, Budget

DiskFiltration attack uses acoustics to infiltrate air-gapped computers

A team of researchers from Ben-Gurion University of the Negev in Israel developed a new method, dubbed DiskFiltration, to leak information from air-gapped computers using intrinsic covert noises emitted from the device's hard drive.

Unlike other methods and malware designed to pull data from air-gapped computers that monitor signals given off by the computer's speakers or fans, this method uses sound generated by the computer's hard disk drive (HDD) to transmit the stolen data, according to a white paper published by the researchers.

The attack method developed does require that malware be installed on the target computer in some fashion. After this task is accomplished the malware will then gather information and transmit the data using acoustic signals emitted from the HDD. The malware generates the acoustic emissions at specific audio frequencies by controlling the movements of the HDD's actuator arm to specific audio frequencies that can be picked up by a nearby receiver, such as a smartwatch, laptop, or smartphone, the researchers said in the paper.

“With DiskFiltration we were able to covertly transmit data (e.g., passwords, encryption keys, and keylogging data) between air-gapped computers to a smartphone at an effective bit rate of 180 bits/minute (10,800 bits/hour) and a distance of up to two meters (six feet),” the paper said.

Any computer with one or more hard disk hard drives is vulnerable to the attack, although the attack model is more relevant for highly secured or air-gapped computers, Mordechai Guri, one of the researchers who helped develop the attack, told via emailed comments.

He went on to say the attack is very difficult to replicate and that ordinary users shouldn't care about these kinds of attacks.

“However, some mitigations can be taken,” Guri said. “The first is to ban recording devices from sensitive environments, the second is to move to SSD (solid state drive) storage which virtually make no noise.”

Fortunately, most organizations that have sensitive information which could potentially be pilfered by these sort of attacks, implement countermeasures such as not allowing personal devices, not allowing data storage devices, not allowing software to be loaded on the systems or connections to the internet, Lieberman Software President Philip Lieberman told in an email.

“The idea of using physical noise on a computer to provide a covert channel of “non-connected” transmission has been around a long time,” he said. “If a hacker wished to open such a channel it could be done in many more ways than outlines by the researcher, for example, the load on the computer could be dynamically be modified and listening to the power supply or monitoring the current on the line could be used (hall effect device).”

Lieberman said that theses type of attacks existed for a long time but are more difficult to carry out if the attacker doesn't have a device to capture the information that is leaked.

Even if an attacker were to perform the attack it may result in more a ton of noise and not a whole lot of signal, Lieberman Software VP Jonathan Sander told

“It is a ‘be careful what you wish for' situation for the attacker – they get absolutely everything going on with the hard drive including tons of things that mean nothing, he said. “With luck, perseverance or both, an attacker could perhaps get a peek at an encryption key, password, or other data that may be useful in cracking a whole lot of other good targets.”

Despite the difficulties in pulling the attack off, he said the challenge may be worth it for larger enterprises such as military financial institutions. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.