SmartAttack Utilizes Smartwatch Technology to Compromise Air-Gapped Systems
A new method known as ‘SmartAttack’ leverages smartwatches to act as covert ultrasonic signal receivers, enabling the exfiltration of data from air-gapped systems.
Air-gapped systems, designed for high-security environments like government offices, weapon systems, and nuclear facilities, are intentionally isolated from external networks to mitigate threats from malware and data breaches. However, their physical separation does not make them immune to compromise, whether by insider threats such as malicious employees or through state-sponsored supply chain attacks.
Malware can infiltrate these secure systems and operate covertly, utilizing specialized techniques to modulate hardware components for the transmission of sensitive information to a nearby receiver without disrupting normal system functions.
The SmartAttack technique, developed by researchers from an Israeli university, including expert Mordechai Guri, builds upon prior methods of covert data transmission, such as acoustic data leaks using LCD display noise and modulation techniques applied to random-access memory (RAM) and network card indicators.
While the methods developed for attacking air-gapped environments have frequently remained theoretical, they introduce innovative strategies for potential data exfiltration.
Mechanism of SmartAttack
SmartAttack necessitates the presence of malware on an air-gapped computer to extract sensitive data, including keystrokes, encryption keys, and user credentials. The malware can utilize the host computer’s speaker to generate ultrasonic signals that transmit this data.
Employing binary frequency shift keying (B-FSK), the audio frequencies generated are modulated to encode binary data, where a frequency of 18.5 kHz corresponds to “0” and 19.5 kHz to “1.”
Frequencies within this range are inaudible to the human ear but can be detected by smartwatch microphones worn by individuals in proximity.
The smartwatch’s sound monitoring application processes these signals, identifying frequency shifts and demodulating the received messages, which can subsequently be transmitted via Wi-Fi, Bluetooth, or cellular networks.
The smartwatch may either be intentionally equipped with this capability by a malevolent employee or potentially compromised by external actors without the wearer’s awareness.
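As an added example (not code from the researchers or from this article), the following Python code looks at the B-FSK scheme described above from a monitoring point of view: it uses the Goertzel algorithm to measure energy at 18.5 kHz and 19.5 kHz in fixed windows of a recording and flags audio in which both tones take turns dominating. The 48 kHz capture rate, 100 ms bit duration, window alignment, power threshold and the synthesized test signal are assumptions made for illustration.

```python
import math
import random

FS = 48_000               # assumed capture rate (Hz); must exceed 2 x 19.5 kHz
F0, F1 = 18_500, 19_500   # tones from the article: "0" and "1"

def goertzel_power(window, fs, freq):
    """Power of a single frequency in `window`, normalised by length squared."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in window:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / len(window) ** 2

def classify_windows(samples, fs=FS, bit_s=0.1, min_ratio=0.5):
    """Label each bit-length window '0', '1' or None (no dominant tone).

    A window is labelled only if one tone carries at least `min_ratio`
    (assumed threshold) of the window's total power.
    """
    n = int(fs * bit_s)
    labels = []
    for start in range(0, len(samples) - n + 1, n):
        w = samples[start:start + n]
        total = sum(x * x for x in w) / n
        p0, p1 = goertzel_power(w, fs, F0), goertzel_power(w, fs, F1)
        # A tone of amplitude A has mean power A^2/2 but Goertzel power A^2/4.
        share = 2.0 * max(p0, p1) / total if total > 1e-12 else 0.0
        labels.append(('0' if p0 > p1 else '1') if share >= min_ratio else None)
    return labels

def looks_like_bfsk(samples, **kw):
    """True when both tones appear as the dominant tone in different windows."""
    return {'0', '1'} <= set(classify_windows(samples, **kw))

def synth(bits, fs=FS, bit_s=0.1, amp=0.05, noise=0.01, seed=0):
    """Constructed test input: two-tone signal plus Gaussian noise."""
    rng, n, out = random.Random(seed), int(fs * bit_s), []
    for i, b in enumerate(bits):
        f = F1 if b == '1' else F0
        out += [amp * math.sin(2 * math.pi * f * (i * n + k) / fs)
                + rng.gauss(0, noise) for k in range(n)]
    return out

if __name__ == "__main__":
    print(classify_windows(synth("10110")))   # ['1', '0', '1', '1', '0']
    rng = random.Random(1)
    room_noise = [rng.gauss(0, 0.01) for _ in range(FS // 2)]
    print(looks_like_bfsk(room_noise))        # False
```

A real monitor does not know the bit duration in advance, so it would repeat the check over several window lengths covering the 5 to 50 bps range reported in the article.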
Performance Considerations and Challenges
The researchers emphasize that smartwatch microphones are small and have a lower signal-to-noise ratio (SNR), which makes signal demodulation challenging, particularly at higher frequencies and weaker signal strengths.
The efficiency of the attack is also contingent on the orientation of the smartwatch, with optimal results achieved when the device has a clear line of sight to the computer’s speaker. Maximum transmission distances vary from 6 to 9 meters (approximately 20 to 30 feet), depending on the speaker type used for transmission.
Data transfer rates range from 5 bits per second (bps) to 50 bps, with reliability declining as transmission rate and distance increase.
To mitigate the risks posed by SmartAttack, it is advisable to restrict the use of smartwatches within secure environments. Another effective countermeasure is to remove built-in speakers from air-gapped systems, which eliminates the attack surface for all forms of acoustic covert channels, including SmartAttack.
When these options are not viable, alternative defenses such as ultrasonic jamming through the emission of broadband noise, software-based firewalls, and audio-coupling techniques can help secure sensitive systems against such attacks.