‘DiskFiltration’ malware steals data from offline computers through sound
Researchers at Israel’s Ben-Gurion University have developed a malware variant that can steal data from an air-gapped computer. It does so using sound produced by the hard drive's actuator.
The researchers write that this sound can be picked up by, for example, a smartphone or a laptop. The listening device must be within two meters of the target’s computer, and the PC must have a mechanical hard drive. An SSD is therefore not vulnerable. In addition, the DiskFiltration malware must be present on the target’s computer, which may be infected, for example, through a USB drive.
As a result, an air-gapped computer, which has no connection to the outside world, is also vulnerable to this attack, the scientists say. The listening device may be in the attacker's possession, or it may itself be infected with malware that then sends the captured signals over its data connection. To steal data, the malware searches the infected system for sensitive information such as passwords and encryption keys.
The malicious software then uses the actuator, i.e. the arm carrying the read and write heads, to generate acoustic signals that can be picked up by the listening device. For example, it is possible to transfer a 4096-bit key in 20 minutes at a rate of 180 bits per minute, Ars Technica writes. While this attack is effective, it remains difficult to execute because the target’s computer must first be infected.
The researchers behind this project often publish side-channel attacks of this kind, for example AirHopper and Fansmitter. In those attacks, respectively, the computer's GPU is used as an FM transmitter and the fan is used to send data via sound.