Hard drive noises could betray sensitive data, says BGU team

Malware to manipulate the clicks and clacks of disk drives is the latest example of how hackers could steal information from a computer, even one unconnected to the internet

Hard disk drive (Pixabay)
Hard disk drive (Pixabay)

First it was video screens sending out electromagnetic waves that could be picked up by a cellphone; then it was Radio Shack-type equipment hidden inside something the size of a pita bread that could be used to “read” the electromagnetic pulses emanating from a standard laptop’s keyboard. Now, Ben Gurion University researchers have discovered a new take on air-gapped network hacks – malware that reads sensitive data and sends it out to a waiting device.

It’s another example of how malefactors could pull off a hack on some of the most secure networks and individual computers in the world – networks and computers that are not connected to the internet. Hackers generally practice their craft on connected systems, using long-distance network and wifi connections to reach into troves of sensitive data. Ostensibly, though, systems that are not connected to the internet are not within reach of hackers.

Not quite. New research led by the Ben Gurion University team, led by security researcher Mordechai Guri, shows that even unconnected systems are vulnerable. All a hacker has to do is implant the right kind of malware into a system (usually accomplished by connecting a USB drive or other peripheral to a computer) and get a cellphone within range of the computer. This peripheral manipulates the computer’s hard drive to broadcast data to a waiting cellphone or other device, which then stores it and can later upload it to hackers.

This is known as an air-gap attack. In the past, researchers at Ben Gurion and Tel Aviv universities have discovered several other applications of this kind of attack – like PITA, the Portable Instrument for Trace Acquisition attack, which uses electromagnetic wave detection equipment (available at any computer hardware store) that could “read” the electromagnetic pulses emanating from a standard laptop’s keyboard, including the keystrokes used to de-encrypt secure documents.

The new attack, called DiskFiltration, does something similar using the acoustic signals emitted from the movement of a computer’s hard disk drive (HDD). Malware on the computer seeks out data like text files, logins and passwords, databases, and other useful information. Once the preferred data is discovered, the malware manipulates the hard driver’s actuator (a device that controls the hard drive head arm, which reads data off the disk) to create specific sound patterns – the clicks and whirrs of the movement of the drive.

Those patterns are recorded by a device like a smartphone, smartwatch, or other Internet of Things (IoT) device that could either transmit the sound patterns to a remote computer (via the cellphone network connection of the device) or keep it intact, awaiting the retrieval of the device by a hacker or their agent.

It sounds implausible, if not impossible, but air-gap attacks are nothing new. According to many experts, the Stuxnet attack on Iran’s nuclear system – in which a virus infected the servers controlling the Iranian nuclear program’s centrifuges, “choking” them until they ground to a halt – was an air-gapped one, as the computers were not connected to the internet.

One way to beat air-gap attacks, according to the researchers, is to switch to solid-state drives (SSDs), which have no moving parts and therefore emit no noise. However, according to the researchers, “despite the increased rate of adoption of SSDs, HDDs are still the most sold storage devices, mainly due to their low cost. In 2015, 416 million HDD units were sold worldwide, compared to 154 million SSD units. Currently, HDDs still dominate the storage wars, and most PCs, servers, legacy systems, and laptops are installed with HDD drives,” so there are still many vulnerable systems out there.

Other than that, say the researchers, the best bet is to keep devices away from secure computers. “Procedural countermeasures involve a physical separation of emanating equipment from potential receivers,” says the team. “Smartphone and other types of recording devices should not be permitted in close proximity of the computer.”

read more:
Never miss breaking news on Israel
Get notifications to stay updated
You're subscribed