virus over audio?

[Raj]

I smell bull$#!t 
2013-11-badbios-malware-microphone-speakers.html

and there are tons of other articles if you google "microphone virus"
it seems like even the most techey  people bought into it.

reasons for my disbelief-
First of all, soundcards aren't capable of generating ultrasounds,
second, ultrasound is unidirectional
third, most probably mic circuitry is turned off and will ignore it

why don't they hook up a freaking oscilloscope to check it out?

what do you guys think?

pro advice needed

[BobsURuncle]

That is a bad link.

[Raj]

Sorry
 
http://www.newstatesman.com/future-proof/2013/12/researchers-prove-pc-viruses-can-spread-microphones

[Len]

It turns out that the reported computer virus did not exist. Here is a follow-up article:
http://arstechnica.com/security/2013/11/researcher-skepticism-grows-over-badbios-malware-claims/

As for ultrasonic communication between PCs, that's the part of the story that is possible. As noted in the article you linked, it was demonstrated by researchers at the Fraunhofer Institute. That's where MP3 was developed, so they know something about PC audio.

[Ian.M]

The initial infection vector still has to get executable code into memory and jump to it.  Virus-to-virus ultrasonic comms is obviously possible, but that's not a possible route for infection, as there's nothing on a clean machine that would decode AND execute the recieved ultrasound.

[sarepairman2]

Unless you use a method of entry into a computer that allows you to "choose" drivers (i.e. a "hail" signal like on USB that identifies the device) then its extremely unlikely it can be used as a infection route without some kind of malicious firmware on the computer.

if there is a hail signal then there are exploits relating to buffer overflow I believe... I am not sure how low level it is, i.e. microsoft or motherboard firmware.

[Len]

I don't think anyone ever claimed that this hypothetical virus used sound to infect a "clean" PC. Supposedly it would use sound to communicate between infected computers. (But it turned out there was no such virus anyway.)

[Pack34]

Missing Mazzie... Mazzie is missing...

http://www.imdb.com/title/tt1226681/

Very good movie.

[vk6zgo]

The scungy little speakers & mics on most computers barely make the audio spectrum.

We are supposed to believe that they can communicate at ultrasonic frequencies,& not only that,have sufficient bandwidth to pass  a complex virus signal.

As the OP says,why didn't they test the hypothesis with an oscillator?

The most likely answer is,that as IT people,they are laypersons as far as Electronics are concerned.
They probably wouldn't know how to connect up an oscillator to a PC speaker.

After all,they didn't do the most obvious test------gaffer tape over the speakers/mics,or just disconnect them!

[MrSlack]

This is feasible but most likely a complete pile of steaming bollocks. Absolutely no malware could be transmitted via this vector to start with and there's no reason to do it afterwards with ubiquitous network connectivity and the sheer amount of hole-ridden average low grade software engineering out there.

[SL4P]

Oh well, all those infrasound whingers now have something else to complain about.
Sick leave, compensation, sue the boss - whatever it takes to do less work.

[Marco]

With continuously running voice recognition this is actually becoming a realistic threat on some platforms.

PS. surprised no one said this yet : virus over audio, you mean like religion?

[cloudscapes]

First of all, soundcards aren't capable of generating ultrasounds,

Disagreed, they are often very capable of generating ultrasounds. If ultrasound is anything above the audible range, then it's anything above 18-20khz. My soundcard is capable of 96khz, which has been what's expected of good soundcards for a few years. I'm not saying the sound is accurate at that range, just that it's capable of greater than human audible range.

Though this is all still likely bullshit. As people in the thread are saying, desktop speakers and cheap mics people hook up will be the bottleneck, more than the soundcard. Unless you're using studio reference monitors as desktop speakers, I doubt they go above 15khz.

EDIT: Just performed a test.

Test 1: Got Audible to generate higher and higher frequency sine tones from my soundcard into my studio reference monitors (better than desktop speakers). I use a Zoom H6 recorder's microphones to record the audio. It's a great recorder I use al lthe time, and I completely trust it's specs to record high def audio. I also made sure my soundcard's settings were set to enable 96khz output.

In this test, the recorder could no longer "hear" the sine tone at around 22-23khz. I opened up the recording, and it was relatively clean as it fades out at 22khz. Had these been ordinary desktop speakers, it would have been much lower.

Test 2: Plugged the soundcard output direct into the H6 recorder and performed the same test of increasing the tone frequency. I could crank it up past 40khz! Due to the recording frequency approaching a small multiple of the playback frequency, the shape of the sine was more of a triangle than a sine, (a limitation I can't really get around, with the H6's max sampling frquency of 96khz). Past 42-44khz I get nasty beat frequencies. This was all visual inspection of the recording, obviously, since it's all ultrasonic.

So yeah, can I get clean ultrasonic out of my sound card? No, not clean/precise probably. But it is capable of it. As expected, the main bottleneck is the cheapness of desktop speakers and microphones. I'm sure ultrasonic 'information' could be transfered from one soundcard to another via direct cable and as long as the signal itself is simple (like squarewaves), but over the air from one desktop speaker to a microhpone? Doubt it. Not unless they're very high quality monitors and mics. And the tone/signal integrety breaks down only a couple of 10s of khz in the ultrasonic. Can't get around those sampling/nyquist hard limits.

[Ian.M]

A typical PC microphone can have quite good frequency response above 20KHz, e.g a typical electret capsule is likely to have an upper frequency limit somewhere between 30 and 50 KHz.  Even if all the sound card can do is 44.1KHz sample rate, that's still good enough to detect modulated 22KHz ultrasound if it doesn't have good analog anti-aliasing filtering in front of the ADC.

There's also the issue of generating 22KHz ultrasound with usable amplitude. Physically small internal speakers and HiFi grade external speakers may have enough bandwidth. One odd-ball idea is to modulate the CPU load and rely on magnetostriction in the inductors of the CPU's Vcore switching supply.

Who's going to bother writing a virus to exploit this?   Possibly a three letter agency trying to crack a high value target. Gain transient physical access or drop infected media and one could compromise a PC in a way that the opposing agency would  be very unlikely to detect.   The existence of the Stuxnet worm shows that  agencies exist that have a significant budget for offensive cyper-warfare. 

[Len]

We are supposed to believe that they can communicate at ultrasonic frequencies,& not only that,have sufficient bandwidth to pass  a complex virus signal.

Yes, because people have actually done it. Here's the paper describing the experiments done at the Fraunhofer Institute:
http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf
They did not make an actual virus but they did send & receive data. The data rate was low, but fast enough for, say, a keylogger.

(Geez people, it took like half a minute to find this stuff out starting from the first linked article.)

[zapta]

This is not a virus, but according to Computer World sound communication is pretty common these days for various applications.

http://www.computerworld.com/article/2861717/the-hottest-wireless-technology-is-now-sound.html

If devices monitor microphone input and act on it, there is a theoretical possibility that a malicious signal will trigger a malicious action. Same goes for a malicious agent that is installed on an otherwise isolated computer and can interact with the external world via the audio channel.

[Marco]

The recent ImageMagick vulnerability which hit countless webservers is a good example why always on microphone input/processing is a bad idea unless the processing software is well contained (user/process isolation not being nearly good enough, local root exploits abound).

[Simon]

This reminds me of a program called computer clear that was supposed to generate healthy frequencies to prevent fatigue due to using a computer. I asked the seller who forwarded my coments to the developer how the "signal" was being emitted by the program as no hardware was supplied, needless to say no reply ensued. People will make up the most fantasdtic things and other so called intelligent people will beleive them.

[botcrusher]

I think the real problem with this isn't as an attack vector, but as a way for infected machines to potentially communicate. A virus could communicate with others undetected, obviously not very fast, but this could be crippling in an office / lab environment where lots of machines are packed in an area. They could relay instructions in an unmonitored manner, which has plenty of issues that I'm not going to go indepth about right nowm

[Simon]

Yes granted it does allow undetectable communication but gee it's a little far fetched. It's like when they made headlines over hacking a car and bringing to a stop on a 70mph motorway by getting into the car stereo, what they failed to point out was the shear tiny probability it could even be pulled off granted technically feaseable.

[CatalinaWOW]

So all you have to do is come up with scenarios where multiple infected machines have no better way to communicate than through ultrasound.  It seems to me that if you have the ingenuity to get the infections in place you can certainly figure ways to use bluetooth, wifi, infrared, wired ethernet or any number of other paths for communications.  Even if there are firewalls and they are being monitored.

Maybe this story was propagated by someone who hates the use of company resources to play .mp3s or to stream music off the net and was trying to justify disabling all of the sound cards.

[botcrusher]

They can't do that anyways, accessibility lawsuits would ensue.

[R005T3r]

Alright, interesting:

https://en.wikipedia.org/wiki/Air_gap_malware
http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/

 I hardly doubt that this will be the next attack method of the following years for hackers, but still interesting. At this point you use a RF jammer: cheap to build and definitely you can isolate your pc.

[botcrusher]

I'd be more curious to see if it could be used decently for half duplex serial connection.

Fire up some python with pyserial, get an audio manipulation library, fire away!

[timb]

With continuously running voice recognition this is actually becoming a realistic threat on some platforms.

PS. surprised no one said this yet : virus over audio, you mean like religion?

Fortunately for us, the Sumerian god Enki used his silver tongue to coded up some verbal anti-virus software to protect Humanity from linguistic viruses. Unfortunately, this "nam-shub" had the side effect of splitting the world up into many distinct languages. So long as nobody figures out how to pull an Asherah with the original, base tongue, we're safe. (Though if that *did* happen, I'm sure a Hiro would come along and save us...)

[CatalinaWOW]

Snow Crash was a pretty extravagant extrapolation from the computer technology of the time.  But if you look into the minds of writers you find that they see the world much differently than engineers.  Amusement parks are real to them, not just entertaining.

[R005T3r]

Just thinking: If you have a microphone or loudspeaker (especially the small laptop ones that are bloody low quality) and you make a malware that uses them both OVER the audiable range, it simply won't work. Here's why:

Any noise you make (even something that falls to the ground) will have some low end frequency and some high end frequencies. At low end, well, there's nothing to speak about: the malware uses high frequencies. When ever you produce a sound, the sound's spectrum goes well over the audiable range because it contains some ultrasound frequencies and some infra-sound frequencies as well as some low end ones and all the audiable. So, practically speaking this system will not work because it gets jammed by all sorts of noises over the inaudiable range. Same thing as you cannot use a pci bus as an antenna: it's simply too noisy.  But, let's go ahead and let's say that it works anyway: it won't work because you will get a very low gain: because the audio equipment is well over 22Hkz starts having natural brickwalls or someting high db slopes because it's not developed to work like that, as a result the signal is so weak that reaching the outside is impossible: one thing is for certain, wireless technology works best when there are no obstacles between the source and the destination, but whenever you put a shelf or some furnitures near the antenna, the signals gets faded.

For anyone that don't know why you are sampling sounds over 44.1Khz when you can only hear 22Khz, it's a matter of filters: making a brickwall physical filter is very hard, as a result, in order to attenuate everything that goes up to the non audiable range (aka ultrasonic range) you will have to compromise on the high frequencies of the audible range. This is not acceptable in a studio-like environment, so you sample at higher frequencies, BUT this does not mean that the microphone or the loudspeaker is able to produce correctly the sound becasue it's not intended for that use(yep, another problem for the malware-makers).

I think it's an hoax...

[Ian.M]

Depends on your definition of hoax - Actual audio virus found 'in the wild' was either a hoax or a very confused researcher.  However covert ultrasonic mesh networks are practical in a real-world environment: 

Yes, because people have actually done it. Here's the paper describing the experiments done at the Fraunhofer Institute:
http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf
They did not make an actual virus but they did send & receive data. The data rate was low, but fast enough for, say, a keylogger.

So, in the future, if a PC *MUST* remain airgapped, best practice will be remove or hardware disable soundcards or insert dummy plugs to disable built in speakers and microphones (in addition to EM shielding the whole PC including input devices and display).

[borjam]

Just thinking: If you have a microphone or loudspeaker (especially the small laptop ones that are bloody low quality) and you make a malware that uses them both OVER the audiable range, it simply won't work. Here's why:

There are techniques for data transmission over extremely nasty communication paths.

So, despite the limited utility beyond a proof of concept, I wouldn't discard the ability to transmit audio from one computer to another.

Now, the real stupidity of the news reports is the hippotethical ability to "infect" a computer using this mechanism, and that is complete bullshit.

In order to trigger a security issue, you generally need to write data outside of the intended buffer and, sometimes  cause some uncaught error. The resultant error condition makes the target program behave erratically. And thanks to that data you wrote outside of an intended buffer, you can alter the code execution.

Now, let's look at this particular case. This is audio. ¿How do you write outside of a buffer? A longer than expected transmission will just be discarded. Moreover, assuming that it was possible to somewhat cause the audio sampling to write elsewhere, you wouldn't be able to just guarantee the sample values you write to memory, so the likelyhood of writing some predictable code would be infinitesimal.

There is a possibility, actually. Imagine that you had some kind of voice assistant, and a bogus request could trigger a buffer overflow. For example, imagine a poorly written function that returns the day of the week given a date, which doesn´t check the day of the month. So you say "Hey, Siri, is the 98675438967458673458067856347856348756234789563987568456734857438769458764938567458976458989 of February Saturday?"

But of course that precludes the sneaky ultrasound technique, so, again, bullshit 

The day of the month example looks very silly, but someone told me that cracking a certain games console involved feeding a stupidly large number to some character in a game, like writing it on a blackboard or something. That triggered a buffer overflow.

[timb]

Snow Crash was a pretty extravagant extrapolation from the computer technology of the time.  But if you look into the minds of writers you find that they see the world much differently than engineers.  Amusement parks are real to them, not just entertaining.

Actually, I don't think that's entirely true. I would say it very much depends on the writer.

Most engineers focus on what's *possible* today; whereas Science Fiction authors focus on what's *probable* tomorrow.

Those books inspire future engineers, who inevitably turn fiction into fact.

History is full of just such examples. Communications Satellites, Cell Phones, Tablets, etc.

[rs20]

History is full of just such examples. Communications Satellites, Cell Phones, Tablets, etc.

I'm gonna go out on a limb here and claim that those examples are... cherrypicked, shall we say... 

[CatalinaWOW]

Snow Crash was a pretty extravagant extrapolation from the computer technology of the time.  But if you look into the minds of writers you find that they see the world much differently than engineers.  Amusement parks are real to them, not just entertaining.

Actually, I don't think that's entirely true. I would say it very much depends on the writer.

Most engineers focus on what's *possible* today; whereas Science Fiction authors focus on what's *probable* tomorrow.

Those books inspire future engineers, who inevitably turn fiction into fact.

History is full of just such examples. Communications Satellites, Cell Phones, Tablets, etc.

Not what is probable.  What is possible, or at least credible and supports a good story line.  I agree some author's use more realistic/probable extrapolations than others, but with notable exceptions the ones who do most probable extrapolations write the worst stories.

In any case with hundreds of authors writing thousands of books it is hardly surprising that they get stuff right from time to time.  But for a counterexample, run through your science fiction library and see what the most common date for a moon colony turns out to be.  Or single stage to orbit transport vehicles.  Or ballistic passenger transport.  Or air cars. 

[R005T3r]

Come on guys. There are ways better option for virus-makers to violate a system, and as far as I know there is only one purpose: money. That's why keylogger were created, that's why the bloody CryptoLocker was created, also trojan horses ecc ecc... Doing something like that It's simply not worth the effort. And, if you government plans to come inside your environment, they can arrest and interrogate you and nobody will eventually know, if they found you may have something interesting.

The best way to investigate and prevent this from happening is always make regular backups. If you come into this, well, unplug your hard disk and you will be ok.

Foreign intelligence WON'T do this: remember that 1 million dollars is a reasonable check for any intelligence agency in the world, as a result it's better to buy the intel or maybe infiltrate the agency, but all in all, probably they will cooperate each other to find other things, because a war between them is something they both cannot afford: just imagine the NSA infiltrated and someone speak about it... They will lose their credibility over the government, and as a result no more money for them  ...

I doubt about this "virus" because there are no other clues out there, except one or two cases. This won't prove anything it's a hoax, and also it has been demystified from antivirus companies.

[Ian.M]

Actually it has great potential for triggered sabotage of airgapped computers by three letter agencies.   Activating it in most Muslim countries would simply involve subverting the distribution servers for the most popular free Athan programs as Athan programs on both PCs and Android devices used by practising Muslims are about as pervasive as browser search 'helpers' are on family PCs in the west.     Other target groups/countries could be subverted to play the trigger signal just as easily e.g. by embedding the control signal in music to be played at an international away game.