The School of Cyber Security at the Korean University in Seoul has developed a novel covert channel attack called CASPER that may leak data from air-gapped computers to a nearby smartphone at a pace of 20 bits per second.
What is CASPER?
Casper is a 'recognition tool,' built to characterize its targets and decide whether or not to keep tracking them. Prior to introducing more advanced persistent malware into the targeted systems for espionage, the Casper surveillance virus was employed as a starting point.
Data leak
The target needs to first be infected with malware by a rogue employee or a cunning attacker with physical access, which is the case with nearly all personal channel attacks that target network-isolated systems.
Attacks utilizing external speakers have been created in the past by researchers. External speakers are unlikely to be employed in air-gapped, network-isolated systems used in harsh settings like government networks, energy infrastructure, and weapon control systems.
The malicious software has the ability to search the target's filesystem on its own, find files or data formats that match a hardcoded list, and make an exfiltration attempt.
Keylogging is a more realistic option and is better suited for such a slow data transmission rate. The malware will use binary or Morse code to encrypt the information to be stolen from the target and then transmit it through the internal speaker utilizing frequency modulation to create an undetectable ultrasound between 17 kHz and 20 kHz.
The researchers tested the proposed model using a Samsung Galaxy Z Flip 3 as the receiver and an Ubuntu 20.04-based Linux computer as the target. Both were running a simple recorder application with a sampling frequency of up to 20 kHz.
In the Morse code study, the researchers employed 18 kHz for dots and 19 kHz for dashes, with a length per bit of 100 ms. The smartphone, which was 50 cm away, was able to interpret the word 'covert' that was sent. In the binary data study, each bit had a length of 50 ms and was transferred at a frequency of 18 kHz for zeros and 19 kHz for ones. Nonetheless, the overall experiment findings demonstrate that the length per bit impacts the bit error rate, and a max reliable transmitting bit rate of 20 bits/s is possible when the length per bit is 50 ms.
A standard 8-character password could be transmitted by the malware in around 3 seconds at this data transfer rate, while a 2048-bit RSA key could be transmitted in roughly 100 seconds. Even under ideal conditions and with no interruptions, anything larger than that, such as a little 10 KB file, would take longer than an hour to escape the air-gapped system.
"Because sound can only transmit data at a certain speed, our technology cannot transmit data as quickly as other covert channel technologies using optical or electromagnetic methods." – Korea University.
The attack is limited since internal speakers can only emit sound in a single frequency band. Changing the frequency band for several simultaneous transmissions would be a solution to the slow data rate. The simplest method of defense against the CASPER assault was to turn off the internal speakers in mission-critical computers, which was disclosed by the researchers. The defense team could also use a high-pass filter to keep all created frequencies inside the range of audible sound, preventing ultrasonic transmissions.