GAIROSCOPE: An Israeli researcher demonstrated how to exfiltrate data from air-gapped systems using ultrasonic tones and smartphone gyroscopes.

The popular researcher Mordechai Guri from the Ben-Gurion University of the Negev in Israel devise an attack technique, named GAIROSCOPE, to exfiltrate data from air-gapped systems using ultrasonic tones and smartphone gyroscopes.

The attack requires that the threat actor has in advance installed malware on the air-gapped system, as well as on a smartphone which must be located in the proximity of the system.

The malware installed in the air-gapped system generates ultrasonic tones in the resonance frequencies of the MEMS gyroscope which produce tiny mechanical oscillations within the smartphone’s gyroscope.

The frequencies are inaudible and the mechanical oscillations can be demodulated into binary information.

GAIROSCOPE air-gapped systems

The researcher pointed out that the gyroscope in smartphones is considered to be a ’safe’ sensor and can be used legitimately from mobile apps and javascript without specific permissions, unlike other components like the microphone.

The researchers added that in Android and iOS, there may be no visual indication, notification icons, or warning messages to the user that an application is using the gyroscope, like the indications in other sensitive sensors.

“Our experiments show that attackers can exfiltrate sensitive information from air-gapped computers to smartphones located a few meters away via Speakers-toGyroscope covert channel.” reads the research paper.

The malware on the air-gapped system gather sensitive data, including passwords and encryption keys, and encodes it using frequency-shift keying. In frequency-shift keying (FSK), the data are represented by a change in the frequency of a carrier wave.

Then the malware uses the device’s speakers to transmit the sounds at the inaudible frequencies.

On the receiving side, the phone receives the sounds using the device’s gyroscope and the malware running on the phone continuously samples and processes the output of the gyroscope. When the malware detects an exfiltration attempt, which is started using a specific bit sequence, it demodulates and decodes the data. The exfiltrated data can then be sent to the attacker using the phone’s internet connection.

“In the exfiltration phase, the malware encodes the data and broadcast it to the environment, using covert acoustic sound waves in the resonance frequency generated from the computer’s loudspeakers. A nearby infected smartphone ‘listens’ through the gyroscope, detects the transmission, demodulates and decodes the data, and transfers it to the attacker via the Internet (e.g., over Wi-Fi).” continues the paper. “The air-gapped workstation broadcasts data modulated on top of ultrasonic waves in the resonance frequencies that oscillates the nearby MEMS gyroscope. The application in the smartphone samples the gyroscope, demodulates the signal, and transmits the decoded data to the attacker through Wi-Fi.”

The test conducted by the researcher demonstrated that the GAIROSCOPE attack allows for a maximum data transmission rate of 8 bits/sec over a distance of up to 8 meters.

The following table shows the comparison with the existing acoustic covert channels previously devised by the researchers:


The researcher also provide countermeasures to mitigate the GAIROSCOPE attack, such as speakers elimination and blocking, ultrasonic filtering, signal jamming, signal monitoring, implementing sensors security, keping systems in restricted zones defined by a different radius, depending on the zone classification.


[출처 :  SecurityAffairs / 8.25.]