New Air Gap-Jumping Attack Uses Ultrasonic Tones and Smartphone Gyroscope

A researcher from the Ben-Gurion University of the Negev in Israel has shown how a threat actor could stealthily exfiltrate data from air-gapped computers using ultrasonic tones and smartphone gyroscopes.

The attack method, named GAIROSCOPE, assumes that the attacker has somehow managed to plant malware on the air-gapped computer from which they want to steal data, as well as on a smartphone that is likely to go near the isolated device.

According to researcher Mordechai Guri, the malware that is on the air-gapped computer can transmit ultrasonic tones using the device’s loudspeakers. These tones are inaudible and on a frequency that is picked up by a gyroscope.

Gairoscope attack setup

Gyroscope sensors in smartphones determine the direction of the device and they enable users to perform various actions by tilting the phone. This includes automatically rotating the screen and moving characters or objects in a game. Unlike the microphone, which is more difficult to access by a malicious application, a phone’s gyroscope can be accessed by iOS and Android malware that does not have as many permissions.

The malware that is on the isolated device collects valuable data such as passwords and encryption keys, and encodes it using audio frequency-shift keying, where one specified frequency represents a ‘0’ bit and a different frequency represents a ‘1’ bit. The malware uses the device’s speakers to transmit inaudible sounds at those frequencies.

On the phone side of the attack, the infected device’s gyroscope picks up those tones when it’s near the air-gapped computer. The method leverages previous research that showed how gyroscopes are vulnerable to acoustic attacks.

The hacker’s mobile malware continuously samples and processes the gyroscope sensor output. When it detects an exfiltration attempt — a specific bit sequence is used to signal the start of data transmission — it demodulates and decodes the data. The exfiltrated data can then be forwarded to the attacker using the phone’s internet connection.

Experiments conducted by Guri showed that the GAIROSCOPE method allows for a maximum data transmission rate of 8 bits/sec over a distance of up to 8 meters (26 feet).

This is not…