I’ve been drowned in the world of tech over this holiday season. It is, after all, my lifeblood, as well as my hobby — it’s how I pay the bills and help keep this family afloat. So time has been in short supply for anything but work, and I’ve been choosing (as I mentioned recently) to spend most of my free time either playing Starbound (an absolutely incredible space sandbox game that’s still in pre-release — I’m going to write up a review ASAP), or working on learning Java and creating a procedurally generated platform game that will probably never see market because I suck at art.
Being drowned in tech as I am, the things I’ve been reading are mostly technology-related as of late. That doesn’t mean I’ve stopped being a skeptic or atheist — just that they haven’t been topics on my must-read list.
This particular piece in All Tech Considered made the skeptical and security-minded tech parts of my brain flip the hell out, and I figured I should share that feeling with you. The piece starts appropriately doomsday, extrapolating from the actual information at hand in a manner that makes me think the piece was written by a very experienced science journalist:
“If your computer is infected with a virus or other forms of malware, disconnecting the machine from the Internet is one of the first steps security experts say you should take. But someday, even physically separating your laptop from a network may not be enough to protect it from cyber evildoers.”
Yes, and someday, Skynet may happen. Someday, computer viruses may cross the computer-human barrier. Someday, computers may be using you as a PDA.
The piece describes the common security procedure of creating an air-gap between your computer and the internet — that is, if you have important secure files, you never let those files exist on a computer that has any visibility on the internet. You wouldn’t want the software running your traffic lights to be internet-aware, would you? So you keep them the hell separate, thus “air-gap”.
But researchers have figured out a way to pass information at ultrasonic frequencies using a computer’s speakers and another computer’s microphone, breaching that gap between networked computers by creating a secondary channel through which info can pass.
Sounds good, right? Like, Mission-Impossible level stuff here. You can steal info from a computer that isn’t even attached to your computer! One particular story sounds like something out of the mind of Neal Stephenson. It’s so good a tale, in fact, that security experts are certain it’s all bullshit.
The main reason I think this story is bullshit is that any such exploit is defeated by the simple expedient of removing your super-secure computer’s sound card, speakers and microphone.
If it can’t make or receive noise, it can’t send anything over the ultrasonic frequency range. Additionally, no part of the computer is designed to listen to your microphone by default under normal circumstances, much less execute code from it — though if there were such a program on your computer designed to listen at all times, it might be exploited via buffer overflows or the like if it was poorly (or maliciously) designed. And if sound can travel loudly enough that your microphone on your computer can pick it up, then you have a malicious user right there in your datacentre to begin with, and you better damn well look at your physical security first.
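To check the "no speakers, no microphone" condition on a Linux host rather than take it on faith, here is an added example (not from the NPR piece or anyone's product) that parses the kernel's ALSA device list in `/proc/asound/pcm` and reports which halves of a speaker-to-microphone path the machine exposes. The sample input and the `exposure` labels are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample in the /proc/asound/pcm layout (not from a real host).
SAMPLE_PCM = """\
00-00: ALC887-VD Analog : ALC887-VD Analog : playback 1 : capture 1
00-03: HDMI 0 : HDMI 0 : playback 1
01-00: USB Audio : USB Audio : capture 1
"""

ENTRY = re.compile(r"^(\d+)-(\d+):\s*(.*)$")           # "card-device: rest"
STREAM = re.compile(r"^(playback|capture)\s+(\d+)$")    # "capture 1"


def audio_endpoints(pcm_text):
    """Return {'playback': [...], 'capture': [...]} of (card, device, name)."""
    found = {"playback": [], "capture": []}
    for raw in pcm_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        card, dev = int(m.group(1)), int(m.group(2))
        fields = [f.strip() for f in m.group(3).split(" : ")]
        for field in fields[1:]:
            s = STREAM.match(field)
            if s and int(s.group(2)) > 0:
                found[s.group(1)].append((card, dev, fields[0]))
    return found


def exposure(pcm_text):
    """Summarise whether the host can emit sound, record sound, or both."""
    eps = audio_endpoints(pcm_text)
    can_emit, can_listen = bool(eps["playback"]), bool(eps["capture"])
    if can_emit and can_listen:
        return "send+receive"
    if can_emit:
        return "send-only"
    return "receive-only" if can_listen else "none"


if __name__ == "__main__":
    pcm = Path("/proc/asound/pcm")
    # Assumption: a missing file means ALSA exposes no PCM devices at all.
    text = pcm.read_text() if pcm.exists() else ""
    print("audio exposure:", exposure(text))
    for direction, devs in audio_endpoints(text).items():
        for card, dev, name in devs:
            print(f"  {direction}: card {card} device {dev} ({name})")
```

A listed playback or capture device only shows that the driver and codec are present; it says nothing about whether a speaker or microphone is physically attached, which still takes a look at the hardware.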
The main technological problem with this story is that its plausibility depends entirely on software already being installed on your computer, which means your computer is already compromised. If you have this software on your computer, if such software even exists, then YOU WERE ALREADY HACKED.
And yet, like with stories about exploits being used to smuggle weapons and bombs onto airplanes, even the attempt will result in a ratcheting-up of security theatre. I anxiously await the time that my bosses ask me to remove the sound cards from all our servers, even though a basic sound card is installed on most motherboards by default now, and I’ve only ever seen a set of speakers attached to a server on exactly one occasion — on call-recording software. It didn’t have a microphone to receive the instructions, though. And all such a microphone would pick up is the airplane-decibel “quiet drone” of the servers on that rack.
I call bullshit on the whole “advanced persistent threat” narrative presented in this piece specifically, and the ongoing race to find new bugaboos to be afraid of in the computer world in general. Instead of starting at ghosts invented by cross-classed computer techs – slash – horror story authors, these journalists should be focusing on the real threats. Threats like corporations storing your credit card PINs in a way that they can be stolen by hackers that just need to brute-force one 3DES key at an effective bit-strength of 80 bits to open a treasure-trove of credit card data.