We’ve all heard a really annoying song on the radio on the way to the supermarket and then are shocked and ashamed to find ourselves humming the tune while perusing the frozen foods isle. All it takes then is for a fellow shopper to overhear your rendition of that eighties rock classic and before you know it the tune has infected their brain, and so on and so on. All this sounds very much like a virus, spreading from one computer/human to another leaving infection as it travels, if only Symantec did an anti-Irritating eighties rock product!
All joking aside, malware that can spread or receive commands through sound seems like something out of a far-fetched sci-fi movie right? Not according to researchers at the University of Alabama at Birmingham (UAB) who have recently released a paper entitled Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices. The paper examines how malware on mobile devices can be activated and controlled using non-Internet channels such as sound, light, magnetic fields, and vibration. Traditional means of controlling malware rely on network-based channels, such as a TCP/IP based channel, that are easily detected and blocked by firewalls and antimalware products, whereas the methods put forward by the UAB researchers would be extremely difficult, if not impossible, to detect.
Mobile devices, such as smartphones and tablets, now include an array of sensors including cameras, microphones, accelerometers, and magnetic field sensors. While these tools were originally included for obvious reasons, like taking pictures and recording your voice, they have since been adopted by application developers to achieve many more things beyond their original function. For example, there are apps that can use the camera on your phone to measure your pulse and others that can use the accelerometer to help detect earthquakes. The ubiquitous nature of mobile devices and their built-in sensors creates plenty of opportunities for attackers according to the UAB researchers, and it is these opportunities that they discuss in detail in their report, going as far as building a proof-of-concept Android app to demonstrate some of their ideas.
The researchers placed their malware, which was designed to remain dormant until activated by certain signals, on an Android phone. They then activated the malware in a busy hallway using music coming from a source 55 feet away. They also successfully activated the malware using music videos, lighting from a television and also an overhead light, magnetic fields, and vibrations from a subwoofer.
This attack method would enable attackers to carry out localized targeted attacks including:
- Distributed denial-of-service (DDoS) attacks – e.g. using devices at a specific location to bring down a WiFi network
- Annoyance attacks – e.g. causing all devices at a conference to start playing music or call each other
- Embarrassment attacks – e.g. displaying embarrassing content on devices
- Safety hazards – e.g. devices being activated while users are driving
- Interference attacks – e.g. devices being activated in a hospital in order to interfere with medical equipment
- Distraction attacks – e.g. devices playing music or ringing in order to distract users from certain actions
While the researchers admit that this type of attack is highly sophisticated and difficult to carry out at present, it will only become easier to accomplish as technology improves. It is for this reason that they believe this type of research is important as it will help the security industry and device manufacturers to stay one step ahead of the bad guys.
The type of hypothetical attack discussed by the researchers relies on the malware getting onto the device through conventional methods, and it is the way in which the attackers communicate with the threat that is different i.e. using unconventional channels. While this research is indeed interesting, embedding hidden signals inside sounds or other broadcasts is just another form of steganography. Regardless, devices running Symantec products would detect the presence and behavior of the malware, irrespective of the means in which it receives its communication.