Vulnerabilities / Threats
8/7/2008
07:00 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Black Hat: Windows Jingle Attack Exposed

The latest scheme steals data by encoding a user's password into audio data and concealing that data in the Windows startup tone for decoding later, researchers reveal.

At the Black Hat conference in Las Vegas on Thursday, Eric Filiol, the head scientist at the French Army Signals Academy's Virology and Cryptology Lab, explained how to steal data from a computer without a network connection.

Filiol demonstrated what he called the Windows Jingle Attack, a method for encoding a user's password into audio data and concealing that data into the Windows startup tone, a publicly audible sound that can be read from afar with a local or remote microphone and then decoded.

Filiol's work builds on what's known as Tempest. Filiol said the term stands for Temporary Emanation and Spurious Transmission, though others suggest alternate terms to explain the acronym.

Tempest refers to research done by the NSA into the signals that emanate from electronic devices and how to prevent the interception of those signals. The reason is that those signals may reveal the information being processed by a device or may be altered to do so.

Programmer Eric Thiele has written a demonstration program called Tempest for Eliza that uses a computer monitor to send out AM radio signals.

The Windows Jingle Attack requires malware on the target machine, so in that respect it's not as easy to execute as other attacks that allow remote code execution. Nonetheless, there are certain scenarios when being able to obtain data from a computer without a network connection would be valuable.

There's precedent for related attacks in the intelligence community. In 1987, the National Security Agency found that the Soviet Union's KGB had replaced the circuit boards and power cords in the U.S. Embassy in Moscow in order to covertly siphon message data.

"An isolated computer is quite never really disconnected from the outside," said Filiol. Through social engineering or covert insertion, malware can be introduced to an offline computer. Law enforcement agencies have used this technique to install keylogging hardware for surveillance, which they then have to retrieve to obtain captured data. Filiol's technique saves the need for this second visit.

The Windows Jingle attack requires malware with audio-processing code to encode the information to be stolen. Filiol suggests the open source Scilab program as a starting point. The malware needs to be able to replace the Windows startup tone. And the person receiving the information needs some means to pick up the startup tone -- a microphone that works over long distances or hidden locally, and software to decode the transmitted information.

Filiol said that he called the attack the Windows Jingle attack as a matter of convenience. He said that it would work just as well on a machine running Mac OS X or Linux.

Filiol's technique can be used to create other covert channels of communication. He said that data could be encoded visually on-screen, using hard disk read/write noise or computer fans.

When playing an actual altered Windows startup tone, the results were impressive. He demonstrated a startup tone where the encoded data could be heard, and then he demonstrated an optimized version where the presence of hidden data was undetectable to the human ear.

Filiol said he would post a hidden message in his presentation materials in the Black Hat archives, which should be available in about two weeks. He promised a token prize to the first person to decipher the message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
Hyatt Hit With Another Credit Card Breach
Dark Reading Staff 10/13/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.