Hackers steal data from Air-Gapped PCs with microphones & speakers


A research team from the cyber security research center at Israel’s Ben-Gurion University of the Negev has discovered a new way to extract data from air-gapped computers using passive devices such as earphones, headphones, and speakers.

Now, the same research center has claimed to be able to use computer speakers and headphones to act as microphones and receive data. The devices can be used to send back the signals and make the otherwise safe practice of air-gapping less secure.


With the researchers' new technique, data is extracted in the form of inaudible ultrasonic sound waves. Transmission occurs between two computers installed in the same room, and the data is shared without using microphones.

The research team created a custom protocol to carry out data transmission between two computers. One of them would be air-gapped while the other is connected to the internet and used to further relay the data. Through the attack, researchers claim to carry out speaker-to-headphone, headphone-to-headphone, and speaker-to-speaker data exfiltration.

The findings of this research were published on arXiv on Friday in an academic paper titled “MOSQUITO: Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-Speaker Communication.” The researchers explained that their work shows how speakers can secretly be used to carry out data transmission between unconnected computers located within a distance of 9 meters.

They used speakers because a speaker can be considered a microphone working in reverse: speakers convert electrical signals into acoustic signals, whereas microphones convert acoustic signals into electrical signals. The conversion is assisted by a diaphragm in each of these devices, which can be used to reverse the process. This process of reversing the mechanism of a device like a speaker is called jack retasking.

A majority of new audio chipsets can be used for jack retasking because they offer an option to alter the audio port function through software. Malware can reconfigure a speaker or headphone so that it acts like a microphone, provided that the device is unpowered and passive. The paper reads:

“The fact that loudspeakers, headphones and earphones are physically built like microphones, coupled with the fact that an audio port’s role in the PC can be altered programmatically, changing it from output to input, creates a vulnerability which can be abused by attackers.”

In the MOSQUITO attack, the malware the researchers used infected an air-gapped computer and could also be used to modulate or transform locally stored documents into audio signals. These signals could easily be relayed to another computer using headphones, earbuds or speakers.

The receiving computer would also be infected with malware, which would use the jack retasking technique to make connected speakers or headphones serve as a microphone. The catch is that most of the PCs now have passive speakers while these have active, powered headphones, earbuds, and speakers.

The researchers achieved data transmission at a rate of 166 bit/sec using frequencies ranging from 18 to 24 kHz. There was just a 1% error rate when a 1kb binary file was transmitted over a distance of 3 meters. When the distance was increased to up to 9 meters, a 10 bit/sec transmission rate was achieved with the same error rate.

Authors also provided various mitigation techniques but admitted that all had their limitations. These techniques included designing speakers and headphones equipped with onboard amplifiers to prevent their use as a microphone.

Alternatively, an ultrasonic jammer can be used, and the environment can be scanned for ultrasonic transmissions. Software can be developed to prevent jack retasking, and UEFI/BIOS settings can be used to fully disable audio hardware. Another, more practical solution is to disconnect the headphones or speakers, although it is not a very feasible method. Information security training analysts believe that monitoring the ultrasonic band is a much more practical and reliable solution, but when applied, it is bound to raise false alarms.
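
The ultrasonic-band monitoring mentioned above can be sketched as follows. This is an added example, not code from the MOSQUITO paper or its authors. It measures how much of each 20 ms audio frame's energy falls in the 18 to 24 kHz band and reports only sustained runs, so that brief transients do not raise false alarms. The 48 kHz sample rate, the frame size, the thresholds, the function names and the test tones are all assumptions made for this example.

```python
import math

RATE = 48_000            # capture sample rate in Hz (assumed)
FRAME = 960              # 20 ms frame, so DFT bins are 50 Hz apart
BAND = (18_000, 24_000)  # ultrasonic range reported for MOSQUITO

def goertzel_power(frame, freq):
    """Squared DFT magnitude of frame at freq (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_ratio(frame):
    """Fraction of the frame's energy that lies inside BAND (0.0 to 1.0)."""
    total = sum(x * x for x in frame) * len(frame) / 2.0
    if total == 0.0:
        return 0.0  # silence: nothing to measure
    step = RATE // len(frame)  # probe every DFT bin inside the band
    band = sum(goertzel_power(frame, f) for f in range(BAND[0], BAND[1], step))
    return min(band / total, 1.0)

def ultrasonic_runs(samples, threshold=0.5, min_frames=5):
    """Return (start_s, duration_s) for each sustained ultrasonic run.

    Runs shorter than min_frames are dropped so that brief transients
    do not raise an alert. threshold and min_frames are assumed values.
    """
    runs, start, n_frames = [], None, len(samples) // FRAME
    for i in range(n_frames + 1):  # the extra pass closes a trailing run
        hot = i < n_frames and band_ratio(samples[i * FRAME:(i + 1) * FRAME]) >= threshold
        if hot and start is None:
            start = i
        elif not hot and start is not None:
            if i - start >= min_frames:
                runs.append((start * FRAME / RATE, (i - start) * FRAME / RATE))
            start = None
    return runs

def tone(freq, seconds, amp=0.5):
    """Constructed test signal: a pure sine tone."""
    return [amp * math.sin(2 * math.pi * freq * t / RATE)
            for t in range(round(RATE * seconds))]

if __name__ == "__main__":
    # Constructed capture: audible tone, 0.2 s ultrasonic burst, audible tone.
    capture = tone(1_000, 0.1) + tone(19_000, 0.2) + tone(1_000, 0.1)
    print(ultrasonic_runs(capture))
```

In a real deployment the samples would come from a dedicated monitoring microphone, and the threshold would need tuning against the room's normal background noise.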