Stealthy Data Exfiltration Possible via Headphones, Speakers

A team of researchers has demonstrated how air-gapped computers can stealthily communicate with each other using speakers or headphones over ultrasonic waves.

Experts from the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel combined previous research on communications through ultrasonic waves with a technique that can be used to turn a device’s speakers into a microphone in an effort to create a covert data exfiltration channel.

Researchers demonstrated several years ago that audio modulation and demodulation can be used to exchange data between computers over the air via the ultrasonic frequency range. The method requires that the devices communicating with each other are equipped with both microphones and speakers.

However, it’s possible to turn speakers, headphones or earphones into microphones using only software, which Ben-Gurion University researchers demonstrated back in 2016 in an attack they dubbed SPEAKE(a)R.

Experts have now combined the two methods to show that a piece of malware installed on an air-gapped system fitted with speakers, headphones or earphones can transmit bits of data to one or more nearby devices running malware designed to capture the data via an audio output system turned into a microphone. These types of attacks, which they have dubbed MOSQUITO, can be launched in scenarios involving desktop computers that don’t have a microphone, or when the microphone on a laptop or desktop system has been disabled or taped.

The data exchange can take place over inaudible sound waves at frequencies of 18kHz or higher, which can be captured by regular headphones or speakers. The data can be modulated through audio frequency-shift keying (AFSK), which uses one frequency to transmit “0” bits and a different frequency to transmit “1” bits.
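For defenders, the two-tone keying described above leaves a recognizable trace in any audio capture: sustained narrowband energy at 18kHz or higher that hops between two frequencies. The following is an added detection sketch, not code from the researchers' paper; the 48 kHz sample rate, the 18.5/19.5 kHz tone pair, the 10 ms window and the power threshold are all assumptions chosen for the constructed test audio.

```python
import math

RATE = 48_000                          # capture sample rate in Hz (assumption)
WIN = 480                              # 10 ms analysis window -> 100 Hz bins (assumption)
F0, F1 = 18_500, 19_500                # constructed "0"/"1" tones, not values from the paper
CANDIDATES = range(18_000, 22_001, 100)  # near-ultrasonic bins to watch

def goertzel_power(frame, freq, rate=RATE):
    """Squared amplitude of one frequency in a frame (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (len(frame) / 2) ** 2

def scan(samples, floor=1e-3):
    """Flag windows with a strong tone >= 18 kHz; two alternating tones look like AFSK."""
    hits = []
    for i in range(0, len(samples) - WIN + 1, WIN):
        frame = samples[i:i + WIN]
        power, freq = max((goertzel_power(frame, f), f) for f in CANDIDATES)
        hits.append(freq if power > floor else None)
    tones = sorted({h for h in hits if h is not None})
    coverage = sum(h is not None for h in hits) / max(len(hits), 1)
    return {"tones": tones, "coverage": coverage,
            "afsk_like": len(tones) == 2 and coverage >= 0.8}

def tone_mix(bits=None, n_windows=8):
    """Constructed test audio: 440 Hz audible tone, plus a two-tone carrier if bits given."""
    out = []
    for w in range(len(bits) if bits else n_windows):
        for k in range(WIN):
            n = w * WIN + k
            x = 0.5 * math.sin(2 * math.pi * 440 * n / RATE)
            if bits:
                x += 0.2 * math.sin(2 * math.pi * (F1 if bits[w] else F0) * n / RATE)
            out.append(x)
    return out

if __name__ == "__main__":
    print(scan(tone_mix()))                          # audible-only recording
    print(scan(tone_mix([1, 0, 1, 1, 0, 0, 1, 0])))  # recording with keyed tones
```

In a real capture the windows will not line up with symbol boundaries and the tones will not sit exactly on the 100 Hz grid, so the threshold and coverage figure need tuning against the room's normal noise.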


Tests conducted by researchers showed that a transfer rate ranging between 1200 bits/sec and 1800 bits/sec can be obtained for up to 8 meters (26 feet) for audible frequencies transmitted and captured using loudspeakers. The transfer rate drops to between 300 bits/sec and 600 bits/sec for inaudible frequencies.

Experiments conducted using headphones and earphones as recipients showed that they are not much worse than speakers, with transfer rates ranging between 300 bits/sec and 600 bits/sec over distances of 1m (3ft), 5m (16ft) and 8m (26ft). However, performance is significantly degraded when headphones are used both by the sender and the recipient — it only works over a distance of up to 3m (10ft) at a maximum of 250 bits/sec.

It’s worth noting that these are upper theoretical transmission rates. In practice, the transfer rate is influenced by environmental noise, the position of the transmitter and receiver, and bit error rates.

“Our experiments show that at a distance of three meters between two speakers, a transmission rate of 166 bit/sec results in a 1% bit error rate, during the exfiltration of a 1Kbit binary file,” researchers explained in their paper. “However, at distances of 4-9 meters, the 1% bit error rate is only achieved at transmission rates of 10 bit/sec. Our waveform analysis shows that the signal quality is degraded at distances greater than four meters mainly due to the environmental noise, which results in a lower SNR.”

Researchers at the Ben-Gurion University of the Negev previously demonstrated that stealthy data exfiltration is also possible via magnetic fields, infrared cameras, router LEDs, scanners, HDD activity LEDs, USB devices, the noise emitted by hard drives and fans, and heat emissions.


Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
