![\"Air-gapped\"](\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/06\/Airgapped.jpg\")
<\/p>\n<\/p>\n
A new attack dubbed ‘SmartAttack’ uses smartwatches as a covert ultrasonic signal receiver to exfiltrate data from physically isolated (air-gapped) systems.<\/p>\n
Air-gapped systems, commonly deployed in mission-critical environments such as government facilities, weapons platforms, and nuclear power plants, are physically isolated from external networks to prevent malware infections and data theft.<\/p>\n
Despite this isolation, they remain vulnerable to compromise through insider threats such as rogue employees using USB drives or state-sponsored supply chain attacks.<\/p>\n
Once infiltrated, malware can operate covertly, using stealthy techniques to modulate the physical characteristics of hardware components to transmit sensitive data to a nearby receiver without interfering with the system’s regular operations.<\/p>\n
SmartAttack was devised by Israeli university researchers led by Mordechai Guri<\/a>, a specialist in the field of covert attack channels who previously presented methods to leak data using LCD screen noise<\/a>,\u00a0RAM modulation<\/a>, network card LEDs<\/a>, USB drive RF signals<\/a>, SATA cables<\/a>, and power supplies<\/a>.<\/p>\n While attacks on air-gapped environments are, in many cases, theoretical and extremely difficult to achieve, they still present interesting and novel approaches to exfiltrate data.<\/p>\n How SmartAttack works<\/p>\n SmartAttack requires malware to somehow infect an air-gapped computer to gather\u00a0sensitive information such as keystrokes, encryption keys, and credentials. It can then use the computer’s built-in speaker to emit ultrasonic signals to the environment.<\/p>\n By using a binary frequency shift keying (B-FSK), the audio signal frequencies can be modulated to represent binary data, aka ones and zeroes. A frequency of 18.5 kHz represents “0,” while 19.5 kHz denotes “1.”<\/p>\n Frequencies at this range are inaudible to humans, but they can still be caught by a smartwatch microphone worn by a person nearby.<\/p>\n The sound monitoring app in the smartwatch applies signal processing techniques to detect frequency shifts and demodulate the encoded signal, while integrity tests can also be applied.<\/p>\n The final exfiltration of the data can take place via Wi-Fi, Bluetooth, or cellular connectivity.<\/p>\n The smartwatch can either be purposefully equipped with this tool by a rogue employee, or outsiders may infect it without the wearer’s knowledge.<\/p>\n Performance and limitations<\/p>\n The researchers note that smartwatches use small, lower-SNR microphones compared to smartphones, so signal demodulation is quite challenging, especially at higher frequencies and lower signal intensities.<\/p>\n Even wrist orientation was found to play a crucial role in the feasibility of the attack, working best when the watch has “line-of-sight” with the computer speaker.<\/p>\n Depending on the transmitter (speaker type), the maximum transmission range is between 6 and 9 meters (20 \u2013 30 feet).<\/p>\n The data transmission rate ranges from 5 bits per second (bps) to 50 bps, reducing reliability as the rate and distance increase.<\/p>\n The researchers say the best way to counter the SmartAttack is to prohibit using smartwatches in secure environments.<\/p>\n Another measure would be to remove in-built speakers from air-gapped machines. This would eliminate the attack surface for all acoustic covert channels, not just SmartAttack.<\/p>\n If none of this is feasible, ultrasonic jamming through the emission of broadband noise, software-based firewalls, and audio-gapping could still prove effective.<\/p>\n![\"The](\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/06\/inter.jpg\")
The covert channel and interference from keyboard typing<\/strong>
Source: arxiv.org<\/p>\n![\"Transmitter](\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/06\/transmitter.jpg\")
Transmitter type performance<\/strong>
Source: arxiv.org<\/p>\n![\"Performance](\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/06\/table(2).jpg\")
Performance measurements (Signal to Noise Ratio, Bit Error Rate)<\/strong>
Source: arxiv.org<\/p>\n
![\"Tines](\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/06\/tines-needle.jpg\")
<\/a><\/p>\n