New ‘CASPER’ Attack Can Steal Data from Air-Gapped Systems Using Internal Speakers

A new secret channel attack emerges after Korean researchers figured out a way to steal data from an air-gapped system using its internal speakers.

The concept, dubbed CASPER, was brought to life thanks to the academic efforts of researchers Hyeongjun Choi, Ji Hyuk Jung and Ji Won Yoon at Korea University’s School of Cyber Security.

CASPER relies on the system’s speakers to generate sounds at a specific frequency, which are then inconspicuously recorded with a small device, such as a smartphone.

Randomly generating sounds wouldn’t be enough to leak sensitive information from any device; in their experiment, researchers first encoded data of interest into Morse or binary code and then initiated the transfer.

In this scenario, the recording device can be set up to 1.5 meters from the system to achieve practical results.

“At this time, the location of the smartphone can be any distance within 1.5 m when the length per bit is longer than 50 ms, such as on the computer body or on the desk,” reads the researchers’ technical paper. “Data are obtained by analyzing the recorded file. Our results show that data is transferred from a network-separated computer using an internal speaker with 20 bits/s in maximum.”

However, anyone trying to use CASPER in a real-life scenario would likely run into a few serious stumbling blocks. First of all, air-gapped systems rarely, if ever, have external speakers that could exfiltrate sensitive data. Therefore, the attack must rely entirely on the device’s internal speakers, such as those soldered on the motherboard.

This, in turn, raises additional issues: not all devices have system speakers, and those that do are generally loud enough to raise suspicion.

Furthermore, as with all covert channel attacks, threat actors need physical access to an air-gapped device to deploy CASPER, making the method more theoretical than practical. On the other hand, the risk of disgruntled employees helping perpetrators infect targeted devices by proxy is always worth considering.