A new attack dubbed ‘SmartAttack’ uses smartwatches as a covert ultrasonic signal receiver to exfiltrate data from physically isolated (air-gapped) systems.
Air-gapped systems, commonly deployed in mission-critical environments such as government facilities, weapons platforms, and nuclear power plants, are physically isolated from external networks to prevent malware infections and data theft.
Despite this isolation, they remain vulnerable to compromise through insider threats such as rogue employees using USB drives or state-sponsored supply chain attacks.
Once infiltrated, malware can operate covertly, using stealthy techniques to modulate the physical characteristics of hardware components to transmit sensitive data to a nearby receiver without interfering with the system’s regular operations.
SmartAttack was devised by Israeli university researchers led by Mordechai Guri, a specialist in the field of covert attack channels who previously presented methods to leak data using LCD screen noise, RAM modulation, network card LEDs, USB drive RF signals, SATA cables, and power supplies.
While attacks on air-gapped environments are, in many cases, theoretical and extremely difficult to achieve, they still present interesting and novel approaches to exfiltrate data.
How SmartAttack works
SmartAttack requires malware to somehow infect an air-gapped computer to gather sensitive information such as keystrokes, encryption keys, and credentials. It can then use the computer’s built-in speaker to emit ultrasonic signals to the environment.
Using binary frequency-shift keying (B-FSK), the frequency of the audio signal is modulated to represent binary data, i.e. ones and zeroes: a tone at 18.5 kHz represents “0,” while 19.5 kHz denotes “1.”
Source: arxiv.org
Frequencies in this range are inaudible to humans, but they can still be picked up by the microphone of a smartwatch worn by a person nearby.
A sound-monitoring app on the smartwatch applies signal-processing techniques to detect the frequency shifts and demodulate the encoded signal, and can also run integrity checks on the received data.
The final exfiltration of the data can take place via Wi-Fi, Bluetooth, or cellular connectivity.
The smartwatch can either be purposefully equipped with this tool by a rogue employee, or outsiders may infect it without the wearer’s knowledge.
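As an added illustration, not code from the paper or from this article, the following Python check looks for the acoustic signature described above from the defender's side: sustained narrowband energy in the 18.5 kHz / 19.5 kHz carriers that keys back and forth between them. The 48 kHz sample rate, 20 ms frame length (one symbol at the 50 bps upper rate) and thresholds are assumptions, and both input signals are constructed for the test.

```python
import math

SAMPLE_RATE = 48_000   # Hz; assumed PC audio device rate (constructed value)
TONE_ZERO = 18_500.0   # B-FSK carrier for "0", as reported for SmartAttack
TONE_ONE = 19_500.0    # B-FSK carrier for "1"
FRAME_SEC = 0.02       # 20 ms frame = one symbol at the 50 bps upper rate

def goertzel_power(frame, freq, rate):
    """Squared magnitude of the DFT bin nearest `freq` (Goertzel algorithm)."""
    n = len(frame)
    coeff = 2.0 * math.cos(2.0 * math.pi * round(freq * n / rate) / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_ultrasonic_fsk(samples, rate=SAMPLE_RATE, min_ratio=0.5, min_run=5):
    """Flag frames dominated by one carrier (ratio 2*P/(N*E) ~1.0 for a pure tone,
    ~0 for speech-band audio); alert on a sustained run that also keys between carriers."""
    n = int(rate * FRAME_SEC)
    flagged = run = longest = switches = 0
    prev = None
    for i in range(0, len(samples) - n + 1, n):
        fr = samples[i:i + n]
        energy = sum(x * x for x in fr)
        p0, p1 = (goertzel_power(fr, f, rate) for f in (TONE_ZERO, TONE_ONE))
        ratio = 2.0 * max(p0, p1) / (n * energy) if energy > 1e-9 else 0.0
        if ratio < min_ratio:          # silence or ordinary audio: reset the run
            prev, run = None, 0
            continue
        dominant = 0 if p0 > p1 else 1
        flagged, run = flagged + 1, run + 1
        longest = max(longest, run)
        switches += int(prev is not None and prev != dominant)
        prev = dominant
    return {"alert": longest >= min_run and switches > 0,
            "flagged_frames": flagged, "longest_run": longest, "switches": switches}

def constructed_fsk_signal(bits, amp=0.3, rate=SAMPLE_RATE):
    """Constructed test input: 50 bps B-FSK on the two carriers, frame-aligned."""
    n = int(rate * FRAME_SEC)
    out = []
    for b in bits:
        f = TONE_ONE if b else TONE_ZERO
        out.extend(amp * math.sin(2 * math.pi * f * k / rate) for k in range(n))
    return out

def constructed_benign_tone(seconds=0.4, rate=SAMPLE_RATE):
    """Constructed control input: a 1 kHz tone, i.e. ordinary audible content."""
    return [0.3 * math.sin(2 * math.pi * 1000.0 * k / rate) for k in range(int(rate * seconds))]
```

Calling `detect_ultrasonic_fsk(constructed_fsk_signal([1, 0, 1, 1, 0, 0, 1, 0] * 2))` raises the alert, while the benign tone does not; on real captures the frames would need to overlap, since symbol boundaries will not line up with the analysis window.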
Performance and limitations
The researchers note that smartwatches use small, lower-SNR microphones compared to smartphones, so signal demodulation is quite challenging, especially at higher frequencies and lower signal intensities.
Even wrist orientation was found to play a crucial role in the feasibility of the attack, working best when the watch has “line-of-sight” with the computer speaker.
Depending on the transmitter (speaker type), the maximum transmission range is between 6 and 9 meters (20 – 30 feet).
The data transmission rate ranges from 5 bits per second (bps) to 50 bps, with reliability dropping as the rate and distance increase.
The researchers say the best way to counter SmartAttack is to prohibit the use of smartwatches in secure environments.
Another measure would be to remove in-built speakers from air-gapped machines. This would eliminate the attack surface for all acoustic covert channels, not just SmartAttack.
If none of this is feasible, ultrasonic jamming through the emission of broadband noise, software-based firewalls, and audio-gapping could still prove effective.