
God of the Air Gaps: How Malware Can Be Spread By Microphone

Matthew Hughes 20-12-2013

There is an accepted wisdom when it comes to avoiding getting infected with malware. Don’t install software from websites you don’t trust. Make sure your computer is up to date, patched and all software installed is running the latest updates. Don’t open any suspicious-looking attachments, no matter who sends them to you. Ensure you have a current anti-virus system in place. That sort of thing.


As Internet access, email and wireless technologies have progressively become more widespread, we have had to adjust to keep ourselves secure from malicious software and from hackers. With each new threat that emerges, our accepted wisdom updates.

With this in mind, you may be wondering what the next logical step is in the distribution of malicious software and in the compromising of computers? What if I told you that it was possible to remotely compromise a computer which was not connected to a network? And, just for good measure, what if I told you that this malware was passed using the unlikely medium of computer speakers and microphones?

You may think me quite mad, but it’s actually more likely than you think. Here’s why.


Dragos Ruiu is a computer security analyst and hacker based in Canada. In his professional life, he has worked for a number of giants of IT, including Hewlett Packard and Sourcefire, which was recently sold to American networking giant Cisco. He is the man behind the infamous Pwn2Own hacking competition in Vancouver, BC, where security-minded individuals scour for severe vulnerabilities in popular web browsers, cell phone operating systems and operating systems. It goes without saying that this is a man with a pedigree for excellence in computer security.

Three years ago, he noticed something troubling. His Macbook Air (running a freshly installed copy of OS X) spontaneously updated its firmware. Even more troubling, when he tried to boot from a DVD-ROM, his machine refused. He started to notice that data and configuration files were being deleted and updated without his instruction.



Over the next few months, Dragos noticed a number of other events that could only be described as inexplicable. A machine running the notoriously secure OpenBSD system had spontaneously started modifying its settings, again without Dragos’ instruction or instigation. He started noticing traffic being broadcast from computers that had their networking and Bluetooth cards removed, which should have been impossible.

Over the next three years, these infections continued to plague Dragos’s laboratory, despite his best efforts. Even after wiping a computer clean, removing its networking capability and installing a new operating system, it would return to its previous suspicious behavior.

Dragos has laboriously documented his research into this malware, which he has dubbed BadBIOS. You can follow his gripping account on Facebook and Twitter.


The Research

Michael Hanspach and Michael Goetz are two researchers at the highly celebrated German center of academia, the Fraunhofer Society for the advancement of applied research. In the November 2013 edition of the Journal of Communications, they published an academic paper called ‘On Covert Acoustical Mesh Networks in Air’.

This paper discusses some of the technologies behind what Dragos Ruiu may have discovered, including how malware can be spread over ‘air gaps’. By replicating what Ruiu may have seen in his laboratory, their research challenges the previously held understanding that isolating an infected computer ensures network security.


Using off-the-shelf computers and acoustic communication, they were able to bridge a number of computers and turn them into an ad-hoc network which can transmit data over a number of hops. They even used this interesting technology to act as a key logger, with keystrokes transmitted to an attacker many rooms away, with each key stroke routed through multiple rooms and the speakers and microphones found on most modern laptop computers.


Hanspach and Goetz’s research is dependent upon something called ‘Generic Underwater Application Language’ or GUWAL, which is “an operational application language for tactical messaging in underwater networks with low bandwidth”, and can transmit data at a speed of 20 bits per second. Latency is nowhere near what you would expect from a traditional copper or fiber optic network connection either, with each hop along the network taking around six seconds to complete.
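A defender's view of the acoustic channel described above, as an added example that is not from the article or from the Hanspach and Goetz paper: a sketch that scans captured microphone audio for a sustained carrier in a near-ultrasonic band. The 18 to 20 kHz band, the thresholds and the synthetic test audio are assumptions made for this example.

```python
import math

RATE = 48_000                      # capture sample rate in Hz (assumed)
FRAME = 960                        # 20 ms analysis frame
BAND = range(18_000, 20_001, 500)  # assumed near-ultrasonic probe frequencies
RATIO = 0.05                       # assumed threshold: band share of frame energy
MIN_RUN = 5                        # hot frames in a row (100 ms) before reporting

def goertzel_power(frame, freq):
    """Squared magnitude of one frequency component (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_share(frame):
    """Fraction of the frame's energy found at the probe frequencies."""
    total = sum(x * x for x in frame)
    # Scale by 2/N so a pure tone on a probe frequency yields a share near 1.
    band = sum(goertzel_power(frame, f) for f in BAND) * 2.0 / len(frame)
    return band / total if total else 0.0  # a silent frame has no share

def find_carriers(samples):
    """Return (start_s, end_s) spans where the band share stays above RATIO."""
    spans, run_start = [], None
    n_frames = len(samples) // FRAME
    for i in range(n_frames + 1):          # extra pass closes a run at the end
        hot = i < n_frames and band_share(samples[i * FRAME:(i + 1) * FRAME]) > RATIO
        if hot and run_start is None:
            run_start = i
        elif not hot and run_start is not None:
            if i - run_start >= MIN_RUN:   # ignore short clicks and transients
                spans.append((run_start * FRAME / RATE, i * FRAME / RATE))
            run_start = None
    return spans

def constructed_capture(seconds=1.0, carrier=None):
    """Constructed audio: 1 kHz tone, optional quiet carrier (hz, start_s, end_s)."""
    out = []
    for n in range(int(seconds * RATE)):
        t = n / RATE
        x = 0.5 * math.sin(2 * math.pi * 1_000 * t)
        if carrier and carrier[1] <= t < carrier[2]:
            x += 0.2 * math.sin(2 * math.pi * carrier[0] * t)
        out.append(x)
    return out

if __name__ == "__main__":
    print(find_carriers(constructed_capture(carrier=(18_500, 0.4, 0.7))))
```

The probe frequencies here fall on exact analysis bins, which keeps the arithmetic clean; real captures need windowing and a denser set of probes.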

The Real World

It’s crucial to stress that the claims of Ruiu have not been independently substantiated and that the research of Hanspach and Goetz is just that – research. They have created a (massively impressive) proof of concept and their research paper is a fascinating read. However, there is no known malware currently circulating which resembles it.


This means there is no reason for you to start plugging up microphone holes and disconnecting speakers. With that said, what the security landscape of the future holds is anyone’s guess.


I’d like to thank Robert Wallace for his invaluable help in researching this article. I would also like to hear your thoughts. What do you think about malware being spread over microphones and speakers in the future? Let me know in the comments below.

Image credits: #Fail (sk8geek), Bios Setup (Nick Grey), Bloody Virus (Cheryl Cox), Podcasting (nobmouse)


  1. sep tapod
    January 21, 2014 at 1:42 am

    could you send voice commands this way?

  2. Garth Harris
    January 14, 2014 at 5:57 pm

    GUWAL is used in the deployment of self-configured sensor networks. Given, those devices are meant to receive data this way, but I wouldn't find it that surprising at all to see it used to push 'code' to an uncompromised machine via a mic. The mic is digital, meaning that sound is 1s and 0s at some point, from there it's no leap to expect someone found a surface to attack in that stack.

  3. karoshi
    January 11, 2014 at 7:07 pm

    I'd rather expect it's a compromised OS or microcode in the first place. If I remember right, they could transmit up to 20 bits per second.
    Find it much more probable that [Broken URL Removed] found a real world example.

  4. tad
    December 26, 2013 at 11:17 pm

    from what I can tell by reading the account these were infected computers that were cleaned and the OS reinstalled. the BIOS was compromised enough to allow reinfection of the system and starting a new acoustic network.

  5. kaizoku-o
    December 26, 2013 at 12:51 pm

    great article, and interesting comments and views all around.

    all i can really say of it to all that doubt the possibilities is this... remember about a decade back when most of the world didn't know what a touchscreen or tabletPC was? well there were plenty of both at that date, and many years before that. NOTHING is impossible.. if it were, then the thought wouldn't have been. just because it IS possible, doesn't mean that there is a high likelihood or probability. as the years continue to go by, things that were considered "impossible" (especially with technology), are no longer thought as impossible. instead it's anywhere from "not likely" to "how could it NOT be so?"

    in conclusion, i would request that all of you that still think of things as impossible to reconsider such a closed view. preparedness was what taught me how to take my black hat off every once in a while and see what was to come and how it would even be affecting me sooner or later.

    respect mon. ~kaizoku-o

  6. @itinsecurity
    December 23, 2013 at 11:42 am

    Now, this is just all sorts of completely wrong!

    There is a huge difference in what @dragosr has claimed, and what is being said around the Internet.
    Nobody has said it is possible to INFECT computers just using sound. The research you link to has only shown that it is possible to use sound for communications (which shouldn't really come as a surprise to anyone). And @dragosr never made such a claim either.

    In order for there to be something at the receiving end capable of processing the incoming sound, the receiving computer must have been infected through other means already. Or else, it wouldn't know what to do with the incoming sound! It doesn't just happen with any regular software or OS.

    Or, as in the research paper you link to: sound is used to leak vital information out from an already compromised machine.
    You could also expect that a computer infected with a small initial payload for communications, could then use sound to download further malware to launch an attack.

    But whatever way you look at it, the computer MUST get an initial infection through other means, not through sound.

  7. Ramu
    December 23, 2013 at 5:52 am

    A good article about recent discoveries in Computer Security

    • Matthew H
      December 24, 2013 at 7:21 pm

      Thanks a lot man!

  8. Fred
    December 21, 2013 at 11:29 am

    Imagine a Google DC full of servers with owned BIOS... Even if Google firewalls are pretty secure and the tech guys surely aware of those things, this is still a bit frightening. Same for gov. & other org.

    • Matthew H
      December 24, 2013 at 7:25 pm

      Yeah, that is scary!

  9. kihara
    December 21, 2013 at 7:57 am

    Great article, I had no idea this was even possible! Like you say, it makes you really think about the future security implications.

    • James B
      December 24, 2013 at 1:04 pm

      It's not possible.

    • Matthew H
      December 24, 2013 at 7:21 pm

      Infection? Who knows. As I mentioned in the article, the claims of Dragos are not independently substantiated.

      However, German researchers have been able to transmit data from one isolated computer to another using sound. I linked to the academic paper, should you wish to have a look.

  10. DGear
    December 21, 2013 at 5:59 am

    I agree with you @Kannon, good write up.

    The audio streams as a means of transmitting data isn't new at all, if you consider that's how faxes changed the remote transmission of documents.

    Compromised systems built overseas should always be suspect. The FCC refused to allow Softbank who now owns Sprint to use Chinese made Huawei systems on their new 4G LTE network for this exact same reason.

    BTW, great write up on the Nexus 5 Kannon!

    • Matthew H
      December 24, 2013 at 7:21 pm

      Much appreciated man!

  11. Kannon Y
    December 21, 2013 at 3:12 am

    Great article!

    I'm pretty sure that BadBIOS really is a thing. There's already proof-of-concepts (plural) that malware can spread both through electrical and audio systems. Why there's so much contempt for Ruiu is confusing.

    I remember several years ago reading an article that national governments were attempting to infect firmware components with viruses as a form of espionage. A US security expert mentioned that many boards imported from China came with infected or compromised firmware. I would imagine that's what allows for BadBIOS to spread - computers already have compromised systems. I imagine that the NSA is a major contributor as well.

    • James B
      December 24, 2013 at 12:59 pm

      Rubbish. The computer would need to already be infected with something to receive the transmission - you can't use audio to transmit a virus to a clean PC.

    • James B
      December 24, 2013 at 1:06 pm

      Sorry, that second bit - yes. It would need to already be compromised. In which case, this isn't news at all. "Virus infected machines are able to transmit data" - OMG, no way!

    • Matthew H
      December 24, 2013 at 7:19 pm

      Hi James,

      Two points that I feel I must address here. Firstly, Dragos Ruiu insisted that the virus propagated over airgaps to freshly installed computers. Members of the technology community have expressed skepticism, and I feel like I addressed and mentioned this skepticism adequately and therefore did not draw any conclusions myself.

      Secondly, I'd agree that the research produced by the German chaps does not talk about infection, but rather data propagation. This should be regarded as something entirely separate from what Ruiu was talking about.


  12. Tom W
    December 20, 2013 at 10:26 pm

    I first read about this in the Sophos security blog. They were on the fence about the threat, but pointed out that many people in the security industry accept it as being real simply because Dragos Ruiu is such a well-known, respected, and trustworthy person with regards to security and that he would not benefit from keeping up a falsehood for such a long period of time.

    • Matthew H
      December 24, 2013 at 7:31 pm

      Yeah, I think I read that blog post too. A lot of people are very much undecided.

    • Tom W
      December 27, 2013 at 1:32 pm

      I think I'll remain sceptical, based purely on the fact that the only "wild" compromised network happens to be the lab of a top security researcher. If it was truly a wild malware, other people would have noticed it on other machines by now.

  13. Chupamela
    December 20, 2013 at 8:30 pm

    That video makes no sense, what exactly does it try to prove? Activity is always shown by Procmon due to Windows processes reading and writing from/to the registry.

    • Matthew H
      December 24, 2013 at 7:31 pm

      That's one video which Dragos uploaded as part of his investigation into BadBIOS.

    • boxtropica
      December 31, 2013 at 7:21 pm

      His laptop with OpenSuse Linux is sending files to his old Windows laptop without using Bluetooth or networking.