An experimental new attack can steal data from air-gapped computers using a phone’s gyroscope

A security researcher known for devising inventive ways to siphon data from computers that are disconnected from the internet has found a new exploit able to exfiltrate data to a nearby smartphone.

Air-gapped systems are physically segregated and incapable of connecting wirelessly or physically with other computers or network devices. You’ll find them in places where network security is paramount, like critical infrastructure. While uncommon, some techniques developed in recent years can defeat air-gap isolation, like the Mosquito attack, which uses a nearby smartphone’s microphone to receive data. Since then, Apple and Google have introduced permissions settings in iOS and Android that block apps from accessing a device’s microphone, and both operating systems use visual indicators when the microphone is active.

But unlike microphones, gyroscopes — found as standard in most modern smartphones — don’t have the same protections. Gyroscopes are used to detect the rate of rotation of the smartphone, and are widely considered a safer sensor, since neither iOS or Android indicate when they are used or given the option to block access altogether.

Now, the creator of the Mosquito attack has a new technique that uses a smartphone’s gyroscope to pick up inaudible nearby soundwaves and doesn’t rely on using the microphone.

Mordechai Guri, the head of research and development at the Cyber Security Research Center at Ben Gurion University, said in his latest research paper that this new attack, which he calls “Gairoscope,” can exfiltrate sensitive information from air-gapped computers just “a few meters away.”

Like other exploits against air-gapped systems, Guri’s “Gairoscope” proof-of-concept requires close proximity to the air-gapped system. But from there, an attacker could collect passwords or login credentials by listening for sound waves generated from the speakers of an air-gapped system and picked up from the gyroscope of a nearby smartphone.

Guri says these inaudible frequencies produce “tiny mechanical oscillations within the smartphone’s gyroscope,” which can be converted into readable data. He added that an attacker could execute the exploit using a mobile browser, since phone gyroscopes can be accessed using JavaScript.

While the method is still experimental, Guri and his team have recommended some countermeasures aimed at limiting the impact of the new malware, such as eliminating loudspeakers to create an audio-less networking environment and filtering out the resonance frequencies generated by the audio hardware using an audio filter.