New CASPER Attack Steals Data from Air-gapped Computers

Researchers from the Korea University School of Cyber Security, Seoul, have recently presented a new covert channel attack known as CASPER, which has been developed as part of a research project that is currently in progress.

In addition to this, it has also been reported that the attack may be able to leak data at a rate of 20 bits per second from air-gapped computers to nearby smartphones.

Defining a covert channel in terms of computer security means that it is a channel through which information is transferred through previously unknown channels.

Therefore, this type of communication can be used not only as a means of conveying information safely but it can also be used as a means of secretly transferring that information by encrypting it.

Research has shown that the CASPER attack takes advantage of the internal speakers in the target computer as a means of transferring data into the target system.

It is here where the attackers use high-frequency audio that a human ear cannot hear so that they can transmit binary or Morse code with a microphone up to 1.5m away in order to send high-frequency audio.

Infecting the target

However, this scenario may sound unfeasible, or even far-fetched, but there have been many instances when such attacks have been successful in the past.

While the Stuxnet worm is an infamous example of a cyberattack of this sort. In addition to targeting Iran’s uranium enrichment facility at Natanz, according to reports, the malware has also been linked to infecting a U.S. military base with the Agent[.]BTZ malware just a few days ago.

Over a five-year period, Remsec was found to be using its modular backdoor to collect information from air-gapped networks of government agencies.

Using the malware, the following information about the target can be auto-enumerated:-

  • Filesystem
  • Locate files
  • File types

It is done when a combination of code matches a hardcoded list and then tries to exfiltrate the data from the target system.

Alternatively, it can log keystrokes on a more realistic level, as this is more suitable for slow transmissions, and therefore, the attackers are using this method more frequently.

Experimental Outcomes

Using a Linux-based computer that is Ubuntu 20.04 as the target, the researchers experimented with the described model. In order to be able to use this system, the experts have used a Samsung Galaxy Z Flip 3 which will have a sampling frequency of up to 20kHz, running the basic recorder application on it.

According to the results of the tests conducted, and assuming a length per bit of 100 milliseconds, one can conclude that the maximum distance of the receiver is 1.5 meters, which is a height of 4.9 feet.

It was concluded from the overall results of the experiment that the length per bit determines the bit error rate and that a length per bit of 50 ms will result in a reliable bit rate of transmission of 20 bits/second.

A common 8-character password could be transmitted in about three seconds by a malware program using this data transfer rate, as well as an RSA key with a length of 2048 bits in about 100 seconds by the malware program.

The research that has been conducted has shown that it is possible to make sounds through internal speakers on computers that lack external speakers.


As a result, it has been suggested that organizations be reminded that they may need to take precautions to prevent data from being transferred in this way in the future.

A number of measures can be taken to protect your company against the CASPER attack. The simplest of these measures is to remove the internal speaker from any computer that is crucial to the operation of your company.

However, there might be some possibility, that the defenders can find a way to block ultrasound transmissions if that is not possible, by creating a high-pass filter that keeps all frequencies generated within the audible range of sound.

Network Security Checklist – Download Free E-Book

Related Read: