Leaking data via out of unconnected devices (both connected and unconnected) is a very interesting topic, often called “soft tempest”. Often this is the realm of absurdly costly lab equipment, source code isn’t published etc. Here i would like to demonstrate this using the simplest equipment and means, and make it very easy to reproduce.
Humans can hear frequencies from 16Hz to 20kHz (16kHz according to some sources). Only some very young people with excellent hearing will reach the 20kHz upper limit, usually this is much less. I know i am able to hear 15.5kHz, but not much more.
A modern computer sound card usually runs at 48kHz sampling rate or more. According to the Nyquist theorem, they can reproduce frequencies up to 1/2 of the sampling rate, or 24kHz. The speakers are usually physically small (which means they will work well at high frequencies), and usually there is no lowpass filtering applied. So a normal laptop (or desktop with speakers) can produce sound at frequencies above the human hearing range. This can be used to transmit data, without people realizing it.
Signals can be modulated using different methods. Here i will use morse code for simplicity. This also allows one to judge the signal to noise ratio by just listening. It is also possible to decode it by ear without additional devices if one knows morse code, if not there is a lot of software that can do it (although usually with much worse performance than an experienced human operator).
Transmission is implemented via very simple shell scripts. Only bash, sox and alsa-utils are needed. This enables the script to be used easily on embedded devices and other platforms where shipping binaries, installing a python environment etc might be a problem.
The proof-of-concept script is available at https://github.com/sq5bpf/sonify
Demo:
Run as a user with privileges to play sound:
./sonify1.sh
o transmit “sonify1 demo” or to exfiltrate the contents of /tmp/secret.txt
./sonify1 /tmp/secret.txt
The audio signal can be demodulated on another computer with DL4YHF Spectrum Lab . The file sq5bpf_sonify1.usr in the github repository contains the Spectrum Lab receiver configuration.
Morse code can be decoded by fldigi, or other software, however it is best to have a human decode the signal by ear.
Demo receiving the signal at 5m:
I’ve also been able to receive a good signal at 20m distance with the laptop internal microphone, and the trasmitting laptop on a balcony at 4m height.
How to replicate in your own environment
This was demonstrated to work on a Dell Latitude 6220 laptop running Debian Bullseye as the transmitting laptop, and a Dell Latitude 5310 laptop as the receiver. The receiver software is DL4YHF Spectrum Lab and fldigi, connected via pulseaudio.
The 21.5kHz frequency was arbitrarily chosen. The performance of audio hardware (speaker efficiency, microphone sensitivity) in laptops often rolls off at higher frequencies, either due to component characteristics, or due to some additional lowpass filtering. During tests slightly better range was obtained with 20.5kHz.
Much better range can be obtained using a dedicated directional microphone, and a better Morse code decoder (a trained human operator is best). There isn’t much interference at ultrasound frequencies, however echo might be a problem (also for humans), especially at higher data rates. Also Doppler shift can be a problem, when performing the demo please have all of the equipment stationary and try not to move much.
Much better range could also be obtained with different modulation schemes. There are a lot of amateur radio weak signal modes that could be repurposed for ultrasound transmission and reception.
The“software” side of sonify is intentionally a very primitive silly hack.
Prior art
There isn’t anything novel here. Data via ultrasound has been shown many times, for example here:
TalkingBehind Your BackAttacks & Countermeasures of Ultrasonic Cross-Device Tracking
This article is another article in the Soft TEMPEST series, others are:
Etherify – bringing the ether back to ethernet
If you cite this, please include the webpage address and attribute Jacek Lipkowski (SQ5BPF). Email can be sent to my_callsign @ this_domain.