Smartwatches tabbed as latest vehicle for air-gapped system attacks

Researchers say that the latest vehicle for covert data extraction from secured systems could be sitting on your wrist.

A paper published by the Ben-Gurion University of the Negev in Beer Sheva, Israel, details how a smartwatch could possibly be employed to lift secured data from air-gapped machines by intercepting electronic signals.

Air-gapped machines sit apart from any network connection. Such systems are usually employed to hold highly sensitive data on a one-way connection without any possibility of outside access.

While such setups would, on the surface, seem to be impenetrable to anyone who didn’t have direct physical access to a connection port on the machine, researchers have found that there are various methods with which a threat actor can intercept signals or interpret electromagnetic activity in such a way as to intercept and log data transmissions. This would result in the theft of potentially sensitive information.

In this case, the researchers found that attackers could utilize off-the-shelf smartwatch devices to communicate with air-gapped systems and log sensitive information for exfiltration.

To make a very complicated matter into a very abrupt form, the signal waves generated by a data transmission between devices can potentially be read by specially designed listening devices and used to interpret the binary signal transmissions that, when run through multiple layers of translation, allow for a human to read the data in transit.

“When ultrasonic waves propagate through or around physical obstructions, they experience attenuation due to absorption, scattering, and reflection,” the researchers explained.

“The extent of attenuation depends on the signal frequency, the properties of the obstructing material, and the effective distance the sound wave travels.”

In practice, the smartwatch would be able to make a scan of the acoustic spectrum near the air-gapped device and listen for any possible sound waves that would be recognizable as data transmissions.

“Upon detecting a transmission, it demodulates and decodes the exfiltrated data, reconstructing the stolen information,” the researchers noted.

“The smartwatch then forwards the extracted data to the attacker using available communication channels such as Wi-Fi, cellular networks, or Bluetooth tethering, effectively bypassing traditional security measures.”

From there, the data could either be logged by the device itself or exfiltrated to another remote storage device. While exfiltrating entire databases worth of information might not be practical, the attack could yield vital information such as account credentials or keys.

While the most practical use of the vulnerability would be the interception of sensitive data, the researchers believe that under the right circumstances smartwatch devices could even be used by threat actors to inject commands into a nearby air-gapped system.

“Beyond covert channels, ultrasonic signals can also be exploited for direct command injection attacks, posing security risks to voice-controlled devices,” the Ben-Gurion researchers noted.

Least administrators get too worked up over the prospects of attack, experts noted that any theoretical exploit would require very specific conditions in which both the watch device and the targeted system were already compromised by the attacker.

"SmartAttack is clever research, but it’s not a fire‑drill for typical enterprises. An attacker must already own the air‑gapped machine and a smartwatch that sits within about twenty feet, then settle for dial‑up‑era speeds. That makes it a boutique tool for espionage scenarios, not a mainstream corporate threat," explained Victor Wieczorek, senior VP of offensive security at GuidePoint Security.

"The broader lesson is simpler: if a device can record audio, treat it as a potential covert channel and control it accordingly.”