What if it was possible to remotely steal data from a target's computer without having to physically install a bug? And what if you could do so without having to send that data through the internet using the target's wireless network, which might set off alarms?
That's exactly the idea behind Funtenna, an ingenious hack that can turn connected devices—the internet of things—into bugs capable of transmitting data out of a network using audio waves that can't be heard by a human ear.
Electronic devices, such as computers or telephones, emit high frequency sounds and signals, and as early as the 1970s, the NSA took advantage of these signals for its spying operations. More recently, the spy agency has been using small, physical bugs implanted inside a target's computer that can be used to siphon data out thanks to a sophisticated technique that essentially consists of beaming a radio signal at the bug and have it reflected back.
But with a Funtenna, a spy needs only to install malware on a device such as a printer or an office phone, after which the wires and components of the device itself can be turned into a radio transmitter.
The device can then be forced to emit radio signals that can be used to transmit data. These signals can be picked up with a software defined radio receiver (a device that can be programmed to send and receive a wide range of radio frequencies using software instead of hardware), and an AM radio antenna.
Funtenna turns the internet of things into bugs capable of transmitting data out of a network using audio waves.
Ang Cui, the chief scientist at Red Balloon Security and a recent PhD graduate from Columbia University, showed me how Funtenna works during a demo at his office in Manhattan a couple of weeks ago. He's going to present his research at the Black Hat security conference in Las Vegas on Wednesday.
For the demo, Cui installed malware he wrote on a Pantum printer—a cheap wireless laser printer that has all the necessary hardware to act as a covert bug. However, Cui told me the technique could work with other embedded devices, and even laptops.
First, to show he had complete control of the printer and could turn it into an "improvised transmitter," as he put it, he forced it to play a loud sound.
"Can you make it play a song?" I asked.
Cui laughed, but said it might be possible. Earlier this week, he sent me an audio file. The sounds, except for the drum and the text to speech, all come from a hacked printer.
This is obviously a stunt, and not a great way to be stealthy, but Cui can also make the printer emit ultrasounds that can't be heard, and even radio signals that can be modulated to stealthily transmit data out of the printer, and out of the building, to a nearby receiver.
For Cui, this is a "much more attractive way to go about" siphoning data out of network compared to some of the NSA's bugs, he told me, "because instead of having a physical implant and the need to illuminate the thing with a radar gun with direct line of sight, you can send software into machine, transmit data out, and if you want to erase your presence you just delete the software."
Cui can make the printer emit ultrasounds that can't be heard, and radio signals that can stealthily transmit data out.
In practice, using Funtenna, spies could infect a printer in an office building to get into the network, then move to other devices such as computers and steal small amounts of data such as crypto keys. Then they can use the printer to exfiltrate that data out, without using the network. The same technique, Cui said, could be use to collect microphone data by compromising office phones.If you understand how radio signals work, and you know a thing or two about hacking, you can watch a demo of how Funtenna works below.
Cui said his technique might help explain what he defined as "vodoo hacker" tales, such as the mysterious malware badBIOS, capable of spreading itself to and from computers not connected to the internet.
"That type of stealthy data exploitation is a absolutely plausible," Cui told me. "It's not only plausible, it's here."