"This message could just contain the recorded keystrokes, but it is also conceivable to include the Guwmanet/Guwal headers to tunnel the protocol over TCP/IP and to extend the covert acoustical mesh network to another covert network at any place in the world," the researchers said in the paper.
The malware that can implement the acoustical transmission and keylogging needs to be installed on the air-gapped computer using some other method, such as an infected USB stick or an insider with access.
The research shows that network air gaps might not be sufficient to protect data from being stolen by malware. "It highly depends on the level of assurance you need to achieve," Hanspach said. "If you have high valued data, you should think about implementing countermeasures."
The researchers described a few methods to prevent audio transmissions in their paper. The most obvious one is to switch off the audio input and output devices on the air-gapped computers, but this might not be practical in cases where other important applications need access to those devices. "For these cases it is possible to prevent inaudible communication of audio input and output devices by application of a software-defined lowpass filter," the researchers said. "An audio-filtering guard can be used to control any audio-based information flow in a component-based operating system."
A more advanced approach would be to build a host-based audio intrusion detection system that can analyze audio input and output for modulated signals or hidden messages, the researchers said.
The software used for these experiments will not be publicly released, because the researchers don't own the code. However, some of the utilized software components are available as open source, Hanspach said.
It might be possible for other groups to replicate the setup because the techniques used are publicly available, he said.
This research comes after security researcher Dragos Ruiu said last month he believed some of his computers were infected with BIOS malware capable of jumping air gaps possibly by using ultrasonic audio transmissions. The existence of that malware, dubbed badBIOS, has yet to be proven and some people from the security community have doubts about Ruiu's claims.