Don't Look Up: Ubiquitous Data Exfiltration Pathways in Commercial Spaces

TL;DR

This paper reveals that commercial buildings are vulnerable to a new data exfiltration method using vibrations from transmitters, capable of transmitting high-quality data across the building's infrastructure, even if air-gapped.

Contribution

It identifies a novel exfiltration attack exploiting building vibrations, demonstrating its feasibility and potential for high data rates in real-world commercial buildings.

Findings

Achieved a bit rate of 300Kbps using vibration channels

Successfully transmitted audio, images, and video data

Discussed challenges in detection and countermeasures

Abstract

We show that as a side effect of building code requirements, almost all commercial buildings today are vulnerable to a novel data exfiltration attack, even if they are air-gapped and secured against traditional attacks. The new attack uses vibrations from an inconspicuous transmitter to send data across the building's physical infrastructure to a receiver. Our analysis and experiments with several large real-world buildings show a single-frequency bit rate of 300Kbps, which is sufficient to transmit ordinary files, real-time MP3-quality audio, or periodic high-quality still photos. The attacker can use multiple channels to transmit, for example, real-time MP4-quality video. We discuss the difficulty of detecting the attack and the viability of various potential countermeasures.