As if there weren’t enough security threats that hover over smartphones and tablets, researchers at the University of Alabama at Birmingham have found that mobile malware attacks can be triggered by music.
As a serious music lover, you can bet this caught my attention. ESET’s WeLiveSecurity blog explained it this way:
A team of researchers was able to trigger pre-installed malware from a distance of 55 feet using music as a signal. They were also able to use light from monitor screens and overhead bulbs, as well as vibrations from a subwoofer in separate tests. Signals could be sent using “low-end PC speakers with minimal amplification and low volume,” the researchers said.
The researchers said that using signals picked up by a device's sensors, like music, as a trigger changes how we understand malware. Before, it was spread by written communication – an email, a download – something that we could see and read. And react to. If we saw a phishing email with a link or attachment carrying malware, we knew to ignore it and to make sure our AV software was working. As one of the researchers, Ragib Hasan, stated in a release:
We devote a lot of our efforts towards securing traditional communication channels. But when bad guys use such hidden and unexpected methods to communicate, it is difficult if not impossible to detect that.
One positive note – this malware technology doesn’t seem to be a problem. Yet. As Shams Zawoad, a doctoral student and graduate assistant on the research team, pointed out, this type of attack is very sophisticated and is very difficult to execute. But the bad guys seem to catch on quickly, so you know it is just a matter of time.
So no, this isn’t something that enterprises will have to start building into their BYOD policies today or tomorrow. I can’t even imagine how difficult that would be to add – avoid places playing canned music or using artificial light? (Coffee shops would suddenly become silent and the fight to sit next to windows would be more brutal than the fight over tables next to power outlets.) However, it is something that security decision makers will have to keep an eye on, to understand how well their security will hold up against attacks triggered through these sensors.