Tech Alert: Ultrasonic Inaudible Sounds Can Take Over Your Phone or Computer

Voice recognition systems built into your phone, computer, or other devices, such as Siri, Google Now, Cortana, or Alexa, can respond to ultrasonic sounds far above your hearing range. If a computer or smartphone has the voice features activated, the device could secretly be given commands to make phone calls, access malicious websites, or use many other vulnerable features without the user being aware.

This could be used for deliberate eavesdropping, surveillance, or other forms of espionage attack. If a command was given to dial a specific phone number, for instance, the call could connect and let the adversary listen in on all nearby conversations.

Previous research [here] from UC Berkeley and Georgetown U found that Google Now could interpret commands even though the audio had been severely distorted. See previous article Manipulating Phone Commands.

Researchers from Zhejiang University in China designed a completely inaudible attack on speech recognition systems they dubbed “DolphinAttack”. Their system modulates voice commands using ultrasonic frequencies higher than 20 kHz. Their full report is available [here].


DolphinAttack demonstrated by playing the command “Hey Siri” followed by a phone number.
First done audibly then inaudibly using ultrasonic frequencies.

They found that the microphone and audio circuits common in smartphones and computers were still sensitive to these higher frequencies. The audio commands would be successfully interpreted by the speech recognition systems. They tested popular systems including Siri, Google Now, Samsung S Voice, Huawei HiVoice, Microsoft Cortana, and Amazon Echo (Alexa).

Some of the attacks they were able to successfully complete include activating Siri to initiate a FaceTime call, using Google Now to switch a phone into airplane mode, and even manipulating the navigation system in an Audi Q3.

Lab setup for testing ultrasonic attack
Lab setup for testing ultrasonic audio commands using electret (ECM) and electro-mechanical (MEMS) mics.
[Photo: Guoming Zhang, Chen Yan]

Their tests required that the modulated source be fairly close to the microphone of the device under test, typically from 10 to 160 cm. The lab setup, using a higher-powered signal source, achieved greater distance than the smaller portable system they designed.

Ultrasonic portable attack setup
Portable setup for ultrasonic audio commands using a Galaxy S6 Edge, an ultrasonic transducer, and a low-cost amplifier.
[Photo: Guoming Zhang, Chen Yan]

The researchers did offer a few defenses that seem to fall on the manufacturers, including filtering microphone input to block or suppress ultrasonic frequencies, adding a module that could cancel a baseband part of the modulation, and a software countermeasure that could block commands based on distinctive features of the ultrasonic attack.
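The first defense above, suppressing ultrasonic input, depends on where the filter sits. The sketch below is an added illustration, not code from the researchers or from this article. It assumes the microphone front end has a small quadratic nonlinearity that shifts a modulated ultrasonic signal down into the voice band. The carrier, tone, nonlinearity coefficient and filter are all constructed values. It compares a low-pass filter placed after the microphone stage with one placed before it.

```python
import math

FS = 192_000         # simulation sample rate in Hz, high enough to represent the carrier
CARRIER_HZ = 30_000  # constructed ultrasonic carrier, above the 20 kHz hearing limit
TONE_HZ = 1_000      # constructed 1 kHz tone standing in for a spoken command
WINDOW = 9_600       # 50 ms analysis window: whole cycles of both frequencies
SETTLE = 960         # samples discarded so the filter start-up transient is ignored


def tone(freq_hz):
    return [math.cos(2 * math.pi * freq_hz * n / FS) for n in range(SETTLE + WINDOW)]


def modulated_carrier(depth=0.8):
    """Tone amplitude-modulated onto the carrier: energy at 29-31 kHz, none at 1 kHz."""
    return [(1 + depth * m) * c for m, c in zip(tone(TONE_HZ), tone(CARRIER_HZ))]


def microphone(samples, a2=0.2):
    """Assumed front-end model: linear response plus a small quadratic term."""
    return [x + a2 * x * x for x in samples]


def low_pass(samples, cutoff_hz=8_000, stages=4):
    """Cascade of one-pole low-pass stages (an assumed filter, chosen for brevity)."""
    alpha = 1 - math.exp(-2 * math.pi * cutoff_hz / FS)
    out = list(samples)
    for _ in range(stages):
        y = 0.0
        for i, x in enumerate(out):
            y += alpha * (x - y)
            out[i] = y
    return out


def amplitude_at(samples, freq_hz):
    """Amplitude of one frequency component over the settled analysis window."""
    win = samples[SETTLE:]
    re = sum(s * math.cos(2 * math.pi * freq_hz * n / FS) for n, s in enumerate(win))
    im = sum(s * math.sin(2 * math.pi * freq_hz * n / FS) for n, s in enumerate(win))
    return 2 * math.hypot(re, im) / len(win)


def compare_filter_placement():
    """1 kHz level that would reach the recognizer for each filter position."""
    ultrasonic, voice = modulated_carrier(), tone(TONE_HZ)
    return {
        "in_air": amplitude_at(ultrasonic, TONE_HZ),
        "no_filter": amplitude_at(microphone(ultrasonic), TONE_HZ),
        "filter_after_mic": amplitude_at(low_pass(microphone(ultrasonic)), TONE_HZ),
        "filter_before_mic": amplitude_at(microphone(low_pass(ultrasonic)), TONE_HZ),
        "audible_voice_filter_before": amplitude_at(microphone(low_pass(voice)), TONE_HZ),
    }


if __name__ == "__main__":
    for name, level in compare_filter_placement().items():
        print(f"{name:28s} {level:.6f}")
```

In this model a filter after the nonlinear stage removes the carrier but leaves the recovered 1 kHz tone almost untouched, while the same filter ahead of that stage suppresses it and still passes an ordinary audible voice.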

Cortana command control
Microsoft Cortana Settings

Simpler countermeasures include disabling voice recognition features of your devices through the standard feature settings. The microphone on many smart phones can also be disabled by plugging in a 3.5mm external mic connector that has had the microphone disconnected or cut off. If you use an external microphone on your computer, you may want to choose one with a physical switch to keep it turned off when not in use.

This may not pose a major threat for most people at this time, due to distance requirements and other limitations. As more and more sensors are introduced into our environment, though, we should be aware of their presence at all times, as well as what information is communicated in their vicinity.

Full PDF:
DolphinAttack: Inaudible Voice Commands

Additional reports can be read at:
http://thehackernews.com/2017/09/ai-digital-voice-assistants.html
https://www.fastcodesign.com/90139019/a-simple-design-flaw-makes-it-astoundingly-easy-to-hack-siri-and-alexa

Zhejiang University researchers include:
Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang, Taimin Zhang, and Wenyuan Xu.

September 7th, 2017

New Stylish RFID Blocking Wallet in Development

CardTrak Staff, June 28, 2017

In these days of electronic eavesdropping, carrying around a bunch of credit cards with contactless features (RFID) can make you vulnerable to fraud. The solution is simple: a quick-access wallet made from carbon fiber materials.

A startup company is launching a line of stylish Carbon Fiber Wallets with RFID blocking, this fall.

You can play a part in their launch by making a small pledge or placing an advance order. The PITAKA New Carbon Fiber Wallet KickStarter campaign is underway.

PITAKA has years of experience working with carbon fiber and composite materials for major phone companies and brings that particular expertise to this new project. Their latest product, the PITAKA New Carbon Fiber Wallet is modular, magnetic strip friendly, features RFID blocking and securely protects daily essentials in a gorgeous, quick access wallet with unparalleled style and security.

The PITAKA New Wallet is made of 100% carbon fiber material to achieve the slimmest, strongest and most versatile wallet available today. One glance and it’s apparent that this is no ordinary wallet. The tell-tale carbon fiber surface looks and feels great and presents a modern style that is totally unique for a wallet. The design features 6 special modules that can safely hold up to 10 credit cards plus daily essentials such as cash, coins, memory cards, keys and more.

Designed to be functional as well as good-looking, the PITAKA New incorporates smart modern tech that makes all other wallets obsolete. Each of the PITAKA’s unique modules is connected using powerful magnets which contribute to the wallet’s ultra-slim size. Using magnet closures allows the wallet to remain secure, yet able to open with a quick flick for fast access to cards, cash or other items.

Users can mix and match the modules depending on their needs to create a customized wallet. The box module is perfect for coins and memory cards, a money clip module handles bills, and a tool module can open a bottle or solve life’s little problems.

Of particular note is the RFID blocking and the anti-degaussing module, two essential security features that help prevent theft and card damage. The RFID blocking feature keeps credit cards, driver’s licenses and other cards safe from RFID skimming, a form of theft that allows criminals to steal information. The anti-degaussing module further protects the magnetic stripe on cards by blocking damaging interference.

Researchers design sounds that can be recorded by microphones but inaudible to humans

June 23, 2017

Coordinated Science Lab

The sound’s frequency is designed by the researchers and transmitted from ultrasonic speakers, completely inaudible to humans but able to be recorded by microphones. Credit: Coordinated Science Laboratory

Microphones, from those in smartphones to hearing aids, are built specifically to hear the human voice—humans can’t hear at levels higher than 20 kHz, and microphones max out at around 24 kHz, meaning that microphones only capture the sound we can hear with our ears.

However, researchers at the Coordinated Science Laboratory at the University of Illinois have designed a sound that is completely inaudible to humans (40 kHz or above) yet is audible to any microphone. The sound combines multiple tones that, when interacting with the microphone’s mechanics, create what researchers call a “shadow,” which is a sound that the microphones can detect.

The team, which includes PhD student Nirupam Roy and CSL Professors Romit Roy Choudhury and Haitham Hassanieh, sees many applications for this work. Their paper, titled “BackDoor: Making Microphones Hear Inaudible Sounds,” won the Best Paper Award at a leading conference, MobiSys 2017.

“Imagine having a private conversation with someone. You can broadcast this inaudible signal, which translates to a white noise in the microphone, to prevent any spy microphones from recording voices,” said Roy, a PhD student in electrical and computer engineering. “Because it’s inaudible, it wouldn’t interfere at all with the conversation.”

According to the researchers, military and government officials could secure private and confidential meetings from electronic eavesdropping or cinemas and concerts could prevent unauthorized recording of movies and live performances.

The signal can also be used to send communication between Internet of Things (IoT) devices, such as an Amazon Echo or Google Home, which would reduce the growing load on Bluetooth, since Bluetooth is primarily how IoT devices communicate. They also foresee that this signal could protect users from unauthorized recording when communicating with voice-activated systems.

“We thought, can we design an application so that when you are actually giving a message, like to an Amazon Echo, no one can record your voice to the Amazon Echo if we’re playing this sound?” said Roy. “Voice-activated systems are everywhere, so now it is important to build defenses against attacks that can be launched through your voice.”


The team acknowledges there may be ways to misuse this technology, though they hope that by knowing the problems that can arise, they can build measures to protect against it.

“Inaudible sound jammers, could, for example, affect someone wearing a hearing aid because the internal microphone would pick up that sound,” said Roy. “Or, for example, in a bank robbery, someone might be trying to make a phone call to 911, but this sound could jam all the phones trying to make calls.”

Like all techniques, inaudible sounds can be used in different ways, but “with this knowledge of how it can be used negatively, we can develop strategies to prevent it,” said Roy Choudhury, an associate professor of electrical and computer engineering.

The sound’s frequency is designed by the researchers and transmitted from ultrasonic speakers, but the microphone—the receiver of the signal—is not altered in any way. Off-the-shelf microphones will react in the same way to the signal.

“Microphones are in millions of devices, including all of our smartphones,” said Hassanieh, an assistant professor of electrical and computer engineering. “And this signal can be received without modifying the microphone, making this technique readily available to interact with the devices around us.”

Hidden Recorder Discovered in Commissioners’ Office

Thursday, June 01, 2017

County officials consider opening an investigation

By Leah Wankum/Richmond News Editor

A recording device was discovered hidden in the Ray County commissioners’ office late last week.

The small, thin, black recorder – the size of a thumb drive – was found on one of the chairs at a table near the entrance to the office. On the device was a piece of clear tape, rolled sticky side out. County officials suspected that it had been stuck to the bottom of the table.

The device was found late Friday morning, just before a meeting among Eastern Commissioner Allen Dale, Prosecuting Attorney Camille Johnston and Sheriff Garry Bush. Donna Dunwoodie, the county roads and bridges secretary, discovered it lying on the chair when she was arranging chairs for the meeting.

The complete story is in the Friday, May 26, 2017 Richmond News.

NOTE: This is an issue I’ve frequently thought about with the ease of deploying these recording and transmitting devices. City council chambers where closed sessions are conducted, judges’ chambers where they meet with attorneys, the offices of corporate general counsel, CEO offices, and the list goes on and on.

Are You In Denial? – It’s Very Easy to Plant a “Bug” and Easier to Buy One

Senior executives and the corporations they represent from critical industries such as agribusiness, banking and finance, energy, the legal field, manufacturing, and pharmaceuticals are being targeted across the globe by espionage operatives. Our primary purpose during a technical surveillance countermeasures (TSCM) inspection is to uncover electronic devices used in corporate espionage attacks. However, other aspects of our business include providing an honest assessment of the security of your facility as well as to show executives how easy it is to introduce a “bug” (transmitting or recording device) into their corporate spaces where it is assumed to be safe to conduct sensitive meetings and discussions. Places like office suites, board rooms, conference rooms, private residences, or hotel suites. Incidentally, hotel rooms are one of the easiest spaces to gain access to and there is an expansive array of places where transmitters and cameras can be installed.

Today’s bugging devices are sensitive, versatile, and easy to obtain, frequently at prices far under $100. GSM transmitters, as an example, are essentially remote controlled cell phones. Many are secreted by the manufacturer in common office and household items for easy emplacement. A basic GSM transmitter is so small that it can be easily hidden in a target space with virtually no training required. The device can be configured off site, carried to the target location, and installed by anyone including custodial staff, a member of a tour group, or a person posing as a job applicant. The device can then be turned on and listened to from anywhere in the world where there is cell phone service. No more sitting in the back of a van parked down the street from the target location. Some of the GSM devices are voice/noise activated and alert your smart phone by text message when voices are detected. You don’t even have to know when a meeting is going to take place for monitoring and recording.

The difficulty in finding this type of device during a TSCM inspection is that they are frequently dormant (non-transmitting) until they are turned on and start transmitting, so there is no radio frequency signature that makes them easy to find. Therefore, a board room or office suite may test negative during a low tech inspection of the space using “spy shop grade” equipment. The device can then be activated only as necessary, prolonging the life of the battery, and broadcasting every word during the meeting. I’ve got a GSM device lying here next to me, purchased off the internet, which is in a small black plastic box measuring 1 5/8” X 1 ¼” X ½”. Just charge the battery, insert your SIM card, program the device following the simple directions, and you’re ready to go. Very easy to hide under or behind a piece of furniture. Voice activated and sends a text message to your smart phone alerting you that the device has detected voices. Listen to it from half way around the world if you like. All that’s required for installation after set up is completed is a piece of high quality double-sided carpet tape.

GSM transmitters are hidden in functional USB charging cubes that go unnoticed in almost any environment plugged in to a 110-volt AC outlet. There is even a version that is a functional cell phone charger that plugs in to a 12-volt vehicle outlet. That device not only allows for audio monitoring of the vehicle interior but also functions as a GPS tracker with Google Earth interface. Both are available for less than $50.

Similar to the GSM devices are the emerging WiFi devices that function much like the GSM items but transmit using the local WiFi instead of cellular technology. Of course that requires access to the facility WiFi either by hacking in or getting the WiFi login from an employee (can you say “insider threat?”).

Typical commercial security focuses on things like ID badges and access control to create the impression that there is protection against intrusion and technical surveillance device emplacements. Since most commercial security breaches are perpetrated by employees (i.e. the insider threat), those security measures are effectively useless. In reality common access control measures make it easier to gain entry to the building if you’re able to recognize the vulnerability and exploit it. Bottom line: “the appearance of security doesn’t translate to real security.” Typical corporate security measures intended to protect against the constant threat of corporate espionage essentially offer a false sense of security.

Detection of these types of electronic surveillance devices, especially when they are dormant, is extremely difficult without specialized tools and knowledge. You will need a professional TSCM inspection to assure your privacy has not been compromised.

Think of all the conversations that take place in corporate board rooms around the country and world on a daily basis. Subjects like product development, R&D discoveries, technology and software breakthroughs, mergers and acquisitions, potential market expansion, sensitive business negotiations with subcontractors, or sensitive internal employee issues. One bit of information gleaned from one of these meetings through eavesdropping may be worth several million dollars to a competitor, not to mention loss of potential patent protection, loss of market share, impact on stock price, and damage to brand name and image. Then if you try to reclaim the information through a lawsuit, the first question that will inevitably be raised by the defense attorney during depositions will center on what measures you took to protect the so-called sensitive and valuable information that is now in the possession of their client (your competitor). Your response under oath will be essentially nothing.

What’s the biggest threat to the protection of sensitive corporate information? Quite simply it’s denial. Denial that there is a threat and denial that you could be victimized. You can’t imagine how many times I’ve heard the comments, “We’ve been in business here for X number of years and never had a problem. . .” or “We had a guy in here a few years ago. He walked around with a device with some antennas and flashing lights and didn’t find anything so we thought we were OK.”

Don’t wait until you’ve lost a few million dollars before you take measures to protect yourself from loss. Electronic surveillance threats continue to gain momentum. An underground industry centered on sales, installation, and monitoring of electronic devices generates approximately $2.2 billion each year according to a US Department of State study. If your company operates in a sensitive industry (you know who you are) rooms used for board meetings and sensitive meetings need to be inspected routinely by a TSCM specialist to ensure the rooms are free from transmitters or recorders. If possible those areas should remain locked and used exclusively for sensitive meetings.

If you have questions feel free to reach out to me at info@tscm-solutions.com so we can discuss your concerns or arrange a confidential inspection.   If you prefer you can use the contact/inquiry form on our web site at www.tscm-solutions.com. If you visit the web site you’ll find additional information on typical areas of concern for electronic eavesdropping as well as common indicators that may point to the possibility you or spaces under your control have been compromised.

If you suspect your sensitive business information, trade secrets, or personal information have been compromised, or are at risk, due to eavesdropping please contact us and provide a safe phone number and/or e-mail away from your area(s) of concern and we will contact you as soon as possible.  Do not use your personal cell phone. If you feel communication via encrypted e-mail is required advise us of that and we will quickly arrange for secure communication.   

 

Watch Out for Workplace Intruders – The Social Engineering Threat

Security Weekly

October 13, 2016 | 08:00 GMT

The unknown person at your office could be a co-worker you have not yet met — or a criminal who is up to no good.

By Ben West

A series of high-profile computer crimes has grabbed headlines this year. An elaborate CEO email scam netted fraudsters almost $100 million from Bangladesh’s central bank in February. In the spring, the Panama Papers leak of stolen electronic files exposed thousands of individual and corporate offshore bank accounts. The U.S. Democratic National Committee and state election commissions were hit by hackers who intercepted email communications. But a warning from the FBI office in Houston in early October reminded corporate security professionals not to overlook a well-worn tactic: the physical theft of sensitive material by people who intrude into workplaces. Much like the hackers who threaten companies’ efforts to keep information secure, the old-fashioned “office creeper” can use a variety of methods to penetrate physical security and gain access to company property and secrets.

A Creeping Threat

On Oct. 4, the FBI issued an appeal to the public for help in investigating intrusions from 2015 into an unnamed international energy firm’s Houston offices. The FBI released surveillance footage of the two incidents: one on June 25, the other on Dec. 30. In the June incident, a man wearing a dress shirt, slacks and a baseball cap entered the company’s offices at about 3 a.m. through an unlocked security door. He can be seen walking the halls, getting in an elevator and leaving with two bags that he did not possess earlier. The man moves confidently — like an employee familiar with the building, not like a thief. The FBI is concerned that he may have taken sensitive material in a possible case of industrial espionage. (In the second break-in, the culprit is shown trying but failing to enter the company’s main office suite and takes a security radio off a desk on his way out.)

It is easy to imagine the value of information that a major energy company would possess. Choice pieces of information could be worth millions of dollars to corporate rivals or foreign governments. Chinese intelligence services in particular have demonstrated an appetite for insider knowledge they could use to benefit state-owned enterprises. Recent revelations of an office intrusion at a renewable energy firm in Edinburgh, Scotland, appear to link an official Chinese state visit in early 2011 with an overnight burglary two months later that netted several thousand dollars’ worth of laptops. A Chinese prototype of a wave energy machine similar to the Scottish company’s design was released three years later. Authorities have not confirmed that the 2011 break-in was tied to Chinese industrial espionage, but the details surrounding the case suggest that the theft was more strategic than a simple burglary.

In contrast to the Scotland burglary, several factors indicate that the Houston incident was more likely the work of an opportunistic office creeper than a sophisticated spy. Electronic infiltration is the tactic of choice for leading industrial espionage powers such as China and Russia because of the broader access and lower risk it offers. If a human source is needed, foreign intelligence agencies or rival companies tend to recruit a current or recently departed employee to access proprietary information. When a state intelligence service directly engages in physical intrusions, its operatives demonstrate higher degrees of tradecraft (such as the ability to pick locks) than did the Houston suspect. In addition, sending an agent to nose around in the middle of the night is a high-risk/low-reward operation, an unlikely task for a well-trained professional.

Gaining Access

Office creepers are like computer hackers in that they seek access to unauthorized areas they can exploit for their own gain. Some are opportunistic, like the thief in Southern California who, in 2015, targeted offices during lunch hours, entering and stealing electronics when workers were most likely to be away from their desks. If confronted, he would claim that he was lost and ask for directions. Other intruders are more organized. One Ohio thief, Larry Cobb, would wear a homemade ID badge when he targeted offices during the early 2000s. Cobb was caught and sent to prison in 2007, but within a few months of his release in 2013, he returned to his old ways — this time with added sophistication. He recruited others to help him commit systematic fraud using credit cards filched from wallets and purses left unattended in the offices he burgled during regular business hours. Victimized employees rarely confronted him, even though they later said they had a strange feeling about him, and authorities say Cobb was involved in hundreds of office creeper cases over the years.

The most famous of the modern-day office creepers, though, is probably Ameenah Franks, who, like Cobb, served time in the early 2000s for stealing from employees after illegally accessing office spaces. Franks, however, went after much harder targets, including government agencies in Washington; the Federal Reserve Bank of Richmond, Virginia; law firms; and even the offices of the Nuclear Regulatory Commission in Maryland. Franks also returned to office creeping after her sentence was up, was caught and was sentenced again in 2016.

The tactics employed by office creepers and computer hackers often parallel one another. In at least one case, Franks used a stolen security access card to enter secure parts of a building — much as a hacker uses stolen or cracked passwords to access secure computer networks. The man who broke into the Houston firm in 2015 took advantage of a faulty door, like a hacker who exploits a backdoor system vulnerability. But the most common tactic used in both office creeping and hacking seems to be social engineering.

Social engineering is a type of confidence trick. An intruder convinces an authorized worker to give him or her access to an off-limits area. Franks repeatedly used this tactic to gain access to secure government buildings. She flirted with security guards, convinced people that she had left her badge at her desk, chatted up employees outside buildings and then tailed them inside, or stood outside entryways smoking while waiting for someone to open the door. Franks relied on her ability to convince people she was someone who she was not. More extreme versions of social engineering can involve the use of props, such as wearing a hard hat and carrying a clipboard, or carrying a toolbox and ladder, which gives employees a reason to open the door for the imposter.

A Deeper Danger

Many office creepers are simply out to steal personal property. That is just the tip of the iceberg, however, when it comes to the damage an intruder can inflict on a company and its employees. Espionage is a form of surveillance, and all of those familiar with the attack cycle know that pre-operational surveillance is critical to staging a successful attack. Energy companies, for instance, are often targeted by protesters to make a political point. If the protesters gained access to a restricted office building, they would have many opportunities to wreak havoc through sabotage, disruptions or both in a bid to generate adverse publicity. A disgruntled former employee, an extremist with violent motives or a delusional individual could even take lives. In June, police arrested a man carrying firearms and explosive devices on a Google corporate campus. He had attacked the company’s offices several times before because he thought Google was spying on him.

Physical infiltration can assist electronic infiltration and vice versa. Much as social engineering operations have been the root of many successful electronic intrusions, hacking groups also can benefit from gaining access to restricted areas to fill in information gaps about a company. In the case of the Bangladesh central bank, for example, investigators said the perpetrators used inside knowledge of the bank’s communications and hierarchy to enhance the plausibility of their email scam. The Stuxnet worm, one of the most powerful computer weapons yet deployed, disabled Iranian centrifuges processing nuclear material in 2009-10. It is believed to have been introduced using a USB drive that had to be physically connected to a computer.

There are many reasons for people to enter unauthorized areas, including mundane curiosity. Though mechanical security systems are an important tool for countering intrusions, no system is perfect. Humans can override nearly all automated security measures, ensuring that social engineering will remain a threat to physical and network security alike. Companies can deter office creepers and the threats that they pose by practicing standard facility security measures: enforcing badge policies, restricting access with door codes and timers, and, most important, encouraging employees to confront people who try to follow them into restricted areas.

Confronting a Creeper

In many successful office creeper cases, employees cited the social difficulty of challenging people they do not recognize when working in a large office. More often than not, the stranger following you onto the elevator turns out to be a new employee or a co-worker from a different department. Calling someone out as a potential intruder risks embarrassment and offense, but there is no need for the interaction to be hostile. Regular workplace trainings can create an environment in which security enforcement is normal. For reasons that transcend good security practices, encouraging employees to introduce themselves to fellow workers makes for a better workplace. If you do not recognize the person following you into a restricted area, use the opportunity to meet him or her. If someone is not displaying an ID badge, make it a learning moment and remind the person that wearing badges is required. If the person’s story does not check out or if he or she cannot produce the proper credentials, alert a security manager.

General awareness on the part of employees can dramatically improve corporate security and deter the majority of opportunistic office intrusions. Increased awareness of the social engineering threat can deter many electronic intrusion attempts as well. Practicing common-sense security measures will help preserve employees’ property, work or, in extreme cases, their lives.

IT Security Alert: The USB Leech

“The LAN Turtle is a covert systems administration and penetration testing tool providing stealth remote access, network intelligence gathering, and “man-in-the-middle” monitoring capabilities. Housed within a generic “USB Ethernet Adapter” case, the LAN Turtle’s covert appearance allows it to blend into many IT environments.” Since almost no one ever looks behind their computer case unless they need to attach a new piece of wiring or hardware, the likelihood of one of these being detected is almost nonexistent.
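Because a visual check behind the machine is unlikely, the host itself can report what is plugged in. The script below is an added example, not part of the quoted product description. It assumes a Linux host and that such a device enumerates as a USB network adapter. It lists every USB-attached network interface from sysfs and compares it with an allowlist. The allowlist IDs are placeholders constructed for the example.

```python
import os

# Hypothetical allowlist of approved USB network adapters, keyed by
# (idVendor, idProduct). The IDs are placeholders constructed for this example.
APPROVED_ADAPTERS = {("aaaa", "0001")}


def read_attr(path):
    """Return the stripped contents of a sysfs attribute, or None if absent."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


def owning_usb_device(device_link):
    """Walk up from a NIC's device directory to the USB device that owns it.

    USB device directories in sysfs carry an idVendor attribute; PCI and
    on-board NICs have none above them, so they return None.
    """
    path = os.path.realpath(device_link)
    while path != os.path.dirname(path):
        if os.path.isfile(os.path.join(path, "idVendor")):
            return path
        path = os.path.dirname(path)
    return None


def audit_usb_nics(sysfs_root="/sys", approved=APPROVED_ADAPTERS):
    """List every USB-attached network interface and whether it is approved."""
    findings = []
    net_dir = os.path.join(sysfs_root, "class", "net")
    for iface in sorted(os.listdir(net_dir)):
        device_link = os.path.join(net_dir, iface, "device")
        if not os.path.exists(device_link):
            continue  # virtual interface such as lo, a bridge or a tunnel
        usb_dir = owning_usb_device(device_link)
        if usb_dir is None:
            continue  # PCI or on-board NIC
        ids = (read_attr(os.path.join(usb_dir, "idVendor")),
               read_attr(os.path.join(usb_dir, "idProduct")))
        findings.append({
            "interface": iface,
            "usb_id": "%s:%s" % ids,
            "product": read_attr(os.path.join(usb_dir, "product")),
            "mac": read_attr(os.path.join(net_dir, iface, "address")),
            "approved": ids in approved,
        })
    return findings


if __name__ == "__main__":
    for nic in audit_usb_nics():
        status = "ok" if nic["approved"] else "UNAPPROVED"
        print(f'{status:10s} {nic["interface"]:10s} {nic["usb_id"]}  '
              f'{nic["product"]}  {nic["mac"]}')
```

Run on a schedule and on USB hot-plug events, an unapproved entry is the cue to go and look behind the machine.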
 

Dutch Man Arrested Over Suspected Spying at Siemens

World News | Fri Apr 7, 2017 | 6:20am EDT

By Thomas Escritt and Toby Sterling | AMSTERDAM

AMSTERDAM Siemens said on Friday that an employee had been arrested in the Netherlands in a case which the country’s financial crimes prosecutor said involved suspected espionage for a Chinese competitor.

“I can confirm that a Siemens Netherlands employee was arrested by police yesterday for questioning,” Siemens spokesman Leo Freriks said.

He said the investigation was directed “at the employee and not Siemens as a company”. He did not disclose which department the employee worked for or whether it was known if secrets had been leaked.

Headquartered in Germany, Siemens is a leading European manufacturer involved in sectors including automation, building technologies, drive technology, healthcare, mobility, energy and consumer products.

The man, whom they identified as a 65-year-old living in the province of Twente, is suspected of having leaked patent and other company secrets, the Netherlands’ national financial crimes prosecutor said in a statement.

Investigators said the man was detained on a train station platform as he was about to travel to China.

In addition to searching his baggage, they raided his home and workplace, seizing several digital memory devices.

Corporate espionage cases rarely come to light in the Netherlands.

Panasonic Accused of Bugging Biz Partner’s Meeting to Steal Info

By Lisa Fickenscher / New York Times

March 2, 2017 | 10:02pm | Updated March 3, 2017 | 2:56pm

A Panasonic Corp. unit secretly bugged a room where its business partner was holding a crucial meeting so it could steal information to use against the company, the jilted partner claims in a lawsuit.

The sensitive and proprietary info Panasonic Avionics swiped was related to the software used to run its in-flight entertainment systems, the lawsuit claims.

The partner, CoKinetic Systems Corp., said Panasonic bugged a meeting with Emirates Airlines at the carrier’s lab so Panasonic could learn how to make CoKinetic software fail to work with in-flight entertainment systems on Emirates planes.

By souring the CoKinetic-Emirates relationship, Panasonic could swoop in and have its own software replace that of CoKinetic, the lawsuit claims.

“Panasonic has carried out a relentless campaign to maintain monopoly control over the software and media services used by airlines around the world,” Todd Higgins, a lawyer for CoKinetic, said in the lawsuit, filed in Manhattan federal court.

CoKinetic had a 10-year partnership with Panasonic until it recently soured.

Over that period, CoKinetic software had powered Panasonic seat back screens aboard several airlines, including Delta and Virgin America.

Panasonic also bribed airline executives to drop CoKinetic, it is alleged.

CoKinetic learned about the alleged bugs from a Panasonic whistleblower — who was then fired by Panasonic, the lawsuit claims.

Panasonic Avionics also gave Delta Airlines officials free televisions to influence them, the suit says.

The lawsuit continues a rocky 2017 for the Panasonic unit.

In February, it disclosed that the Justice Department was investigating allegations Panasonic had bribed foreign officials.

The same month, Paul Margis, the unit’s longtime chief executive, and Paul Bottiaux, its chief financial officer, left the company.

Panasonic Avionics did not return calls for comment on Thursday.

Panasonic Avionics Corporation (“PAC”) vigorously disputes the allegations made in a lawsuit filed today by CoKinetic Systems Corporation in the Southern District of New York. The allegations are without merit and PAC intends to contest the suit, the company said on Friday.

SPYING THROUGH OFFICE WINDOWS

With talented hackers able to break into just about any device that’s connected to the internet, the best way to keep sensitive data safe is to cut the cord completely. Keeping an “air gap” between a hard drive and other devices forces any would-be thief to physically go to the machine … or so you might think. Cyber security researchers have shown that hackers could hijack the innocent flashing LED on the outside of a computer, and use it to beam a steady stream of data to a waiting drone.

Now, a team at the Ben-Gurion University Cyber Security Research Center has demonstrated a new way that creative crooks could crack that isolated data. A piece of malware infecting an air-gapped computer could harness the hard drive’s LED, making it flash in a very controlled and very fast manner. Flickering thousands of times a second, the virus could blink out a binary code of the desired data, at a rate that a human sitting at that computer wouldn’t even notice. Special cameras or light sensors – say from a drone hovering at the window, with a line of sight to the LED – could then receive and record that information.
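A defender auditing an air-gapped machine can check for this kind of signalling: LED pulses driven by a fixed bit clock have on/off durations that are whole multiples of one short period. The sketch below is an added example, not code from the researchers or the original article; the interval lists are constructed sample data standing in for a light-sensor log, and the 10% tolerance, 0.9 threshold and the premise that ordinary disk activity gives irregular pulse widths are assumptions.

```python
from statistics import median

# Constructed sample data: LED on/off interval lengths in microseconds, as a
# light-sensor logger aimed at the drive LED might record them (assumption).
CLOCKED_US = [250, 498, 252, 247, 751, 250, 503, 249, 251, 1000,
              248, 502, 250, 253, 749, 251, 497, 250, 999, 250]
DISK_IO_US = [1830, 420, 9700, 615, 2240, 388, 15200, 1105, 730, 4410,
              560, 2975, 347, 8120, 1490, 905, 6630, 472, 3310, 1260]


def estimate_period(intervals_us):
    """Estimate the base symbol period as the median of the shortest quarter."""
    shortest = sorted(intervals_us)[: max(1, len(intervals_us) // 4)]
    return median(shortest)


def clocked_fraction(intervals_us, tolerance=0.1):
    """Fraction of intervals within `tolerance` periods of a whole multiple."""
    period = estimate_period(intervals_us)
    hits = 0
    for duration in intervals_us:
        ratio = duration / period
        multiple = round(ratio)
        if multiple >= 1 and abs(ratio - multiple) <= tolerance:
            hits += 1
    return hits / len(intervals_us)


def assess_led_trace(intervals_us, min_intervals=16, threshold=0.9):
    """Flag traces whose pulse widths line up on a fixed clock."""
    if len(intervals_us) < min_intervals:
        return {"suspicious": False, "reason": "too few intervals to judge"}
    fraction = clocked_fraction(intervals_us)
    period = estimate_period(intervals_us)
    return {
        "suspicious": fraction >= threshold,
        "clocked_fraction": fraction,
        "symbols_per_second": round(1_000_000 / period),
    }


if __name__ == "__main__":
    for name, trace in (("clocked", CLOCKED_US), ("disk I/O", DISK_IO_US)):
        print(name, assess_led_trace(trace))
```

Random pulse widths still land near a whole multiple about 20% of the time at this tolerance, which is why the threshold sits well above that and short traces are not judged.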

OPTIONS FOR MITIGATION:

  1. Visual surveillance through a window is easy using high-powered optics. Keep computer screens positioned so they can’t be viewed from outside the building.
  2. A “clear desk policy” is always wise when dealing with sensitive information. This policy should be extended to removing sensitive documents from a desk when they are not needed, particularly if there is a window associated with the space.