From providing a simple and low-cost entry system for public transport, to facilitating peer-to-peer payments between two unconnected parties, using sound to transfer data can bring unique benefits to many different applications.
Although the usability benefits and time savings of acoustic data transmission are well understood, the security implications of data-over-sound are less well known. On one hand, audio seems more secure than IP-based connectivity, which can be attacked remotely. But can information broadcast over soundwaves be protected from nearby eavesdroppers?
With this question in mind, let’s take a look at the properties of sound and how industry-standard encryption can be applied to acoustic data transfer to render it secure and safe from the risk of prying ears.
Acoustic vs Radio Frequency (RF) security
To assess sound as a medium for secure data exchange, it helps to understand its fundamental security properties and whether it can perform as securely as other forms of connectivity, such as RF.
Acoustic data transfer is inherently localized, which shrinks the attack surface to the physical range of the signal. It needs no IP-based connectivity to perform the transmission, which reduces the risk of remote attackers interfering. The same locality cuts both ways, though: any device with a microphone within range, including a phone left on a table, can record the transmission, which is why the payload itself still needs protection.
Ultrasonic transmissions are also useful where near-field data transfer is needed in sensitive or RF-saturated environments. Ultrasonic frequencies are strongly attenuated by walls, so a listener in an adjacent building is far less able to eavesdrop than with RF, which passes through walls readily. This makes it well suited to areas such as industrial sites or hotel rooms where certain sensitive data must be kept within the confines of one space.
In regulatory terms, an offline acoustic transmission sends nothing over the internet and stores nothing on a remote server, which keeps the transport itself out of the scope of much of what the General Data Protection Regulation (GDPR) and the Children’s Online Privacy Protection Act (COPPA) regulate. That reduces, though does not by itself eliminate, the compliance burden on the application that ultimately processes the data, and is particularly valuable for those delivering consumer-facing applications.
Encryption with a shared key (AES)
Encryption makes data unreadable to anyone who does not hold the key to decrypt it. Data-over-sound provides the transport layer; an encryption algorithm is applied to the payload before transmission so that nearby listeners capture only ciphertext.
Depending on the use case, different approaches can be taken. A common choice is the Advanced Encryption Standard (AES), one of the most widely adopted encryption algorithms thanks to its long record of public analysis across a range of applications. AES is approved by the United States government for protecting classified information and is the workhorse cipher inside secure transport protocols such as TLS (HTTPS) and SSH. AES is particularly suitable for the low-bandwidth channel that acoustic networking provides because, in a mode such as CTR that needs no padding, the ciphertext is exactly as long as the plaintext; the only overhead is whatever the receiver needs to reconstruct the IV and, if an authenticated mode such as GCM is used, a 16-byte tag.
The first step in applying encryption to audio-based transmission is to choose the AES key size (128, 192 or 256 bits; the block size is always 128 bits) and a shared key held by both the sender and the receiver. Next, an initialization vector (IV) or counter must be chosen for each payload. This value must differ for every payload encrypted under the same key; a repeated IV under the same key leaks the XOR of the two plaintexts in a counter-style mode and is not secure for transmission.
How the IV changes must be known to both parties and reproducible, for instance a sequence number both sides track or a value sent in clear ahead of the ciphertext, because data can only be decrypted with the exact IV it was encrypted with. Finally, the encryption function is called on the payload. In a padding-free mode such as CTR it returns a ciphertext of the same length as the raw payload; block modes such as CBC pad to a multiple of 16 bytes. Note that encryption alone does not detect tampering: an attacker who flips a bit of a CTR ciphertext flips the same bit of the decrypted plaintext, so for anything that carries value (a ticket, a payment) use an authenticated mode such as AES-GCM and budget for its 16-byte tag.
Decrypting an AES ciphertext mirrors the encryption process: the same key and IV are supplied and the steps run in reverse order (for CTR it is literally the same operation).
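The procedure above, as an added example written for this page rather than code from the original article or from any data-over-sound vendor. It uses Go's standard library only. The key, the sequence numbers and the "TICKET:4711" payload are constructed for the example; the sequence number stands in for whatever per-message counter both sides track. It shows the three points the text makes: AES-CTR ciphertext is the same length as the plaintext, a different IV yields garbage rather than the message, and an authenticated mode (AES-GCM) costs 16 extra bytes but rejects a tampered message. It also shows why IV reuse is fatal: two CTR ciphertexts under the same key and IV XOR to the XOR of their plaintexts.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// sharedKey is a constructed 128-bit AES key for this example. In a real
// deployment it is provisioned to sender and receiver out of band.
var sharedKey = []byte("0123456789abcdef")

// ctrIV builds the 16-byte AES-CTR initial counter block from a per-message
// sequence number that both sides track. A sequence number must never be
// reused under the same key (see XORBytes below for why).
func ctrIV(seq uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], seq)
	return iv
}

// EncryptCTR encrypts with AES-CTR. The ciphertext has exactly the length of
// the plaintext (no padding), which is what keeps the acoustic payload short.
// CTR alone gives confidentiality only: nothing detects a modified ciphertext.
func EncryptCTR(key []byte, seq uint64, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, ctrIV(seq)).XORKeyStream(out, plaintext)
	return out, nil
}

// DecryptCTR is the same keystream XOR, so it is the same call with the same seq.
func DecryptCTR(key []byte, seq uint64, ciphertext []byte) ([]byte, error) {
	return EncryptCTR(key, seq, ciphertext)
}

// newGCM wraps AES in GCM; the 12-byte nonce is built from the same sequence number.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func gcmNonce(seq uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return nonce
}

// SealGCM is the authenticated alternative: AES-GCM appends a 16-byte tag,
// so the payload grows by 16 bytes, and any modification is detected.
func SealGCM(key []byte, seq uint64, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, gcmNonce(seq), plaintext, nil), nil
}

// OpenGCM verifies the tag before returning the plaintext; a tampered
// message yields an error and no plaintext.
func OpenGCM(key []byte, seq uint64, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, gcmNonce(seq), ciphertext, nil)
}

// XORBytes returns a XOR b over the shorter length. It demonstrates the IV
// reuse failure: c1 XOR c2 == p1 XOR p2 when both used the same key and IV,
// so a listener recovers the difference between the two plaintexts.
func XORBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func main() {
	ticket := []byte("TICKET:4711") // constructed sample payload
	ct, _ := EncryptCTR(sharedKey, 1, ticket)
	pt, _ := DecryptCTR(sharedKey, 1, ct)
	fmt.Printf("CTR: %d plaintext bytes -> %d ciphertext bytes, round trip ok: %v\n",
		len(ticket), len(ct), bytes.Equal(pt, ticket))

	sealed, _ := SealGCM(sharedKey, 1, ticket)
	sealed[0] ^= 0x01 // one bit flipped in transit
	_, err := OpenGCM(sharedKey, 1, sealed)
	fmt.Printf("GCM: %d bytes with tag, tampered message rejected: %v\n", len(sealed), err != nil)
}
```

The sequence number never travels on the channel here; both sides are assumed to count messages. If that assumption does not hold (lost packets, restarts), send the sequence number in clear ahead of the ciphertext and have the receiver reject any value it has already seen, which keeps the IV unique and blocks replay of an earlier ticket.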
Encryption with a public/private key infrastructure (RSA)
RSA (Rivest, Shamir, Adleman) is a public-key algorithm. It suits situations in which an individual wants to make a secure transaction with a trusted third party whose public key they already hold, for example a bank or point-of-sale terminal: the sender encrypts with that public key, and only the holder of the matching private key can decrypt.
The third party can also prove its identity with an RSA signature: it signs a challenge with its private key, and anyone holding the public key can verify the signature. The two directions use the keys in opposite roles. A message encrypted with the public key can be decrypted only with the private key, and a signature produced with the private key is verified with the public key. The practical cost is size: an RSA ciphertext or signature is as long as the modulus (256 bytes for a 2048-bit key), so over a low-bandwidth acoustic channel RSA is best used to protect a short message or a symmetric key rather than bulk data.
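Both directions of the RSA exchange described above, as an added example written for this page (not code from the original article or any vendor), using Go's standard library. The terminal's key pair, the OAEP label, the challenge string and the payment message are constructed for the example; a real terminal would hold a long-lived key whose public half is provisioned into the sending app in advance. It makes the size cost concrete: with a 2048-bit key, RSA-OAEP with SHA-256 accepts at most 190 bytes of message and always produces a 256-byte ciphertext.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel binds ciphertexts to this application; both sides must use the
// same label. Constructed for the example.
var oaepLabel = []byte("data-over-sound-payment")

// Terminal models the trusted third party (bank or point-of-sale) that
// holds the RSA private key; senders only ever see its public key.
type Terminal struct {
	priv *rsa.PrivateKey
}

// NewTerminal generates a fresh 2048-bit key pair. In practice the key is
// long-lived and its public half is distributed to senders ahead of time.
func NewTerminal() (*Terminal, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Terminal{priv: priv}, nil
}

// PublicKey is what gets provisioned into the sending app.
func (t *Terminal) PublicKey() *rsa.PublicKey {
	return &t.priv.PublicKey
}

// EncryptToTerminal runs on the sender. RSA-OAEP with SHA-256 accepts at
// most 190 bytes of message for a 2048-bit key and always produces a
// 256-byte ciphertext, which is the bandwidth cost to budget for on the
// acoustic channel.
func EncryptToTerminal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, oaepLabel)
}

// Decrypt runs on the terminal; only the private key can recover the message.
func (t *Terminal) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, ciphertext, oaepLabel)
}

// Sign lets the terminal prove its identity: it signs a challenge the
// sender chose, using RSA-PSS over the SHA-256 digest of the challenge.
func (t *Terminal) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, t.priv, crypto.SHA256, digest[:], nil)
}

// VerifyTerminal runs on the sender with the provisioned public key. A
// signature over a different challenge, or under a different key, fails.
func VerifyTerminal(pub *rsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	term, err := NewTerminal()
	if err != nil {
		panic(err)
	}
	// Constructed sample exchange: the terminal proves itself against a
	// fresh challenge, then the sender encrypts a short payment message to it.
	challenge := []byte("challenge-0001")
	sig, _ := term.Sign(challenge)
	fmt.Println("terminal identity verified:", VerifyTerminal(term.PublicKey(), challenge, sig))

	msg := []byte("PAY 12.50 EUR merchant=0815 nonce=7f3a")
	ct, _ := EncryptToTerminal(term.PublicKey(), msg)
	pt, _ := term.Decrypt(ct)
	fmt.Printf("%d-byte message -> %d-byte ciphertext, decrypted: %q\n", len(msg), len(ct), pt)
}
```

The challenge must be fresh per session (a random value the sender generates), otherwise a recorded signature can be replayed to impersonate the terminal. For anything longer than 190 bytes, encrypt an AES key with RSA-OAEP and the payload with that AES key.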
Time-based keying (TOTP)
As an alternative to encryption, time-based one-time passwords (TOTP, RFC 6238) can be used to generate throwaway single-use codes from a shared secret and the current time. This approach suits situations in which an individual needs a lightweight way to authenticate with a PIN-style code, since a code captured by an eavesdropper expires with its time window. Two caveats apply: TOTP authenticates but does not hide the payload, and within one time window a captured code can still be replayed unless the verifier remembers the codes it has already accepted and refuses them a second time. The method also requires clocks that are roughly synchronized between the two devices, with the verifier usually tolerating one time step of skew in either direction.
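A complete TOTP generator and verifier covering the points above, as an added example written for this page (not code from the original article or any vendor), using Go's standard library. The shared secret is the ASCII test secret from RFC 6238 so the output can be checked against the RFC's published vectors; the verifier's tolerance of one step of skew and its in-memory set of consumed steps are this example's choices, with the latter being the replay defence RFC 6238 section 5.2 calls for.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"sync"
)

const (
	Step   = 30 // seconds per time step, the RFC 6238 default
	Digits = 8  // code length; the RFC 6238 test vectors use 8
)

// HOTP is the RFC 4226 construction: HMAC-SHA1 over the big-endian counter,
// dynamic truncation to 31 bits, then reduction to the wanted number of digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// TOTP (RFC 6238) is HOTP with the counter set to the current time step.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/Step), digits)
}

// Verifier is the receiving side. It tolerates one step of clock skew in
// either direction and refuses a code for a time step it has already
// consumed, which blocks replay of a recorded code inside its window.
// The used map is unbounded here; a real service prunes steps that are
// older than the skew window.
type Verifier struct {
	secret []byte
	mu     sync.Mutex
	used   map[uint64]bool
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, used: make(map[uint64]bool)}
}

// Verify checks code against the steps now-1, now and now+1 and consumes
// the matching step on success. The comparison is constant-time.
func (v *Verifier) Verify(code string, now int64) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	base := now / Step
	for delta := int64(-1); delta <= 1; delta++ {
		step := base + delta
		if step < 0 || v.used[uint64(step)] {
			continue
		}
		want := HOTP(v.secret, uint64(step), Digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.used[uint64(step)] = true
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 6238 test secret (ASCII)
	now := int64(59)
	code := TOTP(secret, now, Digits)
	fmt.Println("code at T=59:", code) // RFC 6238 lists 94287082 for this time

	v := NewVerifier(secret)
	fmt.Println("first use accepted:", v.Verify(code, now))
	fmt.Println("replay in same window accepted:", v.Verify(code, now))
}
```

Consuming the step also means a legitimate user cannot authenticate twice within the same 30 seconds; that is the intended one-time property, not a defect. The secret must be provisioned over a channel other than the acoustic one, since anyone who captures it can generate every future code.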
As discussed, there are several distinct options for transmitting data securely, and no single solution fits every case. With these encryption and authentication options readily available, sound-based connectivity can be as secure as RF-based transmission, while leaving the developer in full control of how the payload is protected.
With the option to select and build their own approach to security, developers can be confident that the method used is the right one for their specific scenario, and can enable secure data transmission using sound.