posted by on Friday February 24 2017, @01:44PM
from the if-they-have-physical-access,-they-have-everything dept.

Apparently anything on a PC that makes noise or light is fair game for exploitation to breach air-gapped PCs.

Researchers at Ben-Gurion University of the Negev in Israel have disclosed yet another method that can be used to exfiltrate data from air-gapped computers, and this time it involves the activity LED of hard disk drives (HDDs).

Many desktop and laptop computers have an HDD activity indicator, which blinks when data is being read from or written to the disk. The blinking frequency and duration depend on the type and intensity of the operation being performed.

According to researchers, a piece of malware can indirectly control the LED using specific read/write operations. More precisely, the size of the buffer being written or read is proportional to the amount of time the LED stays on, while sleeping causes the LED to be turned off. Experts have determined that these LEDs can blink up to 6,000 times per second, which allows for high data transmission rates.

The state of the LED can be translated into "0" or "1" bits. The data can be encoded using several methods: LED on is "1" and LED off is "0" (OOK encoding), off and on is "0" and on and off is "1" (Manchester encoding, which is slower but more reliable), or on for a certain duration is "1" and on for a different duration is "0" (Binary Frequency Shift Keying).

A piece of malware that is installed on the targeted air-gapped device can harvest data and exfiltrate it using one of these encoding systems. As for reception and decoding, the attacker must find a way to observe the targeted device's activity LED, either using a local hidden camera, a high-resolution camera that can capture images from outside the building, a camera mounted on a drone, a compromised security camera, a camera carried by a malicious insider, or optical sensors.
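Added example (not code from the Ben-Gurion paper or the article): a small model of the OOK and Manchester symbol timing the summary describes, driven by a constructed payload, plus a heuristic detector that flags an LED or disk-activity trace whose on-periods cluster into a couple of slot-quantized lengths, the way a modulated channel would and normal bursty I/O usually does not. The slot rate, payload and "normal" trace are constructed assumptions.

```python
"""Model of the HDD-LED covert channel (OOK / Manchester) and a detector.
Constructed example: slot length, payload and traces are assumptions."""
from collections import Counter

SLOT_HZ = 6000  # max blink rate quoted in the summary; one slot = 1/6000 s

def encode_ook(bits):
    # One slot per bit: LED on for "1", off for "0".
    return [int(b) for b in bits]

def encode_manchester(bits):
    # Two slots per bit: off->on is "0", on->off is "1" (as the summary states).
    out = []
    for b in bits:
        out += [0, 1] if b == "0" else [1, 0]
    return out

def decode_manchester(trace):
    # Self-clocking: every bit is a slot pair containing exactly one transition.
    bits = []
    for i in range(0, len(trace) - 1, 2):
        pair = (trace[i], trace[i + 1])
        bits.append("0" if pair == (0, 1) else "1" if pair == (1, 0) else "?")
    return "".join(bits)

def on_run_lengths(trace):
    # Lengths (in slots) of consecutive LED-on periods.
    runs, n = [], 0
    for s in trace:
        if s:
            n += 1
        elif n:
            runs.append(n)
            n = 0
    return runs + [n] if n else runs

def looks_modulated(trace, min_runs=12, max_distinct=2, min_share=0.9):
    # Heuristic: many short on-runs whose lengths fall into <= 2 values.
    runs = on_run_lengths(trace)
    if len(runs) < min_runs:
        return False
    common = Counter(runs).most_common(max_distinct)
    return sum(c for _, c in common) / len(runs) >= min_share

def trace_from_runs(on_runs, gap=5):
    # Build a constructed "normal" I/O trace from varied burst lengths.
    t = []
    for r in on_runs:
        t += [1] * r + [0] * gap
    return t

PAYLOAD = "0110100001101001" * 4  # constructed: ASCII "hihihihi"
NORMAL = trace_from_runs([300, 17, 1200, 63, 9, 410, 2, 58, 140, 33, 7, 980, 21, 5])
```

Run `looks_modulated` over `encode_manchester(PAYLOAD)` and over `NORMAL` to see the heuristic separate the two; the thresholds are illustrative, not tuned values.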


  • (Score: 0, Insightful) by TheGratefulNet on Friday February 24 2017, @02:17PM

    by TheGratefulNet (659) on Friday February 24 2017, @02:17PM (#471108)

    this is pure bs.

    leds vary SO MUCH in how they are implemented. controllers, drives, etc. they usually (I'd hazard a guess that 99% of the time) simply set a led timer as a one-shot and turn the led on to show the start of a block transfer. the off-time could be quite a bit diff from the true end of packet.

    who, here, thinks that, for every single bit write operation, the led is turned off and on?

    really? how fast CAN you modulate an led? hint, a bit above audio range but NOT even close into entry-level RF range.

    this is pure bollocks.

    --
    "It is now safe to switch off your computer."
  • (Score: 2) by Hyperturtle on Friday February 24 2017, @02:48PM

    by Hyperturtle (2824) on Friday February 24 2017, @02:48PM (#471121)

    I think it's a marketing story to sell some product to the executive that read a whitepaper on CIO.com

    But I don't *know* that... but I would like to think so, because this very concept comes up every few years, with new descriptions of how to do it based on high tech stuff.

    Morse code isn't new, nor is the exploitation of fears caused by flashing lights.

    Maybe three or five years ago, I read how some uninformed management people at various companies were requiring their IT staff to use black electrical tape over the LEDS in case hackers were reading data off the arrays through the opaque glass door leading into the otherwise physically secured raised floor data center room that had no web cameras enabled on the servers because Hackers.

    So yeah, it could happen in specific instances in poorly secured environments to begin with, at a slow rate of speed, and someone has to export the data after it collects it after having first installed it on something that only had one LED light that represented all of the disk activity. I guess they can flash numlock and cd rom drive lights too if those are still visible to a camera pointed at it being recorded by the same Hackers. I guess IP security cameras can capture a lot if compromised, but why not secure those first? Or don't use IP cameras in the data center that are accessible over the internet?

    But those ideas won't sell solutions, since you can't download an app to be smart.

  • (Score: 2) by c0lo on Friday February 24 2017, @02:50PM

    by c0lo (156) Subscriber Badge on Friday February 24 2017, @02:50PM (#471123) Journal

    Increase the transmission rate using audio [youtube.com]

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 3, Informative) by EvilSS on Friday February 24 2017, @03:06PM

    by EvilSS (1456) Subscriber Badge on Friday February 24 2017, @03:06PM (#471127)
    Not that I disagree that this is a BS (but for different reasons apparently), but did you even bother to read the summary before replying?
  • (Score: 4, Interesting) by VLM on Friday February 24 2017, @03:14PM

    by VLM (445) on Friday February 24 2017, @03:14PM (#471128)

    how fast CAN you modulate an led? hint, a bit above audio range but NOT even close into entry-level RF range.

    Depends how you define entry-level RF. You might be surprised. Obviously this is for non-phosphor LEDS, like plain red. Long duration phosphors would seem to limit some older tech white LEDs to like "Hz" level modulation. Probably.

    Just a simple transistor will get you up to "MHz" but eventually the capacitance across the LED will be an issue. Or it was in the old days. How do you shut something off when it's got a built in source of current longer than your off periods? Well, there are ways...

    With a single transistor you can play the usual analog games old as dirt in every application where the DC bias of the emitter is set by a resistor but the AC performance is set by a cap and resistor, so you set the DC bias with the emitter resistor to something sane for that LED in its midpoint, like hundreds of ohms, then essentially overmodulate the hell out of it using a cap that's practically zero AC impedance at freq with a fairly low AC emitter resistor like tens of ohms. This takes you thru the HF band roughly.

    You can go into VHF or maybe VERY low UHF range if you get a very expensive high freq opamp with decent current and slew specs and just do the textbook dumb "voltage to current converter" and it'll work plus or minus the usual "I done made me an oscillator without even trying" stuff. The kind of thing that can drive a video or baseband signal down a 1000 feet of coax will laugh at a mere LED.

    As a hint to the people who think FET H-bridges are the thing, high power h-bridges that can laugh at the impedance of an LED are slow, and fast ones turn it from a "how do I drive a LED really fast" to a "how do I drive a FET really fast" which admittedly is a lot easier but it's not like a complete get out of jail free card.

    Two side issues to keep in mind... driving a LED 100% modulation is tough, really tough, but like 80% modulation is way easier. From memory driving a LED from like 10% to 90% brightness is "easy" but driving in the 0 to 10% range is hard and avoiding the 90-100 range gives you headroom. If 50 mA will blow a junction at DC, it's not like 55 mA at 150 MHz is somehow more survivable.

    Another issue is it's like going back to the 60s surplus textbooks I had as a kid and anyone younger than I donno 50 is probably surprised "a diode" can have a PIV rating lower than like 500 or 1000 volts (other than zeners duh) but some LEDs are ridiculously low and I seem to remember in the bad old days of the earliest blues like a quarter century ago that some had LOWER PIV ratings than forward biased Vf... crazy. So yeah you think hooking up a LED to a 48 volt H-bridge is one admittedly violent way to deal with shoving enough peak current thru for a very short pulse, but the PIV of a LED is probably too low to survive the very first negative going cycle no matter how well the positive going cycle should have looked (unless times have recently changed)

    Think like, emitter followers or avalanche mode switching and shunts in general, not so much class C bipolar amps and series in general.

    Oh what else is fun... forget linear operation, LEDs are just linear enough to look not so ugly on the graph but not clean enough for like multi-octave hifi analog broadband that's why nobody uses them for (admittedly obscure) short range analog laser fiber optics.

    One of the first insights you'll run into is when shunt drivers give "better" performance than series driving because transistors can "suck the current out" in shunt mode really well. Obviously when talking shunt drivers your figure of merit is like high frequency modulation of high brightness light, not "normal" LED driver figures of merit like low leakage current when off or high efficiency at turning DC into zero modulation light. So a good high freq drive circuit won't look much like a circuit for "I'm making a microcontroller LED blinkie".

    Obviously if by "entry level RF range" you're one of those guys who sees anyone operating below SMA connector resonance or doesn't own a wire bonding machine for bare dies as a hopeless degenerate prole, well, whatever, but yeah LEDs with some care in the driver circuit design are good to like "GHz" range. Lasers of course go much faster for a given complexity of driver ckt, but they cost too much and life is too short and they get too hot blah whatever.

    Googling around this seems to be an occasionally discussed scenario. A couple decades ago IrDA was a thing so you still see old timer discussion about running IR LEDs at 64 MHz or whatever hi speed mode was for IrDA. IrDA never worked in the field because of driver level issues not LED modulation issues.

    Reviving something like a 2020 IrDA with better code that actually works might be interesting for the arduino generation. Simpler than QR codes, simpler and cheaper than RF, at tabletop scale not a bad idea at all for modest data rates (like under 100 MB/s)

    I seem to recall near the death of FDDI there were some LED transmitters for FDDI that met spec, although I don't remember if that was shipping or vaporware trolling from marketing. FDDI for the arduino generation would be an interesting concept too.

    • (Score: 2, Funny) by Scruffy Beard 2 on Friday February 24 2017, @04:13PM

      by Scruffy Beard 2 (6030) on Friday February 24 2017, @04:13PM (#471145)

      I was assuming TFA was talking about unmodified PC hardware.

      But I suppose if you have access to install a high-speed camera, you may have access to install custom LED circuitry as well.

  • (Score: 1, Informative) by Anonymous Coward on Friday February 24 2017, @03:36PM

    by Anonymous Coward on Friday February 24 2017, @03:36PM (#471133)

    This won't be an attack used to get your bank information. This would indeed have to be a very coordinated effort to pull off and would require both a group to do it and another group that's housing secure data that's worth enough to use this technique on it. This is more like sophisticated attack measures against sophisticated defense measures, possibly the future of international and corporate espionage for the digital age. Digital communication can still happen over latent or intermittent connectivity if the right techniques are used.

  • (Score: 2) by butthurt on Friday February 24 2017, @05:54PM

    by butthurt (6141) on Friday February 24 2017, @05:54PM (#471213) Journal

    who, here, thinks that, for every single bit write operation, the led is turned off and on?

    From the summary:

    [...] the size of the buffer being written or read is proportional to the amount of time the LED stays on [...]

    I didn't read the article but it's clear that they're talking about doing timed writes and observing the time that the write occurred and the amount of time it took. The actual data that end up being written are immaterial. That's not what's being observed.

    how fast CAN you modulate an led? hint, a bit above audio range but NOT even close into entry-level RF range.

    From the summary:

    [...] these LEDs can blink up to 6,000 times per second [...]

    I didn't read the article but it's clear that they're talking about the visible light from the LED, not RF emissions.