
posted by on Friday February 24 2017, @01:44PM
from the if-they-have-physical-access,-they-have-everything dept.

Apparently anything on a PC that makes noise or light is fair game for exploitation to breach air-gapped PCs.

Researchers at Ben-Gurion University of the Negev in Israel have disclosed yet another method that can be used to exfiltrate data from air-gapped computers, and this time it involves the activity LED of hard disk drives (HDDs).

Many desktop and laptop computers have an HDD activity indicator, which blinks when data is being read from or written to the disk. The blinking frequency and duration depend on the type and intensity of the operation being performed.

According to researchers, a piece of malware can indirectly control the LED using specific read/write operations. More precisely, the size of the buffer being written or read is proportional to the amount of time the LED stays on, while sleeping causes the LED to be turned off. Experts have determined that these LEDs can blink up to 6,000 times per second, which allows for high data transmission rates.

The state of the LED can be translated into "0" or "1" bits. The data can be encoded using several methods: LED on is "1" and LED off is "0" (OOK encoding), off and on is "0" and on and off is "1" (Manchester encoding, which is slower but more reliable), or on for a certain duration is "1" and on for a different duration is "0" (Binary Frequency Shift Keying).

A piece of malware that is installed on the targeted air-gapped device can harvest data and exfiltrate it using one of these encoding systems. As for reception and decoding, the attacker must find a way to observe the targeted device's activity LED, either using a local hidden camera, a high-resolution camera that can capture images from outside the building, a camera mounted on a drone, a compromised security camera, a camera carried by a malicious insider, or optical sensors.
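
The trade-off between the OOK and Manchester encodings described above ("slower but more reliable") can be seen by decoding a sample stream with one misread sample. This is an added example, not code from the researchers or the article; it works only on lists of on/off samples, and the payload and error position are constructed.

```python
# Added illustration: line coding on lists of samples (1 = LED on, 0 = LED off).
# PAYLOAD and the flipped sample position are constructed for the example.

def ook_encode(bits):
    """OOK: one time slot per bit, on for 1 and off for 0."""
    return list(bits)

def ook_decode(slots):
    """Every slot is a valid bit, so a misread slot cannot be detected."""
    return list(slots)

def manchester_encode(bits):
    """Manchester as the article states it: 0 -> off,on and 1 -> on,off."""
    slots = []
    for bit in bits:
        slots.extend([1, 0] if bit else [0, 1])
    return slots

def manchester_decode(slots):
    """Return (bits, bad_symbols); off,off and on,on are invalid symbols."""
    bits, bad_symbols = [], []
    for i in range(0, len(slots) - 1, 2):
        pair = (slots[i], slots[i + 1])
        if pair == (1, 0):
            bits.append(1)
        elif pair == (0, 1):
            bits.append(0)
        else:
            bits.append(None)          # receiver knows this bit is damaged
            bad_symbols.append(i // 2)
    return bits, bad_symbols

def flip(slots, index):
    """Simulate one misread sample (for example glare or a dropped frame)."""
    out = list(slots)
    out[index] ^= 1
    return out

PAYLOAD = [1, 0, 1, 1, 0, 0, 1, 0]

if __name__ == "__main__":
    ook, man = ook_encode(PAYLOAD), manchester_encode(PAYLOAD)
    print("slots per payload: OOK", len(ook), "Manchester", len(man))
    print("OOK with one bad sample:", ook_decode(flip(ook, 5)))
    print("Manchester with one bad sample:", manchester_decode(flip(man, 5)))
```

Manchester needs twice as many time slots for the same payload, but a single misread sample produces an invalid symbol that the receiver can flag, while the same error under OOK silently yields a wrong bit.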



  • (Score: 1, Redundant) by fritsd on Friday February 24 2017, @04:34PM


    You're much better off with systemd.

    Systemd has got a module to show large and informative QR codes [github.com] on-screen.

    Much better bandwidth and error correction than that tedious fuffing around with harddisk lights! Air-gap-hopping for the 21st century!11!

    </sarc>

  • (Score: 0) by Anonymous Coward on Friday February 24 2017, @04:48PM


    Except that it would be obvious that something is amiss to anyone using the compromised system. I think the intent here is subterfuge to allow the unorthodox transmission method to work unnoticed. Who would notice yet another blinking light? Just look at this thing [wikipedia.org] to get an idea of what I'm hinting at here.