SoylentNews is people
SoylentNews
from the if-they-have-physical-access,-they-have-everything dept.
Apparently anything on a PC that makes noise or light is fair game for exploitation to breach air gapped PCs.
Researchers at Ben-Gurion University of the Negev in Israel have disclosed yet another method that can be used to exfiltrate data from air-gapped computers, and this time it involves the activity LED of hard disk drives (HDDs).
Many desktop and laptop computers have an HDD activity indicator, which blinks when data is being read from or written to the disk. The blinking frequency and duration depend on the type and intensity of the operation being performed.
According to researchers, a piece of malware can indirectly control the LED using specific read/write operations. More precisely, the size of the buffer being written or read is proportional to the amount of time the LED stays on, while sleeping causes the LED to be turned off. Experts have determined that these LEDs can blink up to 6,000 times per second, which allows for high data transmission rates.
The state of the LED can be translated into "0" or "1" bits. The data can be encoded using several methods: LED on is "1" and LED off is "0" (OOK encoding), off and on is "0" and on and off is "1" (Manchester encoding, which is slower but more reliable), or on for a certain duration is "1" and on for a different duration is "0" (Binary Frequency Shift Keying).
A piece of malware that is installed on the targeted air-gapped device can harvest data and exfiltrate it using one of these encoding systems. As for reception and decoding, the attacker must find a way to observe the targeted device's activity LED, either using a local hidden camera, a high-resolution camera that can capture images from outside the building, a camera mounted on a drone, a compromised security camera, a camera carried by a malicious insider, or optical sensors.
(Score: 0) by Anonymous Coward on Friday February 24 2017, @07:07PM
Well, 6000Hz is the maximum -- you can run at, say 30 Hz, and use a 60fps camera; all depends how much information you need and when you need it by.
But yeah, the whole ultrasonic speaker/microphone thing we heard about last year is a lot more practical -- get malware on a nearby non-airgapped computers, and it just works; whereas even if you slow this down enough to use a built-in webcam on most laptops and a few desktops, you've still got to rely on luck for someone to leave the computer open (if laptop) and aligned so it can see the airgapped system. Microphones and speakers are more or less omnidirectional.