SoylentNews is people

posted by on Friday February 24 2017, @01:44PM
from the if-they-have-physical-access,-they-have-everything dept.

Apparently anything on a PC that makes noise or light is fair game for exploitation to breach air gapped PCs.

Researchers at Ben-Gurion University of the Negev in Israel have disclosed yet another method that can be used to exfiltrate data from air-gapped computers, and this time it involves the activity LED of hard disk drives (HDDs).

Many desktop and laptop computers have an HDD activity indicator, which blinks when data is being read from or written to the disk. The blinking frequency and duration depend on the type and intensity of the operation being performed.

According to researchers, a piece of malware can indirectly control the LED using specific read/write operations. More precisely, the size of the buffer being written or read is proportional to the amount of time the LED stays on, while sleeping causes the LED to be turned off. Experts have determined that these LEDs can blink up to 6,000 times per second, which allows for high data transmission rates.

The state of the LED can be translated into "0" or "1" bits. The data can be encoded using several methods: LED on is "1" and LED off is "0" (OOK encoding), off and on is "0" and on and off is "1" (Manchester encoding, which is slower but more reliable), or on for a certain duration is "1" and on for a different duration is "0" (Binary Frequency Shift Keying).

A piece of malware that is installed on the targeted air-gapped device can harvest data and exfiltrate it using one of these encoding systems. As for reception and decoding, the attacker must find a way to observe the targeted device's activity LED, either using a local hidden camera, a high-resolution camera that can capture images from outside the building, a camera mounted on a drone, a compromised security camera, a camera carried by a malicious insider, or optical sensors.


  • (Score: 3, Interesting) by looorg on Friday February 24 2017, @02:02PM

    by looorg (578) on Friday February 24 2017, @02:02PM (#471101)

    Tape to the rescue! So another part of the computer I have to put tape over then; first it was the camera and now I can't even show the blinking LEDs anymore. Come to think of it, looking at my tower, I don't even have showing LEDs anymore - immunity! Just from memory I don't think I have been having blinking HD LEDs on the front of my tower for a really long time. There is one on my laptop, but it's very small and positioned so that my body should cover it from any drone hanging around behind me, and I think I would notice a drone hanging just above or behind me for a while unless they invent total stealth mode. Also, won't it be fairly obvious if you have a drone hovering outside your window as it tries to read your computer?

    • (Score: 0) by Anonymous Coward on Friday February 24 2017, @02:39PM

      by Anonymous Coward on Friday February 24 2017, @02:39PM (#471118)

      If you were just waiting for this article to think of taping over (or unplugging!) your computer's activity lights, you're doing it wrong.

      • (Score: 2) by bob_super on Friday February 24 2017, @05:25PM

        by bob_super (1357) on Friday February 24 2017, @05:25PM (#471195)

        Well, you also need to tape over your screen, just in case some program displaying a gray dot is actually modulating the pixels to transmit data to anyone pointing a high-speed camera towards it.

        There's paranoia, and then there's stupidity. This is straight up stupid.

    • (Score: 0) by Anonymous Coward on Friday February 24 2017, @07:01PM

      by Anonymous Coward on Friday February 24 2017, @07:01PM (#471258)

      If your computer's not airgapped, you probably wouldn't need to tape the LEDs -- if anyone manages to get malware running on your system to manipulate the HDD light, that malware can probably just send the data out over the network.

      If you are setting up an airgapped system, well, you might as well tape over (or better, remove/unplug) the HDD LEDs -- not because it's particularly likely to face malware attempting to exfiltrate data via HDD LED, but because if you make it categorically impossible, you don't have to assess how probable it is, and whether or not there's some place someone could mount a secret camera/receiver. (Note that direct line of sight to the LED is not needed -- if someone can look through a door or window, and see a diffuse reflection off a wall, that's good enough.)

    • (Score: 1) by Ethanol-fueled on Saturday February 25 2017, @12:42AM

      by Ethanol-fueled (2792) on Saturday February 25 2017, @12:42AM (#471379) Homepage

      I taped it anyway; my power LED is blue and is pretty goddamn bright with the sleep-killing spectrum of light at night.

      Next we'll have BIOS hackers attacking Gaymers by modulating their motherboard rainbow LEDs like this [wikipedia.org] or some shit.

  • (Score: 2) by Snotnose on Friday February 24 2017, @02:04PM

    by Snotnose (1623) on Friday February 24 2017, @02:04PM (#471102)

    I'm not too worried about this. First, you need physical access to install malware. Second, you need to record the LED at least 12,000 times a second (Nyquist frequency). Finally, at most you'll get 6,000 bits per second after all this work.

    --
    When the dust settled America realized it was saved by a porn star.
    • (Score: 0) by Anonymous Coward on Friday February 24 2017, @04:54PM

      by Anonymous Coward on Friday February 24 2017, @04:54PM (#471169)

      That's 5 times the data rate of an old 300 Baud modem!

      • (Score: 0) by Anonymous Coward on Friday February 24 2017, @04:56PM

        by Anonymous Coward on Friday February 24 2017, @04:56PM (#471172)

        Actually, it's 20 times the data rate. Well, unless for each bit of data you used 3 bits of error correction data. :-)

    • (Score: 0) by Anonymous Coward on Friday February 24 2017, @05:39PM

      by Anonymous Coward on Friday February 24 2017, @05:39PM (#471205)

      As always, it all depends on why the system is airgapped in the first place, and what threats you are trying to defend against.

      Often such systems are designed to access secrets, and the goal is to prevent any one person (or a sufficiently small group of conspirators) from "going rogue" and moving the secrets outside of the room without anyone else noticing. Still, rogue actors secretly installing hard drive LED malware plus secretly installing a hidden high-framerate camera nearby seems a bit far-fetched...

    • (Score: 0) by Anonymous Coward on Friday February 24 2017, @07:07PM

      by Anonymous Coward on Friday February 24 2017, @07:07PM (#471264)

      Well, 6000 Hz is the maximum -- you can run at, say, 30 Hz, and use a 60 fps camera; it all depends how much information you need and when you need it by.

      But yeah, the whole ultrasonic speaker/microphone thing we heard about last year is a lot more practical -- get malware on a nearby non-airgapped computer, and it just works; whereas even if you slow this down enough to use a built-in webcam on most laptops and a few desktops, you've still got to rely on luck for someone to leave the computer open (if laptop) and aligned so it can see the airgapped system. Microphones and speakers are more or less omnidirectional.

  • (Score: 0, Insightful) by TheGratefulNet on Friday February 24 2017, @02:17PM

    by TheGratefulNet (659) on Friday February 24 2017, @02:17PM (#471108)

    this is pure bs.

    LEDs vary SO MUCH in how they are implemented. controllers, drives, etc. usually (I'd hazard a guess that 99% of the time) simply set an LED timer as a one-shot and turn the LED on to show the start of a block transfer. the off-time could be quite a bit diff from the true end of packet.

    who, here, thinks that, for every single bit write operation, the led is turned off and on?

    really? how fast CAN you modulate an led? hint, a bit above audio range but NOT even close into entry-level RF range.

    this is pure bollocks.

    --
    "It is now safe to switch off your computer."
    • (Score: 2) by Hyperturtle on Friday February 24 2017, @02:48PM

      by Hyperturtle (2824) on Friday February 24 2017, @02:48PM (#471121)

      I think it's a marketing story to sell some product to the executive that read a whitepaper on CIO.com

      But I don't *know* that... but I would like to think so, because this very concept comes up every few years, with new descriptions of how to do it based on high tech stuff.

      Morse code isn't new, nor is the exploitation of fears caused by flashing lights.

      Maybe three or five years ago, I read how some uninformed management people at various companies were requiring their IT staff to use black electrical tape over the LEDs in case hackers were reading data off the arrays through the opaque glass door leading into the otherwise physically secured raised floor data center room that had no web cameras enabled on the servers because Hackers.

      So yeah, it could happen in specific instances in poorly secured environments to begin with, at a slow rate of speed, and someone has to export the data after it collects it, after having first installed it on something that only had one LED light that represented all of the disk activity. I guess they can flash numlock and CD-ROM drive lights too if those are still visible to a camera pointed at it being recorded by the same Hackers. I guess IP security cameras can capture a lot if compromised, but why not secure those first? Or don't use IP cameras in the data center that are accessible over the internet?

      But those ideas won't sell solutions, since you can't download an app to be smart.

    • (Score: 2) by c0lo on Friday February 24 2017, @02:50PM

      by c0lo (156) Subscriber Badge on Friday February 24 2017, @02:50PM (#471123) Journal

      Increase the transmission rate using audio [youtube.com]

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 3, Informative) by EvilSS on Friday February 24 2017, @03:06PM

      by EvilSS (1456) Subscriber Badge on Friday February 24 2017, @03:06PM (#471127)

      Not that I disagree that this is BS (but for different reasons apparently), but did you even bother to read the summary before replying?
    • (Score: 4, Interesting) by VLM on Friday February 24 2017, @03:14PM

      by VLM (445) on Friday February 24 2017, @03:14PM (#471128)

      how fast CAN you modulate an led? hint, a bit above audio range but NOT even close into entry-level RF range.

      Depends how you define entry-level RF. You might be surprised. Obviously this is for non-phosphor LEDs, like plain red. Long duration phosphors would seem to limit some older tech white LEDs to like "Hz" level modulation. Probably.

      Just a simple transistor will get you up to "MHz" but eventually the capacitance across the LED will be an issue. Or it was in the old days. How do you shut something off when it's got a built in source of current longer than your off periods? Well, there are ways...

      With a single transistor you can play the usual analog games old as dirt in every application where the DC bias of the emitter is set by a resistor but the AC performance is set by a cap and resistor, so you set the DC bias with the emitter resistor to something sane for that LED in its midpoint, like hundreds of ohms, then essentially overmodulate the hell out of it using a cap that's practically zero AC impedance at freq with a fairly low AC emitter resistor like tens of ohms. This takes you thru the HF band roughly.

      You can go into VHF or maybe VERY low UHF range if you get a very expensive high freq opamp with decent current and slew specs and just do the textbook dumb "voltage to current converter" and it'll work plus or minus the usual "I done made me an oscillator without even trying" stuff. The kind of thing that can drive a video or baseband signal down a 1000 feet of coax will laugh at a mere LED.

      As a hint to the people who think FET H-bridges are the thing, high power H-bridges that can laugh at the impedance of an LED are slow, and fast ones turn it from a "how do I drive a LED really fast" to a "how do I drive a FET really fast" which admittedly is a lot easier but it's not like a complete get out of jail free card.

      Two side issues to keep in mind... driving a LED at 100% modulation is tough, really tough, but like 80% modulation is way easier. From memory driving a LED from like 10% to 90% brightness is "easy" but driving in the 0 to 10% range is hard and avoiding the 90-100 range gives you headroom. If 50 mA will blow a junction at DC, it's not like 55 mA at 150 MHz is somehow more survivable.

      Another issue is it's like going back to the 60s surplus textbooks I had as a kid and anyone younger than I donno 50 is probably surprised "a diode" can have a PIV rating lower than like 500 or 1000 volts (other than zeners duh) but some LEDs are ridiculously low and I seem to remember in the bad old days of the earliest blues like a quarter century ago that some had LOWER PIV ratings than forward biased Vf... crazy. So yeah you think hooking up a LED to a 48 volt H-bridge is one admittedly violent way to deal with shoving enough peak current thru for a very short pulse, but the PIV of a LED is probably too low to survive the very first negative going cycle no matter how well the positive going cycle should have looked (unless times have recently changed).

      Think like, emitter followers or avalanche mode switching and shunts in general, not so much class C bipolar amps and series in general.

      Oh what else is fun... forget linear operation, LEDs are just linear enough to look not so ugly on the graph but not clean enough for like multi-octave hifi analog broadband that's why nobody uses them for (admittedly obscure) short range analog laser fiber optics.

      One of the first insights you'll run into is when shunt drivers give "better" performance than series driving because transistors can "suck the current out" in shunt mode really well. Obviously when talking shunt drivers your figure of merit is like high frequency modulation of high brightness light, not "normal" LED driver figures of merit like low leakage current when off or high efficiency at turning DC into zero modulation light. So a good high freq drive circuit won't look much like a circuit for "I'm making a microcontroller LED blinkie"

      Obviously if by "entry level RF range" you're one of those guys who sees anyone operating below SMA connector resonance or doesn't own a wire bonding machine for bare dies as a hopeless degenerate prole, well, whatever, but yeah LEDs with some care in the driver circuit design are good to like "GHz" range. Lasers of course go much faster for a given complexity of driver ckt, but they cost too much and life is too short and they get too hot blah whatever.

      Googling around this seems to be an occasionally discussed scenario. A couple decades ago IrDA was a thing so you still see old timer discussion about running IR LEDs at 64 MHz or whatever hi speed mode was for IrDA. IrDA never worked in the field because of driver level issues not LED modulation issues.

      Reviving something like a 2020 IrDA with better code that actually works might be interesting for the arduino generation. Simpler than QR codes, simpler and cheaper than RF, at tabletop scale not a bad idea at all for modest data rates (like under 100 MB/s)

      I seem to recall near the death of FDDI there were some LED transmitters for FDDI that met spec, although I don't remember if that was shipping or vaporware trolling from marketing. FDDI for the arduino generation would be an interesting concept too.

      • (Score: 2, Funny) by Scruffy Beard 2 on Friday February 24 2017, @04:13PM

        by Scruffy Beard 2 (6030) on Friday February 24 2017, @04:13PM (#471145)

        I was assuming TFA was talking about unmodified PC hardware.

        But I suppose if you have access to install a high-speed camera, you may have access to install custom LED circuitry as well.

    • (Score: 1, Informative) by Anonymous Coward on Friday February 24 2017, @03:36PM

      by Anonymous Coward on Friday February 24 2017, @03:36PM (#471133)

      This won't be an attack used to get your bank information. This would indeed have to be a very coordinated effort to pull off and would require both a group to do it and another group that's housing secure data that's worth enough to use this technique on it. This is more like sophisticated attack measures against sophisticated defense measures, possibly the future of international and corporate espionage for the digital age. Digital communication can still happen over latent or intermittent connectivity if the right techniques are used.

    • (Score: 2) by butthurt on Friday February 24 2017, @05:54PM

      by butthurt (6141) on Friday February 24 2017, @05:54PM (#471213) Journal

      who, here, thinks that, for every single bit write operation, the led is turned off and on?

      From the summary:

      [...] the size of the buffer being written or read is proportional to the amount of time the LED stays on [...]

      I didn't read the article but it's clear that they're talking about doing timed writes and observing the time that the write occurred and the amount of time it took. The actual data that end up being written are immaterial. That's not what's being observed.

      how fast CAN you modulate an led? hint, a bit above audio range but NOT even close into entry-level RF range.

      From the summary:

      [...] these LEDs can blink up to 6,000 times per second [...]

      I didn't read the article but it's clear that they're talking about the visible light from the LED, not RF emissions.

  • (Score: 0) by Anonymous Coward on Friday February 24 2017, @04:09PM

    by Anonymous Coward on Friday February 24 2017, @04:09PM (#471143)

    Next they'll publish a paper on how the PC speaker can be used to exfiltrate information. Then using the CPU fan. Then using the utility meter.

    • (Score: 0) by Anonymous Coward on Friday February 24 2017, @04:51PM

      by Anonymous Coward on Friday February 24 2017, @04:51PM (#471167)

      What about this: Use the user's mood to transmit information. It only works with an extremely low bitrate, and you'll have to study the user well to calibrate your transmission, but the basic idea is this: Depending on the data to transmit, the malware causes errors at specific times. Those errors enrage the user, and that is detected by software monitoring the user through a hacked security camera. As a bonus, the computer itself need not be visible on the camera image. ;-)

    • (Score: 1) by Scruffy Beard 2 on Friday February 24 2017, @06:20PM

      by Scruffy Beard 2 (6030) on Friday February 24 2017, @06:20PM (#471224)

      The new "smart meters" may be able to exfiltrate data at a decent data rate. At least one bit per minute anyway. You can possibly encode several bits into each sample interval, depending on what else is hanging off the meter, and CPU utilization from legitimate tasks.

    • (Score: 0) by Anonymous Coward on Friday February 24 2017, @06:35PM

      by Anonymous Coward on Friday February 24 2017, @06:35PM (#471233)

      As a computer security 'hanger on', I can say that one man's paper mill is another man's interesting read. I could say the same thing about printers of certain kinds of books. In the modern digital world, it's easy to forget some of the roots that got us here. We pretend that computers are all digital, virtual, 'in the cloud' and that it's safe. We're learning however that the physicality of the computer system itself is an attack surface for the determined. If your job is defending a computer system against all forms of compromise, you'd be very interested in this paper mill.

      • (Score: 0) by Anonymous Coward on Friday February 24 2017, @09:20PM

        by Anonymous Coward on Friday February 24 2017, @09:20PM (#471324)

        "You have code running on the machine that produces an observable effect, and that effect is then observed. Therefore, you can send a message over that channel."

        That was the "innovative" discovery. But that would only be one paper; instead they have their friends on the program committee accept a paper every year with just the specific effect substituted out.

  • (Score: 1, Redundant) by fritsd on Friday February 24 2017, @04:34PM

    by fritsd (4586) on Friday February 24 2017, @04:34PM (#471162) Journal

    You're much better off with systemd.

    Systemd has got a module to show large and informative QR codes [github.com] on-screen.

    Much better bandwidth and error correction than that tedious fuffing around with harddisk lights! Air-gap-hopping for the 21st century!11!

    </sarc>

    • (Score: 0) by Anonymous Coward on Friday February 24 2017, @04:48PM

      by Anonymous Coward on Friday February 24 2017, @04:48PM (#471166)

      Except that it would be obvious that something is amiss to anyone using the compromised system. I think the intent here is subterfuge to allow the unorthodox transmission method to work unnoticed. Who would notice yet another blinking light? Just look at this thing [wikipedia.org] to get an idea of what I'm hinting at here.

  • (Score: 2, Interesting) by TheSouthernDandy on Friday February 24 2017, @05:54PM

    by TheSouthernDandy (6059) on Friday February 24 2017, @05:54PM (#471214)

    the size of the buffer being written or read is proportional to the amount of time the LED stays on

    That's great, but it says nothing about the contents of the buffer, right? An identical pattern of on and off could be observed writing nuclear codes, or a cat picture. So how exactly will "data" get stolen, aside from the patterns of free space on the drive (which would tend to determine the size of contiguous data written)?

    Perhaps just my ignorance of I/O details, though. Didn't read the paper either, so more ignorance there. At any rate, summary-of-the-summary-page and the summary page itself don't seem to convey why this is important...

    • (Score: 1) by Scruffy Beard 2 on Friday February 24 2017, @06:24PM

      by Scruffy Beard 2 (6030) on Friday February 24 2017, @06:24PM (#471227)

      I think the idea is that you can do dummy read/writes after using your malware to capture and encode the sensitive data.

    • (Score: 0) by Anonymous Coward on Friday February 24 2017, @06:48PM

      by Anonymous Coward on Friday February 24 2017, @06:48PM (#471247)

      This is not meant to be a TEMPEST-like attack to read data from an uncompromised system.

      The idea is, assuming you somehow have a means to get malware onto an air-gapped system, how does that malware report data back? You can't rely on reversing the original vector, after all; it could be as simple as dropping malware-infested USB drives in the parking lot, and even a moron who would plug such a lucky find into the air-gapped system isn't going to obligingly drop it back in the parking lot the next day. (But maybe if we leave a note on it asking nicely...)

      Known options for exfiltrating data from malware running on an airgapped system include writing the data to any removable storage devices, in hopes that they are later plugged into a compromised non-airgapped computer; sending ultrasonics using the air-gapped system's speakers, and receiving them with a compromised non-airgapped system's microphone; and the like.

      This paper examines the option of having your malware make a carefully constructed sequence of writes of junk data to a junk file, causing the hard drive LED to blink in a sequence encoding the data to be exfiltrated. Yes, there are some serious difficulties (interference if any other process writes to the drive at the same time, difficulty of placing a suitable camera with line of sight), but it's still well worth knowing about; it can be 100% prevented by simply removing/unplugging the hard drive LED.

      • (Score: 2) by maxwell demon on Friday February 24 2017, @08:32PM

        by maxwell demon (1608) on Friday February 24 2017, @08:32PM (#471303) Journal

        But maybe if we leave a note on it asking nicely...

        A note on the stick would probably draw some suspicion. But what about a note a few days later in the same parking lot about a lost memory stick with important data on it; anyone who has found it please put it at a certain place where you can fetch it?

        --
        The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 2) by Runaway1956 on Friday February 24 2017, @06:40PM

    by Runaway1956 (2926) Subscriber Badge on Friday February 24 2017, @06:40PM (#471241) Journal

    If you've nothing to hide, you have no worries, Citizen! Let the blinkies wink!

  • (Score: 0) by Anonymous Coward on Friday February 24 2017, @07:04PM

    by Anonymous Coward on Friday February 24 2017, @07:04PM (#471263)

    Every few months another one of these worthless air-gap experiments comes out. Have we established that if a machine is able to affect the world around it (via light patterns, sound waves, heat) significantly enough for another machine to notice, they can communicate? Or do we need to prove computers can talk via variable fan oscillation next?

  • (Score: 2) by xpda on Friday February 24 2017, @11:13PM

    by xpda (5991) on Friday February 24 2017, @11:13PM (#471359) Homepage

    That was a high transmission rate for dialup in the 1970s, not so much now. It also works only if the malware is installed on the air-gapped PC, and if the optical receiver is within sight during data transfer. It's not something I'll lose sleep over.

  • (Score: 2) by Bot on Saturday February 25 2017, @06:22PM

    by Bot (3902) on Saturday February 25 2017, @06:22PM (#471561) Journal

    > LEDs can blink up to 6,000 times per second
    So the malware must get to the LED, not to the write mechanism, which is likely not to blink so fast. OK, so it gets root.
    and the camera picking it up?
    Compromised security camera: from 30 down to .1 fps
    Drone 60 fps
    Expensive drone with big ass camera? 300fps? (Yes there are highspeed cameras but other than high fps it must have high light gathering ability because the led is indoor and far away and rather weak)

    - "Officer Meddlinkov, we are ready."
    - "Good, Drone ready?"
    - "Drone in position, recording, malware active"
    - "Good, give me those documents"
    - "Here is the new troop deployment scheme sir"
    - "wew that was fast"
    - "Well it was on display on the screen and the drone caught it."
    - "Oh I see, what about the root password?"
    - "malware has root privileges to control the led, i guess we can set a new root password if we want?"
    - "Good! and BTW, how did we get to put malware on an airgapped pc?"
    - "The operator, sir, is one of ours"
    - "but... WTF are we doing here then, spying on our people?"
    - "Yes, but so much effort went into this led spying thing that nobody points it out."
    - "Good good, finally an assignment I can't fail. Bring some prostitutes before the thing here gets tedious."
    - "Right away sir."

    --
    Account abandoned.