
Malware Lets a Drone Steal Data by Watching a Computer’s Blinking LED


Malyse

Member
A FEW HOURS after dark one evening earlier this month, a small quadcopter drone lifted off from the parking lot of Ben-Gurion University in Beersheba, Israel. It soon trained its built-in camera on its target, a desktop computer’s tiny blinking light inside a third-floor office nearby. The pinpoint flickers, emitting from the LED hard drive indicator that lights up intermittently on practically every modern Windows machine, would hardly arouse the suspicions of anyone working in the office after hours. But in fact, that LED was silently winking out an optical stream of the computer’s secrets to the camera floating outside.

That data-stealing drone, shown in the video, works as a Mr. Robot-style demonstration of a very real espionage technique. A group of researchers at Ben-Gurion’s cybersecurity lab has devised a method to defeat the security protection known as an “air gap,” the safeguard of separating highly sensitive computer systems from the internet to quarantine them from hackers. If an attacker can plant malware on one of those systems—say, by paying an insider to infect it via USB or SD card—this approach offers a new way to rapidly pull secrets out of that isolated machine. Every blink of its hard drive LED indicator can spill sensitive information to any spy with a line of sight to the target computer, whether from a drone outside the window or a telescopic lens from the next roof over.

An air gap, in computer security, is sometimes seen as an impenetrable defense. Hackers can’t compromise a computer that’s not connected to the internet or other internet-connected machines, the logic goes. But malware like Stuxnet and the Agent.btz worm that infected American military systems a decade ago have proven that air gaps can’t entirely keep motivated hackers out of ultra-secret systems—even isolated systems need code updates and new data, opening them to attackers with physical access. And once an air-gapped system is infected, researchers have demonstrated a grab bag of methods for extracting information from them despite their lack of an internet connection, from electromagnetic emanations to acoustic and heat signaling techniques—many developed by the same Ben-Gurion researchers who generated the new LED-spying trick.

But exploiting the computer’s hard drive indicator LED has the potential to be a stealthier, higher-bandwidth, and longer-distance form of air-gap-hopping communications. By transmitting data from a computer’s hard drive LED with a kind of Morse-code-like pattern of on and off signals, the researchers found they could move data as fast as 4,000 bits a second, or close to a megabyte every half hour. That may not sound like much, but it’s fast enough to steal an encryption key in seconds. And the recipient could record those optical messages to decode them later; the malware could even replay its blinks on a loop, Guri says, to ensure that no part of the transmission goes unseen.

The technique also isn’t as limited in range as other clever systems that transmit electromagnetic signals or ultrasonic noises from speakers or a computer’s fans. And compared to other optical techniques that use the computer’s screen or keyboard light to secretly transmit information, the hard-drive LED indicator—which blinks anytime a program accesses the hard drive—routinely flashes even when a computer is asleep. Any malware that merely gains the ability of a normal user, rather than deeper administrative privileges, can manipulate it. The team used a Linux computer for their testing, but the effects should be the same on a Windows device.

“The LED is always blinking as it’s doing searching and indexing, so no one suspects, even in the night,” says Guri. “It’s very covert, actually.”

https://www.wired.com/2017/02/malware-sends-stolen-data-drone-just-pcs-blinking-led/
 
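The article excerpt above notes that the indicator blinks whenever a program touches the disk, so anything driving the LED at thousands of symbols per second has to issue thousands of tiny disk operations per second. As an added example (not from the thread, the Wired article or the Ben-Gurion researchers), here is a host-side check that compares two /proc/diskstats snapshots and flags a device with a very high operation rate but almost no data moved. The heuristic, its thresholds and the constructed snapshots are assumptions for illustration; the /proc/diskstats field layout is the real Linux one.

```python
"""Heuristic check for LED-signalling disk activity (added example, not from the thread).

Assumption (hypothetical heuristic): malware modulating the HDD LED must issue
thousands of tiny disk operations per second that move almost no data, so two
/proc/diskstats snapshots taken a known interval apart should show a device
with very high IOPS and a very small bytes-per-operation figure.  Ordinary
workloads, even busy ones, move far more bytes per operation.
"""
import time

SECTOR_BYTES = 512   # /proc/diskstats counts 512-byte units regardless of device sector size


def parse_diskstats(text):
    """Map device name -> (reads, sectors_read, writes, sectors_written).

    /proc/diskstats fields: major minor name reads reads_merged sectors_read
    ms_reading writes writes_merged sectors_written ms_writing ...
    """
    stats = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue
        stats[f[2]] = (int(f[3]), int(f[5]), int(f[7]), int(f[9]))
    return stats


def io_rates(before, after, seconds):
    """Per device: (operations per second, average bytes per operation) between two snapshots."""
    rates = {}
    for dev, (r0, sr0, w0, sw0) in before.items():
        if dev not in after:
            continue
        r1, sr1, w1, sw1 = after[dev]
        ops = (r1 - r0) + (w1 - w0)
        moved = ((sr1 - sr0) + (sw1 - sw0)) * SECTOR_BYTES
        rates[dev] = (ops / seconds, moved / ops if ops else 0.0)
    return rates


def suspicious_devices(rates, min_iops=1000.0, max_bytes_per_op=4096.0):
    """Devices whose activity looks like signalling rather than data transfer.

    The thresholds are assumptions chosen for this example; tune them per host.
    """
    return sorted(dev for dev, (iops, bpo) in rates.items()
                  if iops >= min_iops and bpo <= max_bytes_per_op)


# Constructed snapshots one second apart.  sda is an ordinary busy disk
# (210 ops, about 40 KiB each); sdb shows 4200 single-sector reads in one
# second, the kind of trace a 4000 bit/s LED modulator would leave.
SNAPSHOT_BEFORE = """\
   8       0 sda 1000 0 80000 120 500 0 40000 80 0 200 200
   8      16 sdb 5000 0 10000 30 200 0 400 10 0 40 40
"""
SNAPSHOT_AFTER = """\
   8       0 sda 1150 0 92000 140 560 0 44800 90 0 230 230
   8      16 sdb 9200 0 14200 900 200 0 400 10 0 900 900
"""


def check_constructed():
    """Run the heuristic over the constructed snapshots; returns (rates, flagged)."""
    rates = io_rates(parse_diskstats(SNAPSHOT_BEFORE), parse_diskstats(SNAPSHOT_AFTER), 1.0)
    return rates, suspicious_devices(rates)


def check_live(interval=1.0):
    """Sample the real /proc/diskstats twice (Linux only); returns (rates, flagged)."""
    with open("/proc/diskstats") as fh:
        before = parse_diskstats(fh.read())
    time.sleep(interval)
    with open("/proc/diskstats") as fh:
        after = parse_diskstats(fh.read())
    rates = io_rates(before, after, interval)
    return rates, suspicious_devices(rates)


if __name__ == "__main__":
    rates, flagged = check_constructed()
    for dev, (iops, bpo) in rates.items():
        print(f"{dev}: {iops:.0f} ops/s, {bpo:.0f} bytes/op")
    print("suspicious:", flagged)
```

On the constructed data sda comes out at 210 ops/s and about 40 KiB per operation, while sdb shows 4200 ops/s at 512 bytes each and is the only device flagged. A check like this only complements the physical fixes the thread discusses (pulling the LED header, covering the indicator, keeping machines out of line of sight); it cannot tell signalling from a legitimate small-I/O workload such as a database, so treat a hit as a prompt to look at which process is generating the activity.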

rrs

Member
I could see this working, unlike, say, that ultrasonic infection Ghost in the Shell bullshit.
Can't you disable the LED or just rip it out?
or just pull the header out, it's honestly a leftover from earlier days of computing where disk drive usage was kept as low as possible so no blinking light meant something was up
 
Can't you disable the LED or just rip it out?
Or cover it with tape?
[attached image]
 

SiteSeer

Member
Can't you disable the LED or just rip it out?
of course but the point is that this technique is hidden in plain sight. an infected air gapped computer is spilling its secrets in "morse code" while you think it's just accessing data as normal.
 

Trojita

Rapid Response Threadmaker
You need physical access

The airgapped system needs to be visible from a window with the led visible as well.

Large files would require a drone that could keep a level state for a long time without running out of battery
 

Bregor

Member
And the air gapped system would already have to be infected by malicious software that uses the LED to transmit the data.
 

Weckum

Member
Hacking air gapped computers is becoming easier and easier, it's scary:

Researchers Hack Air-Gapped Computer With Simple Cell Phone

https://www.wired.com/2015/07/researchers-hack-air-gapped-computer-simple-cell-phone/

Clever Attack Uses the Sound of a Computer's Fan to Steal Data

https://www.wired.com/2016/06/clever-attack-uses-sound-computers-fan-steal-data/

New Hack Uses Hard Drive's Noise to Transfer Stolen Data from Air-Gapped Computer

https://thehackernews.com/2016/08/air-gapped-computer-hacking.html


Of course, one has to be physically present at this point to be able to steal the data.
 
I don't know about you guys, but any time I'm working on a computer too secure to ever connect to the internet I like to just plop it out somewhere in clear view of the sky.
 

Bregor

Member
How else would you access an offline machine?!

To me the idea that a compromised machine is compromised isn't noteworthy. Finding ways to get data off the machine is cute, but it doesn't really imply a security risk. The security failing was allowing the malware on the computer in the first place.
 

Breakage

Member
This is gonna be a gadget in the next Splinter Cell.

How does the malware get on there in the first place tho? Is it really just a case of exploiting human curiosity? eg. drop a usb with a "TOP SECRET pictures" sticker on it and hope a user picks it up and plugs it in.
 

shiba5

Member
We were never allowed to open the window blinds at work because of stuff like this. All the real sensitive stuff was in windowless SCIFs.
 

Somnid

Member
4,000 bits a second would require a 4000 fps camera as you could not differentiate the blinking between frames otherwise.

Anyway there are much cooler techniques like causing the CPU or other devices to emit radio frequencies to transmit data. You wouldn't even need direct line of sight (but the carry distance is much smaller).
 
Let's remember that this requires a freaking drone to fly up and peek through someone's window. I don't think this is a concern unless your computer contains nuclear codes or something. In which case, that computer really shouldn't have any LEDs, or speakers, etc.

Now, about Donald Trump's Android phone...
 

Koomaster

Member
Am I misunderstanding something here? For this to work you already have to have someone physically access the computer to install the malware... why not just have them copy what files you need on a usb? Seems it would be faster and less needlessly complex if you already have someone on the inside with access to the computer.

Also what ultra secure computer is facing a window? You could just break in and grab the computer and leave. Like what the hell? xD
 

Ocara

Member
So I guess the next step is buildings with no windows.

From what I've heard from a coworker who used to do high-clearance government work, anything that sensitive already takes place in unmarked buildings that have no windows and are more like a bunker. Probably not concerned with this particular tech.

This seems more like something that could be used in corporate espionage or other lower security installations.
 
Am I misunderstanding something here? For this to work you already have to have someone physically access the computer to install the malware... why not just have them copy what files you need on a usb? Seems it would be faster and less needlessly complex if you already have someone on the inside with access to the computer.

Also what ultra secure computer is facing a window? You could just break in and grab the computer and leave. Like what the hell? xD

The goal here is to have it done unknowingly by an innocent party. For example by swapping a USB key meant for an update with a compromised one. And then when the innocent engineer updates the computer, the virus gets installed and the HDD LED begins spewing out code for your drone to read.
 

Jag

Member
If nothing else, it will be fun to see the conspiracy people with fully taped PCs!

Pretty soon my entire PC and monitor are going to be covered in duct tape.

Already started.

The goal here is to have it done unknowingly by an innocent party. For example by swapping a USB key meant for an update with a compromised one. And then when the innocent engineer updates the computer, the virus gets installed and the HDD LED begins spewing out code for your drone to read.

Mossad has mastered the honey pot. Try saying no to Gal Gadot as she slips her USB into your slot.
 

Arulan

Member
Hah, I knew I disabled my HDD LED header for a good reason!
I didn't want a useless blinking light at night.

That's pretty clever though.
 

TAJ

Darkness cannot drive out darkness; only light can do that. Hate cannot drive out hate; only love can do that.
4,000 bits a second would require a 4000 fps camera as you could not differentiate the blinking between frames otherwise.

Anyway there are much cooler techniques like causing the CPU or other devices to emit radio frequencies to transmit data. You wouldn't even need direct line of sight (but the carry distance is much smaller).

Google 'fastest camera frame rate' and prepare to have your mind blown.
And there are a lot of 20,000fps videos on YouTube because those cameras are pretty affordable.
 
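Somnid's point that 4,000 bits a second needs a camera fast enough to tell consecutive blinks apart, and TAJ's reply that such frame rates are affordable, come down to a sampling question. The simulation below is an added example (not from the thread or the researchers): it models an LED driven with on-off keying at a given symbol rate and a camera capturing one frame per 1/fps seconds, and reports what fraction of symbol slots receive any frame at all. The bit pattern is constructed and frame capture is idealised as instantaneous and centred in each frame interval; both are assumptions of the example.

```python
"""Camera frame rate versus LED symbol rate (added example, not from the thread).

Model: an LED holds level bits[i] for the whole of symbol slot i, which spans
[i / bit_rate, (i + 1) / bit_rate).  A camera at `fps` takes one instantaneous
frame per interval, centred in that interval (an assumption of this example).
A slot that receives no frame cannot be read at all; a slot that receives at
least one frame is read exactly, because the level is constant for the slot.
Exact rational arithmetic avoids float rounding at slot boundaries.
"""
from fractions import Fraction


def frame_times(n_symbols, bit_rate, fps):
    """Yield capture instants, centred in each frame interval, until the transmission ends."""
    duration = Fraction(n_symbols, bit_rate)
    k = 0
    while True:
        t = Fraction(2 * k + 1, 2 * fps)
        if t >= duration:
            return
        yield t
        k += 1


def recover(bits, bit_rate, fps):
    """Return (readings, coverage).

    readings[i] is the bit seen in slot i, or None when no frame fell inside
    that slot; coverage is the fraction of slots that were seen at all.
    """
    readings = [None] * len(bits)
    for t in frame_times(len(bits), bit_rate, fps):
        i = int(t * bit_rate)        # symbol slot containing this frame
        readings[i] = bits[i]        # the LED level is the bit for the whole slot
    coverage = sum(r is not None for r in readings) / len(bits)
    return readings, coverage


def coverage_sweep(bits, bit_rate, fps_values):
    """Coverage for each candidate camera frame rate, as {fps: coverage}."""
    return {fps: recover(bits, bit_rate, fps)[1] for fps in fps_values}


# Constructed one-second transmission at the article's 4,000 bits per second.
BIT_RATE = 4000
BITS = [((i * 37) % 11) & 1 for i in range(BIT_RATE)]


if __name__ == "__main__":
    for fps, cov in coverage_sweep(BITS, BIT_RATE, [30, 1000, 2400, 4000, 8000]).items():
        print(f"{fps:5d} fps -> {cov:.4f} of symbol slots observed")
```

With frames centred in their intervals, coverage is fps / bit_rate until fps reaches the symbol rate and 1.0 from there on, which is the relationship behind Somnid's post: a 30 fps camera sees 30 of the 4,000 slots in a second, a 1,000 fps camera a quarter of them, and only at 4,000 fps or above is every slot observed. The idealisation is generous to the observer: a real exposure that straddles a slot boundary blends two symbols, so in practice more than one frame per symbol is needed, which is why the affordable high-speed cameras TAJ mentions matter for the distance and bandwidth claims. From the defender's side the same arithmetic gives the opposite lever: an indicator that is disconnected or covered has a symbol rate of zero whatever the camera.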
The problem with these exploits on air-gap systems is they almost invariably require an actor with inside access to plant malware with a USB stick of some variety. If you have an inside actor with physical access to the machines, it's very unlikely you'd need to actually USE this exploit.

There are others that can do the same with the audio from the fan speed, or thermal from the heat produced by the system, things like that. The only advantage would be planting the malware and getting continued monitoring of the infected system. Problem with that is you'd need to fly your drone regularly and that would cause someone to notice at some point.
 

low-G

Member
I'll be more impressed when a drone can sense the electromagnetic waves emitted from a CPU and correctly analyze all functionality in real time.

This air-gapped computer never outputs any files or anything, nothing ever sent to a terminal? There's gotta be a better way to get info out.
 
The problem with these exploits on air-gap systems is they almost invariably require an actor with inside access to plant malware with a USB stick of some variety. If you have an inside actor with physical access to the machines, it's very unlikely you'd need to actually USE this exploit.

There are others that can do the same with the audio from the fan speed, or thermal from the heat produced by the system, things like that. The only advantage would be planting the malware and getting continued monitoring of the infected system. Problem with that is you'd need to fly your drone regularly and that would cause someone to notice at some point.

That's what I'm getting from it too. A kinda cool development I guess but largely useless due to the needs of hands nearby to initiate it more or less negating the actual functionality. Wouldn't the malware also be detected eventually if used to monitor over time? If so, wouldn't it essentially be more risky than simply having the guy who would infect the system just rip what he wants on the spot?
 

ColdPizza

Banned
4,000 bits a second would require a 4000 fps camera as you could not differentiate the blinking between frames otherwise.

Anyway there are much cooler techniques like causing the CPU or other devices to emit radio frequencies to transmit data. You wouldn't even need direct line of sight (but the carry distance is much smaller).

True, but in my experience most buildings that would host sensitive data like this would have spotty radio reception to begin with (concrete walls, steel beams). Would be hit or miss.
 

Brakke

Banned
I think the moral of the story here is less that this is some foolproof technique but more it goes to illustrate that a truly dedicated adversary can find a way to defeat you if you're at all casual in your security measures.
 