Imagine you’re sitting in an office building at night, the only light coming from the blinking of your hard drive’s LED. Imagine a drone, hovering outside your window, peering in.
Are you being snooped on by a peeping Tom?
Maybe. Or, as researchers have demonstrated, you might not be of interest at all to whoever’s operating the quadcopter. Rather, they could be reading the blinking LED lights as if they made up a form of optical Morse code, intercepting strings of data that malware might have caused the system to encode and transmit.
Such data can stream at fast enough rates to include encryption keys, keystroke logging, or text and binary files, the researchers say.
Researchers at Ben-Gurion University’s Negev Cyber Security Research Center this month demonstrated this type of espionage technique: one that can defeat an air gap. An air gap is a network security measure in which highly sensitive computers are physically isolated, kept away from both the public internet or from unsecured local area networks and the hackers who could get at their data.
You can see their demonstration in this video:
Granted, for such an attack to work, the hackers would first need to infect a targeted system with malware. As the researchers describe in their paper (PDF), such malware could be used to control a system’s hard disk drive’s LED, turning it off and on at a rate of up to 5,800 blinks per second: faster than human eyes can detect.
For air-gapped systems, that dirty work would have to be carried out by an insider: somebody who could infect a system with a USB or SD card, for example (I can’t help wondering if an attacker with that much accesses would need to resort to these kind of elaborate exfiltration tricks).
After the machine’s infected, there are a number of ways an attacker could pick up on the encoded LED blinks. Hiding a camera internally would work, as would a camera carried by a malicious insider – as long as the receiving camera has a line of sight to the front panel of the transmitting, infected computer.
The drone approach works, too, as the researchers showed. A camera installed on a drone that’s flown to a spot where it has line of sight with the front panel of the transmitting computer – such as near the window – can pick up data, though they said that this type of receiver is relevant for leaking a small amount of data, including encryption keys.
This type of attack is called a side-channel attack. They exploit a system’s physical parts – be they fans, LED lights, stray sounds, or WiFi emissions – as opposed to targeting a system by weaknesses in its algorithms or by brute force.
In other words, you don’t directly try to eavesdrop on the actual process or procedure that’s your target in a side-channel attack. Instead, you listen in to the side effects it causes and figure out what’s going on indirectly.
We’ve written about these attacks quite a lot, as we’ve seen:
- The Fansmitter: a way to use computer fan speed to exfiltrate data on you, also brought to us courtesy of Ben-Gurion University researchers.
- The BadBIOS story from 2013, in which a Canadian researcher thought he might have discovered a strain of in-the-wild BIOS malware that could jump airgaps in a similar way.
- An Indian company that claimed to have a system for keeping track of what TV ads customers are watching, even on unconnected, non-smart-TVs, by embedding ultrasound in TV ads and picking it up on nearby mobile phones.
- A new type of attack using ultrasound to track Tor users.
- The surreptitious recording of the sound of keystrokes, or acoustic emanations, during a Skype voice or video call. The sounds can later be reassembled as text.
- A phone stealing a secret product prototype off your 3D printer by using smartphone sensors.
- The sound made by your computer being able to give away your encryption keys.
- “PowerSpy”: a way to track you by the power your phone’s using.
- Stealing ATM PINs with thermal cameras.
- Phones’ accelerometers being used to track you on the metro.
How to fend off the peeping drones
Fortunately, some of the countermeasures against the blinking-LED attacks are not only cheap; they’re also low-tech. You could just disconnect a computer’s LED light, for one thing, or just cover it with black tape. You could also pick up window film that shields computers from electronic eavesdropping.
Then again, you could always just move the air-gapped PC away from the windows, or to a room that doesn’t have windows at all.
2 comments on “Drones can steal data from infected PCs by spying on blinking LEDs”
LOL! This is so theoretical and improbable that it belongs on an episode of “The Lone Gunman.”
It’s still important to know about weaknesses that ‘can’ be exploited. I’ve often wondered if the hard disk LED leaks information this way. Presumably, the manufacturers could suppress the illuminations in such a way that would not indicate patterns or streams of data – although this may not give an accurate indication of disk activity.