Drones can steal data from infected PCs by spying on blinking LEDs

Imagine you’re sitting in an office building at night, the only light coming from the blinking of your hard drive’s LED. Imagine a drone, hovering outside your window, peering in.

Are you being snooped on by a peeping Tom?

Maybe. Or, as researchers have demonstrated, you might not be of interest at all to whoever’s operating the quadcopter. Rather, they could be reading the blinking LED lights as if they made up a form of optical Morse code, intercepting strings of data that malware might have caused the system to encode and transmit.

Such data can stream at fast enough rates to include encryption keys, keystroke logging, or text and binary files, the researchers say.

Researchers at Ben-Gurion University’s Negev Cyber Security Research Center this month demonstrated this type of espionage technique: one that can defeat an air gap. An air gap is a network security measure in which highly sensitive computers are physically isolated, kept away from both the public internet and unsecured local area networks, and from the hackers who could get at their data.

The researchers showed their demonstration in a video.

Granted, for such an attack to work, the hackers would first need to infect a targeted system with malware. As the researchers describe in their paper (PDF), such malware could be used to control the LED of a system’s hard disk drive, turning it off and on at a rate of up to 5,800 blinks per second: faster than human eyes can detect.

For air-gapped systems, that dirty work would have to be carried out by an insider: somebody who could infect a system with a USB or SD card, for example (I can’t help wondering if an attacker with that much access would need to resort to this kind of elaborate exfiltration trick).

After the machine’s infected, there are a number of ways an attacker could pick up on the encoded LED blinks. Hiding a camera internally would work, as would a camera carried by a malicious insider – as long as the receiving camera has a line of sight to the front panel of the transmitting, infected computer.

The drone approach works, too, as the researchers showed. A camera installed on a drone that’s flown to a spot where it has line of sight with the front panel of the transmitting computer – such as near the window – can pick up data, though they said that this type of receiver is relevant for leaking a small amount of data, including encryption keys.

This type of attack is called a side-channel attack. Such attacks exploit a system’s physical parts – be they fans, LED lights, stray sounds, or WiFi emissions – as opposed to targeting a system by weaknesses in its algorithms or by brute force.

In other words, you don’t directly try to eavesdrop on the actual process or procedure that’s your target in a side-channel attack. Instead, you listen in to the side effects it causes and figure out what’s going on indirectly.

How to fend off the peeping drones

Fortunately, some of the countermeasures against the blinking-LED attacks are not only cheap; they’re also low-tech. You could just disconnect a computer’s LED light, for one thing, or just cover it with black tape. You could also pick up window film that shields computers from electronic eavesdropping.

Then again, you could always just move the air-gapped PC away from the windows, or to a room that doesn’t have windows at all.
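
Why something as crude as black tape is enough, as an added example (not code from the researchers' paper): the simulation below models the blinking LED as simple on-off keying, which is an assumption since the article only likens it to "optical Morse code", and measures how many bits a sensor gets wrong with a clear view versus a covered LED. The function names, the noise level and the test payload are all constructed for illustration.

```python
# Added illustration, not code from the researchers' paper.
# Assumption: plain on-off keying (LED on = 1, off = 0), one bit per blink slot.
import random

BLINK_RATE = 5800  # blinks per second, the maximum rate quoted in the article


def to_bits(data: bytes) -> list[int]:
    """Most-significant bit first."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def observe(bits, sample_rate, contrast, noise=0.05, seed=1):
    """Brightness samples seen by a sensor with line of sight to the LED.

    contrast is the share of LED light reaching the sensor (0.0 = taped over);
    noise is the standard deviation of constructed Gaussian sensor noise.
    """
    rng = random.Random(seed)
    n_samples = int(len(bits) * sample_rate / BLINK_RATE)
    return [
        contrast * bits[int(k * BLINK_RATE / sample_rate)] + rng.gauss(0, noise)
        for k in range(n_samples)
    ]


def decode(samples, n_bits, sample_rate):
    """Average the samples in each blink slot and compare with a mid threshold."""
    threshold = (max(samples) + min(samples)) / 2
    per_slot = sample_rate / BLINK_RATE
    bits = []
    for slot in range(n_bits):
        chunk = samples[int(slot * per_slot):int((slot + 1) * per_slot)]
        # A slot the sensor never sampled carries no information: read it as 0.
        bits.append(int(bool(chunk) and sum(chunk) / len(chunk) > threshold))
    return bits


def bit_error_rate(data, sample_rate, contrast):
    sent = to_bits(data)
    got = decode(observe(sent, sample_rate, contrast), len(sent), sample_rate)
    return sum(s != g for s, g in zip(sent, got)) / len(sent)


if __name__ == "__main__":
    payload = bytes(range(256))  # constructed test data, half ones and half zeros
    for label, rate, contrast in [("clear view", 4 * BLINK_RATE, 1.0),
                                  ("LED taped over", 4 * BLINK_RATE, 0.0)]:
        print(f"{label}: bit error rate {bit_error_rate(payload, rate, contrast):.2f}")
```

A bit error rate near 0.5 means the recovered bits are no better than coin flips, which is what the covered LED produces.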