Bust the password for an air-gapped machine – with its keyboard LEDs

Here’s a Hollywood scenario for you: elite hacker Jack wants to get some top secret security codes from a locked down computer inside a government facility, guarded by sharks with lasers. And the computer is air-gapped – it isn’t connected to a network! Is Jack fazed? Not at all.

He gets the office cleaner to infect the computer with his own custom malware. Then, he dons his haxxor sunglasses and breaks into the security camera watching the room containing the target computer. He points it at the infected computer’s keyboard, and then the malware uses the keyboard’s LED lights to communicate the secret password! The security camera sends him the video, which he then uses to ‘read’ the LEDs and reconstitute the code.

If that sounds as unrealistic as most Hollywood hacker movies, think again. Researchers at Israel’s Ben-Gurion University have developed a technique for reading data from air-gapped PCs using LEDs. Cue dynamic hacker music now.

How does it work?

First, you’d have to get the malware onto the target machine so that it would be able to manipulate the keyboard. Ideally, you want a detachable keyboard with three LED lights (caps lock, num lock, and scroll lock).

The malware collects the data it wants to steal from the PC. It then arranges the data into a series of frames, comprising a preamble (announcing the start of the frame), an agreed number of bits constituting the actual data being transmitted (the researchers used 256 bits) and then a checksum to ensure that the data arrived properly. It transmits these frames in three-bit chunks by switching each of the three LEDs on or off.

To read that data, you need an optical receiver that can see the LED. The team suggests a hidden camera in the room (or a compromised IPTV security camera). Alternatively, assuming that an air-gapped PC isn’t in a windowless room, they say that you could use a high-resolution camera outside the building that can see the LEDs from afar.

‘Evil maid’

The problem lies in lining the camera up with the LEDs. As the researchers point out, the viewing distance shrinks if you can’t align the optical sensor to see all the LEDs properly and distinguish them from each other. However, if the attacker is on the premises, then they could wear a camera, perhaps in the form of a smartwatch, allowing them to get up close. This is known as an ‘evil maid’ attack, in which the attacker gains brief physical access to a device that has already been compromised.

To process the video, the researchers used an open source computer vision library which could interpret the brightness of each LED in the image as either on or off, recreating the data at the receiving end.
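To make the frame format and the receiver side concrete, here is an added simulation of the channel described above. It is not code from the article or from the Ben-Gurion researchers; it models the sender (preamble, a 256-bit data field and a checksum, sent three bits at a time as caps/num/scroll-lock states) and the receiver (per-LED brightness readings thresholded to on/off, reassembled into frames and checked). The 12-bit preamble pattern, the 8-bit additive checksum, the brightness ranges and the threshold value are assumptions chosen for illustration; the page does not give the researchers’ actual choices. No hardware is touched: the “camera” is a constructed list of brightness readings.

```python
"""Model of the three-LED optical channel (added example, not the researchers' code).

Sender: payload -> frames (preamble + 256 data bits + checksum) -> 3-bit symbols.
Receiver: brightness readings -> bits -> frames -> payload, with checksum check.
Assumed here (not from the article): the preamble pattern, the additive checksum,
the simulated brightness ranges and the on/off threshold.
"""
import random
from typing import List, Optional, Tuple

PREAMBLE = [1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0]  # assumed 12-bit sync pattern
DATA_BITS = 256                                  # per-frame data size the researchers used
CHECKSUM_BITS = 8                                # assumed: sum of payload bytes mod 256
BRIGHTNESS_THRESHOLD = 128                       # readings above this count as "LED on"

LedSymbol = Tuple[int, int, int]                 # (caps lock, num lock, scroll lock)


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit list for a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Inverse of bytes_to_bits; len(bits) must be a multiple of 8."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def checksum_bits(payload: bytes) -> List[int]:
    """Assumed checksum: one byte, the sum of the payload bytes modulo 256."""
    return bytes_to_bits(bytes([sum(payload) & 0xFF]))


def build_frames(payload: bytes) -> List[List[int]]:
    """Split the payload into 32-byte blocks (zero-padded) and wrap each in a frame."""
    block_len = DATA_BITS // 8
    frames = []
    for i in range(0, len(payload), block_len):
        block = payload[i:i + block_len].ljust(block_len, b"\x00")
        frames.append(PREAMBLE + bytes_to_bits(block) + checksum_bits(block))
    return frames


def frame_to_led_states(frame: List[int]) -> List[LedSymbol]:
    """Three bits per symbol, one per LED; pad with zeros to a multiple of three."""
    bits = frame + [0] * (-len(frame) % 3)
    return [(bits[i], bits[i + 1], bits[i + 2]) for i in range(0, len(bits), 3)]


def simulate_camera(states: List[LedSymbol], seed: int = 1) -> List[Tuple[int, int, int]]:
    """Constructed 0-255 brightness readings per LED, with sensor noise (assumed ranges)."""
    rng = random.Random(seed)
    return [tuple(rng.randint(180, 255) if on else rng.randint(0, 70) for on in s)
            for s in states]


def readings_to_bits(readings: List[Tuple[int, int, int]]) -> List[int]:
    """The receiver's only decision: is each LED brighter than the threshold?"""
    return [1 if level > BRIGHTNESS_THRESHOLD else 0 for sample in readings for level in sample]


def decode_frames(bits: List[int]) -> List[Tuple[bytes, bool]]:
    """Locate each preamble, extract data + checksum, report whether the checksum held."""
    frame_len = len(PREAMBLE) + DATA_BITS + CHECKSUM_BITS
    results, i = [], 0
    while i + frame_len <= len(bits):
        if bits[i:i + len(PREAMBLE)] == PREAMBLE:
            data_start = i + len(PREAMBLE)
            payload = bits_to_bytes(bits[data_start:data_start + DATA_BITS])
            received_sum = bits[data_start + DATA_BITS:i + frame_len]
            results.append((payload, checksum_bits(payload) == received_sum))
            i += frame_len
        else:
            i += 1  # not yet synchronised: slide one bit and look again
    return results


def run_channel(payload: bytes, corrupt_sample: Optional[int] = None) -> List[Tuple[bytes, bool]]:
    """End to end: encode, 'film', optionally misread one caps-lock sample, decode."""
    states = [s for frame in build_frames(payload) for s in frame_to_led_states(frame)]
    readings = simulate_camera(states)
    if corrupt_sample is not None:
        caps, num, scroll = readings[corrupt_sample]
        readings[corrupt_sample] = (255 - caps, num, scroll)  # camera missed one flicker
    return decode_frames(readings_to_bits(readings))


if __name__ == "__main__":
    secret = b"constructed-32-byte-key-for-test"  # constructed sample payload
    print(run_channel(secret))
    print(run_channel(secret, corrupt_sample=10))  # checksum fails on the damaged frame
```

The second call shows why the frame carries a checksum at all: a single misread LED in the data field produces a frame that parses fine but fails verification, so the receiver knows to discard it rather than trust a corrupted key. A misread inside the preamble instead costs the whole frame, because the receiver never synchronises to it.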

The device used determines the transmission speed, in combination with the speed at which the computer can flip the LEDs. A high-end security camera could read 45 bits per second when watching all three LEDs, while a Samsung Galaxy S7 could read data at between 45 and 130 bits per second. The higher number is down to the higher maximum number of frames per second it can shoot (up to 120, compared to the security camera’s 30). Either way, don’t try to Bittorrent the Matrix using this method. It’s strictly for encryption keys or passwords.

Things get much better when you use a photodiode, which converts light into electrical current and is capable of reading LED light at high rates. Although the photodiode can’t distinguish between different lights like a camera, it’s really good at sensing different brightness levels, so the researchers were still able to send multiple levels of signal using the lights in conjunction with each other. The photodiode received a maximum of 5,155 bits/sec with an error rate of 3.10%. At that speed it would take about two and a half days to transmit the Mueller report, so stick to short stuff only.

You can try to detect the malware to prevent this kind of attack (and you should be detecting malware regardless), but the most effective countermeasure is probably covering up the LEDs or using a keyboard that doesn’t have them.
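One host-side signal worth watching, as an added illustration that is not from the article: a person toggles caps, num or scroll lock a few times a minute, whereas a channel running at the article’s camera rate of 45 bits per second flips LED states dozens of times a second. The heuristic below parses a constructed log of lock-key LED state changes (the log format, the per-second threshold and the timestamps are all assumptions made for this example) and reports the busiest one-second window; a count far beyond human typing is a reason to pull the machine for malware analysis.

```python
"""Toggle-rate heuristic for lock-key LEDs (added example, not from the article).

Assumed log format (constructed): "<ISO timestamp> caps=<0|1> num=<0|1> scroll=<0|1>",
one record per observed LED state change. The human ceiling is an assumption.
"""
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MAX_HUMAN_TOGGLES_PER_SEC = 5  # assumed: nobody presses lock keys faster than this

LedState = Tuple[int, int, int]


def parse_led_log(lines: List[str]) -> List[Tuple[datetime, LedState]]:
    """Turn log records into (timestamp, (caps, num, scroll)) tuples."""
    events = []
    for line in lines:
        ts, *fields = line.split()
        state = tuple(int(f.split("=")[1]) for f in fields)
        events.append((datetime.fromisoformat(ts), state))
    return events


def count_toggles(events: List[Tuple[datetime, LedState]]) -> List[Tuple[datetime, int]]:
    """For each record after the first, how many individual LEDs changed state."""
    return [(t1, sum(a != b for a, b in zip(s0, s1)))
            for (t0, s0), (t1, s1) in zip(events, events[1:])]


def busiest_window(events: List[Tuple[datetime, LedState]],
                   window_s: float = 1.0) -> Tuple[int, Optional[datetime]]:
    """Largest number of LED flips inside any window_s-long window, and its start."""
    toggles = count_toggles(events)
    best: Tuple[int, Optional[datetime]] = (0, None)
    for i, (start, _) in enumerate(toggles):
        total = 0
        for t, n in toggles[i:]:
            if (t - start).total_seconds() > window_s:
                break
            total += n
        if total > best[0]:
            best = (total, start)
    return best


def covert_channel_suspected(lines: List[str], limit: int = MAX_HUMAN_TOGGLES_PER_SEC) -> bool:
    """True when some one-second window holds more flips than a human would produce."""
    count, _ = busiest_window(parse_led_log(lines))
    return count > limit


# Constructed sample: ordinary use over a few minutes.
HUMAN_LOG = [
    "2019-07-04T09:59:00.000 caps=0 num=1 scroll=0",
    "2019-07-04T10:00:00.000 caps=1 num=1 scroll=0",
    "2019-07-04T10:00:12.500 caps=0 num=1 scroll=0",
    "2019-07-04T10:03:40.000 caps=0 num=0 scroll=0",
]


def constructed_burst(start: datetime, symbols: int = 15, step_ms: int = 66) -> List[str]:
    """Constructed records for 15 three-bit symbols in under a second (~45 flips/sec),
    alternating between states that flip all three LEDs each time."""
    lines = []
    for k in range(symbols):
        t = start + timedelta(milliseconds=k * step_ms)
        caps, num, scroll = (1, 0, 1) if k % 2 == 0 else (0, 1, 0)
        stamp = t.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3]
        lines.append(f"{stamp} caps={caps} num={num} scroll={scroll}")
    return lines


COVERT_LOG = HUMAN_LOG + constructed_burst(datetime(2019, 7, 4, 10, 5, 0))

if __name__ == "__main__":
    print("human log suspicious:", covert_channel_suspected(HUMAN_LOG))
    print("covert log suspicious:", covert_channel_suspected(COVERT_LOG))
```

The threshold is deliberately generous: the point is not to catch a fast typist but to notice a pattern no typist produces. Covering or removing the LEDs, as the article says, is still the countermeasure that actually closes the channel; this only helps you find out that something on the host was trying to use it.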

Of course, if you can infect an air-gapped machine with malware in the first place, you can probably just have it slurp the data from the PC onto a USB stick and walk off with it. That wouldn’t look quite so good on film, though.

Air-gaps aren’t an impermeable barrier. Researchers at Ben-Gurion have been studying air-gapped data exfiltration for a while now. They previously transmitted data from an air-gapped computer using hard-drive LEDs and infra-red cameras, but also power lines, fan noise, and even magnetic signals emitted by the computer’s CPU.