Here’s a Hollywood scenario for you: elite hacker Jack wants to get some top secret security codes from a locked down computer inside a government facility, guarded by sharks with lasers. And the computer is air-gapped – it isn’t connected to a network! Is Jack fazed? Not at all.
He gets the office cleaner to infect the computer with his own custom malware. Then, he dons his haxxor sunglasses and breaks into the security camera watching the room containing the target computer. He points it at the infected computer’s keyboard, and then the malware uses the keyboard’s LED lights to communicate the secret password! The security camera sends him the video, which he then uses to ‘read’ the LEDs and reconstitute the code.
If that sounds as unrealistic as most Hollywood hacker movies, think again. Researchers at Israel’s Ben-Gurion University have developed a technique for reading data from air-gapped PCs using LEDs. Cue dynamic hacker music now.
How does it work?
First, you’d have to get the malware onto the target machine so that it would be able to manipulate the keyboard. Ideally, you want a detachable keyboard with three LED lights (caps lock, num lock, and scroll lock).
The malware collects the data it wants to steal from the PC. It then arranges the data into a series of frames, comprising a preamble (announcing the start of the frame), an agreed number of bits constituting the actual data being transmitted (the researchers used 256 bits) and then a checksum to ensure that the data arrived properly. It transmits these frames in three-bit chunks by switching each of the three LEDs on or off.
To read that data, you need an optical receiver that can see the LED. The team suggests a hidden camera in the room (or a compromised IPTV security camera). Alternatively, assuming that an air-gapped PC isn’t in a windowless room, they say that you could use a high-resolution camera outside the building that can see the LEDs from afar.
The problem lies in lining the camera up with the LEDs. As the researchers point out, the viewing distance shrinks if you can’t align the optical sensor to see all the LEDs properly and distinguish them from each other. However, if the attacker is on the premises, then they could wear a camera, perhaps in the form of a smartwatch, allowing them to get up close. This is known as an ‘evil maid’ attack, in which the attacker gains physical access to an already compromised device that enables them to access it.
To process the video, the researchers used an open source computer vision library which could interpret the brightness of each LED in the image as either on or off, recreating the data at the receiving end.
The device used determines the transmission speed, in combination with the speed at which the computer can flip the LEDs. A high-end security camera could read 45 bits per second when watching all three LEDs, while a Samsung Galaxy S7 could read data at between 45 and 130. The higher number is down to the higher maximum number of frames per second it can shoot (up to 120, compared to the security camera’s 30). Either way, don’t try to Bittorrent the Matrix using this method. It’s strictly for encryption keys or passwords.
Things get much better when you use a photodiode, which converts light into electrical current and is capable of reading LED light at high rates. Although the photodiode can’t distinguish between different lights like a camera, it’s really good at sensing different brightness levels, so the researchers were still able to send multiple levels of signal using the lights in conjunction with each other. The photodiode received a maximum 5155 bits/sec with an error rate of 3.10%. At that speed it would take about two and a half days to transmit the Mueller report, so stick to short stuff only.
You can try to detect the malware to prevent this kind of attack (and you should be detecting malware regardless), but the most effective countermeasure is probably covering up the LEDs or using a keyboard that doesn’t have them.
Of course, if you can infect an air-gapped machine with malware in the first place, you can probably just have it slurp the data from the PC onto the USB stick and walk off with it. That wouldn’t look quite so good on film, though.
Air-gaps aren’t an impermeable barrier. Researchers at Ben-Gurion have been researching air-gapped data exfiltration for a while now. The researchers previously transmitted data from an air-gapped computer using hard-drive LEDs, and infra-red cameras, but also power lines, fan noise, and even magnetic signals emitted by the computer’s CPU.
11 comments on “Bust the password for an air-gapped machine – with its keyboard LEDs”
Put a piece of tape of the scroll lock light, which nobody ever uses anyway. Something semi-translucent so you could see it sitting at the keyboard. Also, clog all the USB ports with a hot glue gun to defeat the initial infection.
Or we can just implement a security Policy that disables the USB ports.
What if the computer has to use an USB dongle for software licenses like some stuff requires?
Probably not the sort of software you want to choose for an air-gapped system in the first place.
Some software relies on regular (though not necessarily frequent) access to the internet to do some sort of cloud-based licensing validation…
…don’t want to use that, either.
Who leaves their computer on and connected to the internet anyways, especially if it is at an office and not at home?
I mean, if you’re pointing a camera at the keyboard can’t you just watch the person type the password? Maybe it takes a little bit to fully get it seems harder to infect a computer then setup a camera and read blinking lights which btw would seem pretty bizarre to a person using the computer and they’ll most likely know something isn’t right.
Neat experiment but completely impractical if you ask me :p
The idea is not specifically to steal a password – authentication might be done by some other means such as an iris scan or a hardware token, anyway – but to be able to export arbitrary data by using an unusual or unexpected signalling system. Like the proverbial stories of prisoners in solitary confinement communicating by tapping out messages on the pipes (and hoping no guards would notice the very structured plumbing noises).
Guard1: Hey, do you hear that? Are the pipes cooling off for the night?”
Guard2: Too rhythmic… I think it’s a song. “Folsom Prison Blues?”
Guard1: Sounds more like “Jailhouse Rock” to me.
Guard3: You philistines; that’s the Pina Colada Song. Now shut up and go back to sleep.
Arthur C. Clarke and Stanley Kubrick predicted this a version of this…remember 2001 when the astronauts went into the capsule, turn off comms and to talk about HAL’s recent mistakes but HAL read their lips…
“I’m sorry, Dave. I don’t remember that part of the movie.”
If we’re presuming that we’re safe from anyone physically watching during the exfiltration, we can probably get rather better bandwidth (and maybe also good TV) by flashing a sequence of QR codes up on the monitor (which of course didn’t get physically switched off). I have a long-unfinished project to do this, prompted at the time by a legitimate need in an overly enthusiastic corporate network lockdown where our browsers could GET fairly freely, but POST very restrictively. Been done since by Neohapsis, you can find that on Github.