Hackers can steal your information from a PC’s blinking LED
Researchers at the Ben-Gurion University of the Negev, Israel have found a way to hack into isolated “air-gapped” computer’s hard disk drives (HDDs) by aiming drones at the blinking LEDs found on most of the desktops, laptops and servers. On February 22, 2016, the team released a YouTube video showing the ‘hack’ in action.
“Air-gapped” computers are isolated – separated both logically and physically from public networks – ostensibly so that they cannot be hacked over the Internet or within company networks.
The LED indicators of the isolated computers are taken control of, which are then forced to blink up to 6,000 times a second to send a signal containing data to a camera mounted on a drone near the targeted computer.
“Sensitive information can be encoded and leaked over the LED signals, which can then be received remotely by different kinds of cameras and light sensors,” the team, led by Dr Mordechai Guri, head of R&D at the Cyber Security Research Centre, said in its paper.
“We show how the malware can indirectly control the status of the LED, turning it on and off for a specified amount of time, by invoking hard drive’s ‘read’ and ‘write’ operations,” the paper continued.
“Our method is unique in two respects: it is covert and fast.”
The LED control method, which makes it possible to steal data from isolated computers while raising minimum suspicion, was devised by researchers of the Negev (BGU) Cyber Security Research Center at Ben-Gurion University.
“The LED is always blinking as it’s doing searching and indexing, so no one suspects, even in the night. It’s very covert, actually,” Guri said.
In a demonstration video, a drone with a camera is flown up multiple storeys outside of an office building until it locates the blinking HDD LED. Once it is in the line of sight of the LED, it records the blinks and steals the data.
According to the researchers, the data can be transferred at rate as fast as 4,000 bits per second with a specialized Siemens photodiode sensor on the drone. Later, the blinking can be recorded by a camera and deciphered.
The LED can be forced to blink at up to 6,000 blinks per second, which is a rate that isn’t able to be perceived by the human eye, but potentially readable for light sensors.
The paper explained what a theoretical attack would look like once infection had taken place. The team wrote: “The malware gathers sensitive information from the user’s computer, e.g., keystrokes, password, encryption keys, and documents.
“Eventually it starts transmitting the binary data through the blinking HDD LED using a selected encoding scheme. A hidden video camera films the activity in the room, including the LED signals. The attacker can then decode the signals and reconstruct the modulated data.”
It added: “We examined the physical characteristics of HDD LEDs […] and tested remote cameras, extreme cameras, security cameras, smartphone cameras, drone cameras, and optical sensors. Our results show that it is feasible to use this optical channel to efficiently leak [data].”
“It’s possible for the attacker to do such fast blinking that a human never sees it,” Guri noted.
The researchers found they could read the signal from 20 meters away from outside a building. That range could be even longer with an optical zoom lens.
“The fact that headphones, earphones and speakers are physically built like microphones and that an audio port’s role in the PC can be reprogrammed from output to input creates a vulnerability that can be abused by hackers,” says Prof. Yuval Elovici, director of the BGU Cyber Security Research Center (CSRC) and member of BGU’s Department of Information Systems Engineering.
Of course, the technique depends on the computer being infected prior to the transmission, which can be accomplished using a USB stick or SD card.
While this type of attack is novel and hard to detect, it has one obvious drawback: the computer’s LEDs can simply be covered with black tape. Also, you can restrict staff access to such air gapped computers or ban all forms of video cameras near the computer.