Abstract
In this paper we present a method that allows attackers to covertly leak data from isolated, air-gapped computers. Our method utilizes the hard disk drive (HDD) activity LED that exists in most of today's desktop PCs, laptops, and servers. We show that malware can indirectly control the HDD LED, turning it on and off rapidly (up to 5800 blinks per second), a rate that exceeds the visual perception capabilities of humans. Sensitive information can be encoded and leaked over the LED signals, which can then be received remotely by different kinds of cameras and light sensors (demonstration video: https://www.youtube.com/watch?v=4vIu8ld68fc). Compared to other LED methods, our method is unique because it is also covert: the HDD activity LED routinely flickers frequently, so the user may not be suspicious of changes in its activity. We discuss attack scenarios and present the necessary technical background regarding the HDD LED and its hardware control. We also present various data modulation methods and describe the implementation of user-level malware that does not require a kernel component. During the evaluation, we examined the physical characteristics of different colored HDD LEDs (red, blue, and white) and tested different types of receivers: remote cameras, 'extreme' cameras, security cameras, smartphone cameras, drone cameras, and optical sensors. Finally, we discuss hardware and software countermeasures for such a threat. Our experiments show that sensitive data can successfully be leaked from air-gapped computers via the HDD LED at a maximum bit rate of 120 bit/s (bits per second) when a video camera is used as a receiver, and 4000 bit/s when a light sensor is used for reception. Notably, the maximal speed is 10 times faster than existing optical covert channels for air-gapped computers. These rates allow rapid exfiltration of encryption keys, keystroke logs, and text and binary files.
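The channel the abstract describes, end to end, as an added example that is not the paper's code: a small frame (preamble, length byte, payload, XOR checksum) is Manchester-coded into half-bit on/off slots, the transmitter drives the LED by keeping the disk busy during "on" slots, and a receiver thresholds a light-sensor trace, recovers the Manchester phase, locks onto the preamble and accepts the frame only if the checksum verifies. Manchester coding is this example's choice, made because it is self-clocking and keeps the LED lit exactly half the time regardless of the data, which blends into the LED's routine flicker; the paper's own modulation schemes are not reproduced here. `disk_burst` is the user-level Linux hook and assumes that uncached reads of a regular file light the activity LED; it is not run by the simulation, which works on a constructed, noisy sensor trace so that everything else executes offline. The frame layout, `PREAMBLE` and all function names are assumptions of this example.

```python
"""Manchester-coded covert channel over an HDD activity LED: framing, transmit hook,
constructed sensor trace and receiver. Added example, not the paper's code. Assumes the
LED lights while disk I/O is in flight and both sides agree on bit_rate (assumptions)."""
import os
import random
import time
from typing import Callable, List, Optional, Sequence

PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]  # alternating sync word; the trailing "11" marks its end

def bytes_to_bits(data: bytes) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def bits_to_bytes(bits: Sequence[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def checksum(payload: bytes) -> int:
    xor = 0
    for byte in payload:
        xor ^= byte
    return xor

def build_frame(payload: bytes) -> List[int]:
    """preamble | 8-bit length | payload | 8-bit XOR checksum (this example's own layout)."""
    if not 1 <= len(payload) <= 255:
        raise ValueError("payload must be 1..255 bytes")
    return PREAMBLE + bytes_to_bits(bytes([len(payload)]) + payload + bytes([checksum(payload)]))

def manchester_encode(bits: Sequence[int]) -> List[int]:
    """Each bit becomes two half-bit slots: 1 -> on,off and 0 -> off,on. Self-clocking,
    and the LED is on exactly half the time whatever the data."""
    return [slot for bit in bits for slot in ((1, 0) if bit else (0, 1))]

def transmit(payload: bytes, bit_rate: int, emit: Callable[[int, float], None]) -> List[int]:
    """Drive the LED slot by slot. emit(level, seconds): level 1 = keep the disk busy for
    that long, level 0 = stay idle. Returns the slot sequence so a simulation can reuse it."""
    slots = manchester_encode(build_frame(payload))
    half_bit = 1.0 / (2 * bit_rate)
    for level in slots:
        emit(level, half_bit)
    return slots

def disk_burst(seconds: float, path: str, block: int = 4096) -> None:
    """User-level Linux emit() hook for level 1 (assumption: uncached reads of `path` light
    the activity LED). The page cache is dropped before every read so the request reaches
    the drive instead of being served from RAM. Not exercised by the simulation below."""
    fd = os.open(path, os.O_RDONLY)
    try:
        blocks = max(1, os.fstat(fd).st_size // block)
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
            os.pread(fd, block, random.randrange(blocks) * block)
    finally:
        os.close(fd)

def simulate_sensor(slots: Sequence[int], bit_rate: int, sample_rate: int, lead_idle: int = 7,
                    ambient: float = 0.2, noise: float = 0.05, seed: int = 1) -> List[float]:
    """Constructed light-sensor trace: an odd-length idle lead-in (so the receiver cannot
    assume the Manchester phase), an ambient-light offset and Gaussian noise."""
    if sample_rate % (2 * bit_rate):
        raise ValueError("sample_rate must be a multiple of 2 * bit_rate")
    rng = random.Random(seed)
    per_slot = sample_rate // (2 * bit_rate)  # samples per half-bit slot
    timeline = [0] * lead_idle + list(slots) + [0] * 4
    return [ambient + 0.6 * level + rng.gauss(0, noise)
            for level in timeline for _ in range(per_slot)]

def demodulate(samples: Sequence[float], bit_rate: int, sample_rate: int) -> Optional[bytes]:
    """Threshold, sample each half-bit slot at its centre, try both Manchester phases, hunt
    for the preamble and accept a frame only when its checksum verifies."""
    per_slot = sample_rate // (2 * bit_rate)
    if per_slot < 2:
        raise ValueError("need at least 2 samples per half-bit slot, i.e. sample_rate >= 4 * bit_rate")
    threshold = (min(samples) + max(samples)) / 2
    levels = [int(s > threshold) for s in samples[per_slot // 2::per_slot]]
    for phase in (0, 1):
        bits = [{(1, 0): 1, (0, 1): 0}.get((levels[i], levels[i + 1]))
                for i in range(phase, len(levels) - 1, 2)]  # None = invalid Manchester pair
        for start in range(len(bits) - len(PREAMBLE)):
            if bits[start:start + len(PREAMBLE)] != PREAMBLE:
                continue
            body = bits[start + len(PREAMBLE):]
            if len(body) < 8 or None in body[:8]:
                continue
            length = bits_to_bytes(body[:8])[0]
            frame = body[8:8 + 8 * (length + 1)]  # payload followed by the checksum byte
            if len(frame) < 8 * (length + 1) or None in frame:
                continue
            data = bits_to_bytes(frame)
            if checksum(data[:-1]) == data[-1]:
                return data[:-1]
    return None

def roundtrip(payload: bytes = b"k3y", bit_rate: int = 100, sample_rate: int = 2000) -> Optional[bytes]:
    """End to end: frame, Manchester-encode, 'blink' into a no-op emitter, sample, decode."""
    slots = transmit(payload, bit_rate, lambda level, seconds: None)
    return demodulate(simulate_sensor(slots, bit_rate, sample_rate), bit_rate, sample_rate)
```

The receiver refuses to run with fewer than two samples per half-bit slot, i.e. it needs a sample rate of at least four times the bit rate. That constraint is the practical reason the abstract's two figures differ so much: a camera's frame rate caps the bit rate it can resolve, while a light sensor sampled in the kHz range can follow the LED at thousands of transitions per second. For a real transmitter, pass `functools.partial`-style wrappers so that level 1 calls `disk_burst(seconds, path)` and level 0 calls `time.sleep(seconds)`; the checksum is what stops the receiver from accepting a frame falsely synchronised on the LED's ordinary activity.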
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Guri, M., Zadov, B., Elovici, Y. (2017). LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED. In: Polychronakis, M., Meier, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science, vol 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_8
DOI: https://doi.org/10.1007/978-3-319-60876-1_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-60875-4
Online ISBN: 978-3-319-60876-1
eBook Packages: Computer Science, Computer Science (R0)