Skip to main content

2017 | OriginalPaper | Buchkapitel

LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED

verfasst von : Mordechai Guri, Boris Zadov, Yuval Elovici

Erschienen in: Detection of Intrusions and Malware, and Vulnerability Assessment

Verlag: Springer International Publishing

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config
loading …

Abstract

In this paper we present a method that allows attackers to covertly leak data from isolated, air-gapped computers. Our method utilizes the hard disk drive (HDD) activity LED which exists in most of today’s desktop PCs, laptops, and servers. We show that a malware can indirectly control the HDD LED, turning it on and off rapidly (up to 5800 blinks per second) – a rate that exceeds the visual perception capabilities of humans. Sensitive information can be encoded and leaked over the LED signals, which can then be received remotely by different kinds of cameras and light sensors (Demonstration video: https://​www.​youtube.​com/​watch?​v=​4vIu8ld68fc). Compared to other LED methods, our method is unique, because it is also covert; the HDD activity LED routinely flickers frequently, and therefore the user may not be suspicious of changes in its activity. We discuss attack scenarios and present the necessary technical background regarding the HDD LED and its hardware control. We also present various data modulation methods and describe the implementation of a user-level malware that doesn’t require a kernel component. During the evaluation, we examined the physical characteristics of different colored HDD LEDs (red, blue, and white) and tested different types of receivers: remote cameras, ‘extreme’ cameras, security cameras, smartphone cameras, drone cameras, and optical sensors. Finally, we discuss hardware and software countermeasures for such a threat. Our experiment shows that sensitive data can successfully be leaked from air-gapped computers via the HDD LED at a maximum bit rate of 120 bit/s (bits per second) when a video camera is used as a receiver, and 4000 bit/s when a light sensor is used for the reception. Notably, the maximal speed is 10 times faster than the existing optical covert channels for air-gapped computers. These rates allow rapid exfiltration of encryption keys, keystroke logging, and text and binary files.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

Literatur
3.
Zurück zum Zitat Karnouskos, S.: Stuxnet worm impact on industrial cyber-physical system security. In: IECON 2011-37th Annual Conference on IEEE Industrial Electronics Society (2011) Karnouskos, S.: Stuxnet worm impact on industrial cyber-physical system security. In: IECON 2011-37th Annual Conference on IEEE Industrial Electronics Society (2011)
6.
Zurück zum Zitat Goodin, D., Group, K.E.: How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last. ars technica (2015) Goodin, D., Group, K.E.: How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last. ars technica (2015)
7.
Zurück zum Zitat ICS-CERT. Malware infections in the conrol environment (2012) ICS-CERT. Malware infections in the conrol environment (2012)
9.
Zurück zum Zitat Mordechai, G., Kedma, G., Kachlon, A., Elovici, Y.: AirHopper: bridging the air-gap between isolated networks and mobile phones using radio frequencies. In: 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE), IEEE, 2014, pp. 58–67 Mordechai, G., Kedma, G., Kachlon, A., Elovici, Y.: AirHopper: bridging the air-gap between isolated networks and mobile phones using radio frequencies. In: 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE), IEEE, 2014, pp. 58–67
10.
Zurück zum Zitat Kuhn, M.G., Anderson, R.J.: Soft tempest: hidden data transmission using electromagnetic emanations. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, pp. 124–142. Springer, Heidelberg (1998). doi:10.1007/3-540-49380-8_10 CrossRef Kuhn, M.G., Anderson, R.J.: Soft tempest: hidden data transmission using electromagnetic emanations. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, pp. 124–142. Springer, Heidelberg (1998). doi:10.​1007/​3-540-49380-8_​10 CrossRef
11.
Zurück zum Zitat Kuhn, M.G.: Compromising Emanations: Eavesdropping Risks of Computer Displays. University of Cambridge, Computer Laboratory (2003) Kuhn, M.G.: Compromising Emanations: Eavesdropping Risks of Computer Displays. University of Cambridge, Computer Laboratory (2003)
12.
Zurück zum Zitat Vuagnoux, M., Pasini, S.: Compromising electromagnetic emanations of wired and wireless keyboards. In: USENIX Security Symposium (2009) Vuagnoux, M., Pasini, S.: Compromising electromagnetic emanations of wired and wireless keyboards. In: USENIX Security Symposium (2009)
13.
Zurück zum Zitat Guri, M., Kachlon, A., Hasson, O., Kedma, G., Mirsky, Y., Elovici, Y.: GSMem: data exfiltration from air-gapped computers over GSM frequencies. In: 24th USENIX Security Symposium (USENIX Security 15), Washington, D.C. (2015) Guri, M., Kachlon, A., Hasson, O., Kedma, G., Mirsky, Y., Elovici, Y.: GSMem: data exfiltration from air-gapped computers over GSM frequencies. In: 24th USENIX Security Symposium (USENIX Security 15), Washington, D.C. (2015)
14.
Zurück zum Zitat Hanspach, M., Goetz, M.: On covert acoustical mesh networks in air. J. Commun. 8, 758–7647 (2013) Hanspach, M., Goetz, M.: On covert acoustical mesh networks in air. J. Commun. 8, 758–7647 (2013)
15.
Zurück zum Zitat Halevi, T., Saxena, N.: A closer look at keyboard acoustic emanations: random passwords, typing styles and decoding techniques. In: ACM Symposium on Information, Computer and Communications Security (2012) Halevi, T., Saxena, N.: A closer look at keyboard acoustic emanations: random passwords, typing styles and decoding techniques. In: ACM Symposium on Information, Computer and Communications Security (2012)
16.
Zurück zum Zitat Guri, M., Monitz, M., Mirski, Y., Elovici, Y.: BitWhisper: covert signaling channel between air-gapped computers using thermal manipulations. In: 2015 IEEE 28th Computer Security Foundations Symposium (CSF) (2015) Guri, M., Monitz, M., Mirski, Y., Elovici, Y.: BitWhisper: covert signaling channel between air-gapped computers using thermal manipulations. In: 2015 IEEE 28th Computer Security Foundations Symposium (CSF) (2015)
18.
Zurück zum Zitat Guri, M., Monitz, M., Elovici, Y.: USBee: air-gap covert-channel via electromagnetic emission from USB (2016). arXiv:1608.08397 [cs.CR] Guri, M., Monitz, M., Elovici, Y.: USBee: air-gap covert-channel via electromagnetic emission from USB (2016). arXiv:​1608.​08397 [cs.CR]
20.
Zurück zum Zitat Matyunin, N., Szefer, J., Biedermann, S., Katzenbeisser, S.: Covert channels using mobile device’s magnetic field sensors. In: 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC) (2016) Matyunin, N., Szefer, J., Biedermann, S., Katzenbeisser, S.: Covert channels using mobile device’s magnetic field sensors. In: 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC) (2016)
21.
Zurück zum Zitat Kasmi, C., Esteves, J.L., Valembois, P.: Air-gap limitations and bypass techniques: command and control using smart electromagnetic interferences. In: Botconf (2015) Kasmi, C., Esteves, J.L., Valembois, P.: Air-gap limitations and bypass techniques: command and control using smart electromagnetic interferences. In: Botconf (2015)
23.
Zurück zum Zitat Lee, E., Kim, H., Yoon, J.W.: Attack, various threat models to circumvent air-gapped systems for preventing network. Inf. Secur. Appl. 9503, 187–199 (2015) Lee, E., Kim, H., Yoon, J.W.: Attack, various threat models to circumvent air-gapped systems for preventing network. Inf. Secur. Appl. 9503, 187–199 (2015)
24.
Zurück zum Zitat O’Malley, S.J., Choo, K.-K.R.: Bridging the air gap: inaudible data exfiltration by insiders. In: Americas Conference on Information Systems (2014) O’Malley, S.J., Choo, K.-K.R.: Bridging the air gap: inaudible data exfiltration by insiders. In: Americas Conference on Information Systems (2014)
25.
Zurück zum Zitat Guri, M., Solewicz, Y., Daidakulov, A., Elovici, Y.: Fansmitter: acoustic data exfiltration from (speakerless) air-gapped computers (2016). arXiv:1606.05915 Guri, M., Solewicz, Y., Daidakulov, A., Elovici, Y.: Fansmitter: acoustic data exfiltration from (speakerless) air-gapped computers (2016). arXiv:​1606.​05915
26.
Zurück zum Zitat Guri, M., Solewicz, Y., Daidakulov, A., Elovici, Y.: DiskFiltration: data exfiltration from speakerless air-gapped computers via covert hard drive noise (2016). arXiv:1608.03431 Guri, M., Solewicz, Y., Daidakulov, A., Elovici, Y.: DiskFiltration: data exfiltration from speakerless air-gapped computers via covert hard drive noise (2016). arXiv:​1608.​03431
27.
Zurück zum Zitat Guri, M., Kedma, G., Kachlon, A., Elovici, Y.: AirHopper: bridging the air-gap between isolated networks and mobile phones using radio frequencies. In: 9th IEEE International Conference on Malicious and Unwanted Software (MALCON 2014), Puero Rico, Fajardo (2014) Guri, M., Kedma, G., Kachlon, A., Elovici, Y.: AirHopper: bridging the air-gap between isolated networks and mobile phones using radio frequencies. In: 9th IEEE International Conference on Malicious and Unwanted Software (MALCON 2014), Puero Rico, Fajardo (2014)
28.
Zurück zum Zitat Loughry, J., Umphress, A.D.: Information leakage from optical emanations. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(3), 262–289 (2002)CrossRef Loughry, J., Umphress, A.D.: Information leakage from optical emanations. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(3), 262–289 (2002)CrossRef
29.
Zurück zum Zitat Sepetnitsky, V., Guri, M., Elovici, Y.: Exfiltration of information from air-gapped machines using monitor’s LED indicator. In: Joint Intelligence & Security Informatics Conference (JISIC-2014) (2014) Sepetnitsky, V., Guri, M., Elovici, Y.: Exfiltration of information from air-gapped machines using monitor’s LED indicator. In: Joint Intelligence & Security Informatics Conference (JISIC-2014) (2014)
31.
Zurück zum Zitat Lopes, A.C., Aranha, D.F.: Platform-agnostic low-intrusion optical data exfiltration. In: 3rd International Conference on Information Systems Security and Privacy (ICISSP 2017), Porto (2016) Lopes, A.C., Aranha, D.F.: Platform-agnostic low-intrusion optical data exfiltration. In: 3rd International Conference on Information Systems Security and Privacy (ICISSP 2017), Porto (2016)
34.
Zurück zum Zitat Deshotels, L.: Inaudible sound as a covert channel in mobile devices. In: USENIX Workshop for Offensive Technologies (2014) Deshotels, L.: Inaudible sound as a covert channel in mobile devices. In: USENIX Workshop for Offensive Technologies (2014)
40.
Zurück zum Zitat Costin, A.: Security of CCTV and video surveillance systems: threats, vulnerabilities, attacks, and mitigations. In: TrustED ‘16 Proceedings of the 6th International Workshop on Trustworthy Embedded Devices, New York (2016) Costin, A.: Security of CCTV and video surveillance systems: threats, vulnerabilities, attacks, and mitigations. In: TrustED ‘16 Proceedings of the 6th International Workshop on Trustworthy Embedded Devices, New York (2016)
45.
Zurück zum Zitat Giustiniano, D., Tippenhauer, N.O., Mangold, S.: Low-complexity visible light networking with LED-to-LED communication. In: 2012 IFIP Wireless Days (WD) (2012) Giustiniano, D., Tippenhauer, N.O., Mangold, S.: Low-complexity visible light networking with LED-to-LED communication. In: 2012 IFIP Wireless Days (WD) (2012)
58.
Zurück zum Zitat Rubini, A., Corbet, J., Kroah-Hartman, J.: Interrupt handling. In: Linux Device Drivers. O’Reilly (2005) Rubini, A., Corbet, J., Kroah-Hartman, J.: Interrupt handling. In: Linux Device Drivers. O’Reilly (2005)
61.
Zurück zum Zitat USAF. AFSSI 7700: Communications and information emission security. Secretary of the Air Force (2007) USAF. AFSSI 7700: Communications and information emission security. Secretary of the Air Force (2007)
62.
Zurück zum Zitat Anderson, R.J.: Emission security. In: Security Engineering, 2nd edn. Wiley Publishing, Inc., pp. 523–546 (2008) Anderson, R.J.: Emission security. In: Security Engineering, 2nd edn. Wiley Publishing, Inc., pp. 523–546 (2008)
Metadaten
Titel
LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED
verfasst von
Mordechai Guri
Boris Zadov
Yuval Elovici
Copyright-Jahr
2017
DOI
https://doi.org/10.1007/978-3-319-60876-1_8