nach oben

Erschienen in:

2017 | OriginalPaper | Buchkapitel

LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED

verfasst von : Mordechai Guri, Boris Zadov, Yuval Elovici

Erschienen in: Detection of Intrusions and Malware, and Vulnerability Assessment

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

In this paper we present a method that allows attackers to covertly leak data from isolated, air-gapped computers. Our method utilizes the hard disk drive (HDD) activity LED which exists in most of today’s desktop PCs, laptops, and servers. We show that a malware can indirectly control the HDD LED, turning it on and off rapidly (up to 5800 blinks per second) – a rate that exceeds the visual perception capabilities of humans. Sensitive information can be encoded and leaked over the LED signals, which can then be received remotely by different kinds of cameras and light sensors (Demonstration video: https://www.youtube.com/watch?v=4vIu8ld68fc). Compared to other LED methods, our method is unique, because it is also covert; the HDD activity LED routinely flickers frequently, and therefore the user may not be suspicious of changes in its activity. We discuss attack scenarios and present the necessary technical background regarding the HDD LED and its hardware control. We also present various data modulation methods and describe the implementation of a user-level malware that doesn’t require a kernel component. During the evaluation, we examined the physical characteristics of different colored HDD LEDs (red, blue, and white) and tested different types of receivers: remote cameras, ‘extreme’ cameras, security cameras, smartphone cameras, drone cameras, and optical sensors. Finally, we discuss hardware and software countermeasures for such a threat. Our experiment shows that sensitive data can successfully be leaked from air-gapped computers via the HDD LED at a maximum bit rate of 120 bit/s (bits per second) when a video camera is used as a receiver, and 4000 bit/s when a light sensor is used for the reception. Notably, the maximal speed is 10 times faster than the existing optical covert channels for air-gapped computers. These rates allow rapid exfiltration of encryption keys, keystroke logging, and text and binary files.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Last Line of Defense: A Novel IDS Approach Against Advanced Threats in Industrial Control Systems

Nächstes Kapitel A Stealth, Selective, Link-Layer Denial-of-Service Attack Against Automotive Networks

Federation of American Scientists. http://fas.org/irp/program/disseminate/jwics.htm

MCAFEE. Defending Critical Infrastructure Without Air Gaps and Stopgap Security, 14 August 2015. https://blogs.mcafee.com/executive-perspectives/defending-critical-infrastructure-without-air-gaps-stopgap-security/

Karnouskos, S.: Stuxnet worm impact on industrial cyber-physical system security. In: IECON 2011-37th Annual Conference on IEEE Industrial Electronics Society (2011)

SECURELIST, Agent.btz: a Source of Inspiration? 12 March 2014. https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/

Knowlton, B.: Military Computer Attack Confirmed, 25 August 2010. http://www.nytimes.com/2010/08/26/technology/26cyber.html?_r=2&adxnnl=1&ref=technology&adxnnlx=1423562532-hJL+Kot1FP3OEURLF9hjDw

Goodin, D., Group, K.E.: How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last. ars technica (2015)

ICS-CERT. Malware infections in the conrol environment (2012)

Stasiukonis, S.: Social-Engineering-the-USB-Way (2006). http://www.darkreading.com/attacks-breaches/social-engineering-the-usb-way/d/d-id/1128081?

Mordechai, G., Kedma, G., Kachlon, A., Elovici, Y.: AirHopper: bridging the air-gap between isolated networks and mobile phones using radio frequencies. In: 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE), IEEE, 2014, pp. 58–67

10.

Kuhn, M.G., Anderson, R.J.: Soft tempest: hidden data transmission using electromagnetic emanations. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, pp. 124–142. Springer, Heidelberg (1998). doi:10.1007/3-540-49380-8_10 CrossRef

11.

Kuhn, M.G.: Compromising Emanations: Eavesdropping Risks of Computer Displays. University of Cambridge, Computer Laboratory (2003)

12.

Vuagnoux, M., Pasini, S.: Compromising electromagnetic emanations of wired and wireless keyboards. In: USENIX Security Symposium (2009)

13.

Guri, M., Kachlon, A., Hasson, O., Kedma, G., Mirsky, Y., Elovici, Y.: GSMem: data exfiltration from air-gapped computers over GSM frequencies. In: 24th USENIX Security Symposium (USENIX Security 15), Washington, D.C. (2015)

14.

Hanspach, M., Goetz, M.: On covert acoustical mesh networks in air. J. Commun. 8, 758–7647 (2013)

15.

Halevi, T., Saxena, N.: A closer look at keyboard acoustic emanations: random passwords, typing styles and decoding techniques. In: ACM Symposium on Information, Computer and Communications Security (2012)

16.

Guri, M., Monitz, M., Mirski, Y., Elovici, Y.: BitWhisper: covert signaling channel between air-gapped computers using thermal manipulations. In: 2015 IEEE 28th Computer Security Foundations Symposium (CSF) (2015)

17.

Flicker fusion threshold. https://en.wikipedia.org/wiki/Flicker_fusion_threshold

18.

Guri, M., Monitz, M., Elovici, Y.: USBee: air-gap covert-channel via electromagnetic emission from USB (2016). arXiv:1608.08397 [cs.CR]

19.

Funtenna. https://github.com/funtenna

20.

Matyunin, N., Szefer, J., Biedermann, S., Katzenbeisser, S.: Covert channels using mobile device’s magnetic field sensors. In: 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC) (2016)

21.

Kasmi, C., Esteves, J.L., Valembois, P.: Air-gap limitations and bypass techniques: command and control using smart electromagnetic interferences. In: Botconf (2015)

22.

Hanspach, M., Goetz, M.: On covert acoustical mesh networks in air (2014). arXiv preprint arXiv:1406.1213

23.

Lee, E., Kim, H., Yoon, J.W.: Attack, various threat models to circumvent air-gapped systems for preventing network. Inf. Secur. Appl. 9503, 187–199 (2015)

24.

O’Malley, S.J., Choo, K.-K.R.: Bridging the air gap: inaudible data exfiltration by insiders. In: Americas Conference on Information Systems (2014)

25.

Guri, M., Solewicz, Y., Daidakulov, A., Elovici, Y.: Fansmitter: acoustic data exfiltration from (speakerless) air-gapped computers (2016). arXiv:1606.05915

26.

Guri, M., Solewicz, Y., Daidakulov, A., Elovici, Y.: DiskFiltration: data exfiltration from speakerless air-gapped computers via covert hard drive noise (2016). arXiv:1608.03431

27.

Guri, M., Kedma, G., Kachlon, A., Elovici, Y.: AirHopper: bridging the air-gap between isolated networks and mobile phones using radio frequencies. In: 9th IEEE International Conference on Malicious and Unwanted Software (MALCON 2014), Puero Rico, Fajardo (2014)

28.

Loughry, J., Umphress, A.D.: Information leakage from optical emanations. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(3), 262–289 (2002)CrossRef

29.

Sepetnitsky, V., Guri, M., Elovici, Y.: Exfiltration of information from air-gapped machines using monitor’s LED indicator. In: Joint Intelligence & Security Informatics Conference (JISIC-2014) (2014)

30.

S.G.SC Magazine UK. Light-based printer attack overcomes air-gapped computer security. 17 October 2014. http://www.scmagazineuk.com/light-based-printer-attack-overcomes-air-gapped-computer-security/article/377837/

31.

Lopes, A.C., Aranha, D.F.: Platform-agnostic low-intrusion optical data exfiltration. In: 3rd International Conference on Information Systems Security and Privacy (ICISSP 2017), Porto (2016)

32.

Griffith, S.: How to make a computer screen INVISIBLE, dailymail, October 2013. http://www.dailymail.co.uk/sciencetech/article-2480089/How-make-screen-INVISIBLE-Scientist-shows-make-monitor-blank-using-3D-glasses.html. Accessed May 2016

33.

Guri, M., Hasson, O., Kedma, G., Elovici, Y.: VisiSploit: an optical covert-channel (2016). arXiv:1607.03946 [cs.CR]

34.

Deshotels, L.: Inaudible sound as a covert channel in mobile devices. In: USENIX Workshop for Offensive Technologies (2014)

35.

Gostev, A.: Agent.btz: a Source of Inspiration? SecureList, 12 March 2014. http://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/

36.

GReAT team. A Fanny Equation: I am your father, Stuxnet, Kaspersky Labs’ Global Research & Analysis Team, 17 February 2015 https://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/

37.

Goodin, D.: Meet badBIOS, the mysterious Mac and PC malware that jumps airgaps. ars technica, 31 October 2013. http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

38.

Khimji, I.: TripWire. The Malicious Insider, March 2015. http://www.tripwire.com/state-of-security/security-awareness/the-malicious-insider/. Accessed 09 May 2016

39.

TechTarget, Evil maid attack. http://searchsecurity.techtarget.com/definition/evil-maid-attack

40.

Costin, A.: Security of CCTV and video surveillance systems: threats, vulnerabilities, attacks, and mitigations. In: TrustED ‘16 Proceedings of the 6th International Workshop on Trustworthy Embedded Devices, New York (2016)

41.

9 Investigates hacked surveillance cameras across Central Florida, 3 Nov 2016 http://www.wftv.com/news/9-investigates/9-investigates-hacked-surveillance-cameras-across-central-florida/463226966. Accessed 12 Apr 2017

42.

Brant, T.: Samsung security cameras hacked again. pcmag, 18 January 2017. http://www.pcmag.com/news/351120/samsung-security-cameras-hacked-again. Accessed 12 Apr 2017

43.

thehackernews. Two arrested for hacking washington CCTV cameras before trump inauguration. 02 February 2017. http://thehackernews.com/2017/02/cctv-camera-hacking.html

44.

Schmid, S., Corbellini, G., Mangold, S., Gross, T.R.: An LED-to-LED visible light communication system with software-based synchronization. http://www.bu.edu/smartlighting/files/2012/10/Schmid_.pdf

45.

Giustiniano, D., Tippenhauer, N.O., Mangold, S.: Low-complexity visible light networking with LED-to-LED communication. In: 2012 IFIP Wireless Days (WD) (2012)

46.

phys.org. Siemens Sets New Record for Wireless Data Transfer using White LEDs. 21 January 2010. https://phys.org/news/2010-01-siemens-wireless-white.html. Accessed 30 Jan 2017

47.

http://man7.org/linux/man-pages/man3/fseek.3.html

48.

http://man7.org/linux/man-pages/man3/fopen.3p.html

49.

(Unix), dd. https://en.wikipedia.org/wiki/Dd_(Unix). Accessed 01 July 2016

50.

sourceforge.net, 17 June 2015. https://sourceforge.net/projects/hdparm/. Accessed 01 July 2016

51.

Linux Programmer’s Manual. http://man7.org/linux/man-pages/man2/open.2.html

52.

CreateFile function. MICROSOFT. https://msdn.microsoft.com/en-us/library/aa363858(VS.85).aspx

53.

https://en.wikipedia.org/wiki/Visible_light_communication

54.

http://www.analog.com/media/en/technical-documentation/data-sheets/AD549.pdf

55.

NI-9223, C Series Voltage Input Module. http://sine.ni.com/nips/cds/view/p/lang/en/nid/209139

56.

https://www.thorlabs.com/thorproduct.cfm?partnumber=PDA100A

57.

http://www.seagate.com, http://www.seagate.com. SEGATE. http://www.seagate.com/em/en/tech-insights/advanced-format-4k-sector-hard-drives-master-ti/

58.

Rubini, A., Corbet, J., Kroah-Hartman, J.: Interrupt handling. In: Linux Device Drivers. O’Reilly (2005)

59.

Russinovich, M.E., Ionescu, A., Solomo, D.A.: Understanding the windows I/O system. MICROSOFT, 09 September 2012. https://www.microsoftpressstore.com/articles/article.aspx?p=2201309&seqNum=3

60.

McNamara, J.: The complete, unofficial tempest information page (1999). http://www.jammed.com/~jwa/tempest.html

61.

USAF. AFSSI 7700: Communications and information emission security. Secretary of the Air Force (2007)

62.

Anderson, R.J.: Emission security. In: Security Engineering, 2nd edn. Wiley Publishing, Inc., pp. 523–546 (2008)

63.

ZDNET. Surveillance cameras sold on Amazon infected with malware. April 2016. http://www.zdnet.com/article/amazon-surveillance-cameras-infected-with-malware/

64.

https://www.signalsdefense.com/products

Titel: LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED
verfasst von: Mordechai Guri
Boris Zadov
Yuval Elovici
Verlag: Springer International Publishing
Buch: Detection of Intrusions and Malware, and Vulnerability Assessment
Print ISBN: 978-3-319-60875-4

Electronic ISBN: 978-3-319-60876-1

Copyright-Jahr: 2017
DOI: https://doi.org/10.1007/978-3-319-60876-1_8

Premium Partner

Bildnachweise

Rittal/© Rittal, NTT Data/© NTT Data, Wildix/© Wildix, Ceyoniq Technology GmbH/© Ceyoniq Technology GmbH, arvato Systems GmbH/© arvato Systems GmbH, Ninox Software GmbH/© Ninox Software GmbH, Everyday Software S.L./© Everyday Software S.L., Redgate/© Redgate, CELONIS Labs GmbH, DC-Datacenter-Group GmbH/© DC-Datacenter-Group GmbH, all for one/© all for one, G Data CyberDefense/© G Data CyberDefense, FAST LTA/© FAST LTA, Vendosoft/© Vendosoft, Kumavision/© Kumavision, Noriis Network AG/© Noriis Network AG, WSW Software GmbH/© WSW Software GmbH, tts GmbH/© tts GmbH

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"