At first thought, it might seem impossible to pull data from a computer that is not connected to the Internet. How can a system be hacked without a direct connection? Well, as it turns out, a paper recently published by a team of cyber security researchers describes a method of leaking information from a computer insulated from the Internet. Hacking an air-gapped computer has been done before; back in 2016 a team from Ben Gurion University in Israel showed how USB devices could be turned into RF transmitters that essentially removed the air gap from insulated computers.
LED-it-GO: Leaking Data from Air-Gapped Computers via the Hard Drive LED
The abstract of the paper reads, in part:
In this paper we present a method which allows attackers to covertly leak data from isolated, air-gapped computers. Our method utilizes the hard disk drive (HDD) activity LED which exists in most of today’s desktop PCs, laptops and servers. We show that a malware can indirectly control the HDD LED, turning it on and off rapidly (up to 5800 blinks per second) – a rate that exceeds the visual perception capabilities of humans. Sensitive information can be encoded and leaked over the LED signals, which can then be received remotely by different kinds of cameras and light sensors.
Essentially, the Israeli team installs malware on an air-gapped computer. The malware reads data from the system and then 'plays it back' as a series of flashes from the hard drive LED, driving the LED indirectly through disk activity rather than through any direct control of the light. It's the high-speed equivalent of flashing an S.O.S. with a flashlight.
The flashes are recorded by a camera or a light sensor, and the recording is then run through a separate program that decodes the sequence and reconstructs the data. The 5800 blinks per second figure is the rate at which the malware can toggle the LED, far faster than the human eye can detect; how many of those blinks a receiver can actually resolve depends on its sampling rate, so the achievable bit rate varies widely with the camera or sensor used.
Although the transmission speed is relatively low, the ability to operate covertly means that hours or days could pass with the malware undetected while data is continuously leaked. At the maximum rate of 4000 bit/s, a 1000-word text document (roughly 6 KB, or about 48,000 bits) transfers in about 12 seconds; at the far lower rates an ordinary video camera can resolve, the same document takes minutes to hours.
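As an added illustration of the signalling described above (this is not the researchers' code, and the disk-I/O trick that actually toggles the LED is abstracted away), the following Python simulates one frame crossing an LED channel: the transmitter Manchester-encodes the bytes into LED on/off states, a simulated camera or light sensor samples the brightness with noise, and the receiver syncs on a preamble and decodes the bits. The preamble, brightness levels, frame layout and sample payload are all constructed for this example, and Manchester-coded on/off keying is a common choice for such channels rather than a claim about the paper; the bit and sample rates are parameters, so the example also shows why a receiver that samples too slowly cannot decode at all.

```python
"""Simulated LED optical covert channel using Manchester-coded on/off keying.
Illustrative code, not the LED-it-GO authors' implementation: the disk I/O that
toggles a real HDD LED is abstracted into a list of LED states, and the camera
or light sensor is simulated by sampling brightness at a fixed rate."""
import random

# Constructed sync pattern.  Its first bit is 0, which encodes as LED on then
# off, so every frame starts with a rising edge the receiver can lock onto.
PREAMBLE = [0, 1, 0, 1, 0, 1, 1, 0]
ON_LEVEL, OFF_LEVEL, THRESHOLD = 0.8, 0.2, 0.5   # constructed brightness levels


def bytes_to_bits(data: bytes) -> list:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def manchester_encode(bits: list) -> list:
    """Each bit becomes two half-bit LED states: 0 -> on,off and 1 -> off,on.
    The mid-bit transition carries the clock, so data bits need no absolute threshold."""
    return [h for b in bits for h in ((0, 1) if b else (1, 0))]


def build_frame(payload: bytes) -> list:
    """LED half-bit states for one frame: preamble, length byte, payload, checksum."""
    if not 0 < len(payload) <= 255:
        raise ValueError("payload must be 1..255 bytes")
    body = bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])
    return manchester_encode(PREAMBLE + bytes_to_bits(body))


def can_resolve(bit_rate: int, sample_rate: int) -> bool:
    """A receiver needs at least one sample per half-bit; this simulator also keeps
    the samples-per-half-bit count integral for simplicity."""
    return sample_rate >= 2 * bit_rate and sample_rate % (2 * bit_rate) == 0


def sample_led(halves: list, bit_rate: int, sample_rate: int,
               noise: float = 0.05, seed: int = 1) -> list:
    """Simulated sensor: noisy brightness samples, LED dark for 16 half-bits either side."""
    if not can_resolve(bit_rate, sample_rate):
        raise ValueError("sample rate too low for this bit rate")
    per_half = sample_rate // (2 * bit_rate)
    rng = random.Random(seed)
    idle = [0] * 16
    return [(ON_LEVEL if s else OFF_LEVEL) + rng.gauss(0, noise)
            for s in idle + halves + idle for _ in range(per_half)]


def find_frame_start(samples: list, per_half: int):
    """Coarse sync on the first bright half-bit window, then fine sync by
    correlating the known preamble over nearby offsets and keeping the best."""
    edge = next((i for i in range(len(samples) - per_half + 1)
                 if sum(samples[i:i + per_half]) > THRESHOLD * per_half), None)
    if edge is None:
        return None
    template = [1 if h else -1 for h in manchester_encode(PREAMBLE) for _ in range(per_half)]

    def score(i):
        return sum(t * s for t, s in zip(template, samples[i:i + len(template)]))

    return max(range(max(edge - per_half, 0), edge + per_half + 1), key=score)


def decode_frame(samples: list, bit_rate: int, sample_rate: int):
    """Recover the payload from brightness samples, or None if sync, length or
    checksum fails.  The receiver must know the transmitter's bit rate."""
    per_half = sample_rate // (2 * bit_rate)
    start = find_frame_start(samples, per_half)
    if start is None:
        return None

    def read_bits(first, count):
        bits = []
        for k in range(first, first + count):
            a = start + 2 * k * per_half
            h1, h2 = samples[a:a + per_half], samples[a + per_half:a + 2 * per_half]
            if len(h2) < per_half:
                return None                                # recording ended mid-frame
            bits.append(1 if sum(h2) > sum(h1) else 0)     # which half was brighter?
        return bits

    header = read_bits(0, len(PREAMBLE) + 8)
    if header is None or header[:len(PREAMBLE)] != PREAMBLE:
        return None
    length = bits_to_bytes(header[len(PREAMBLE):])[0]
    body_bits = read_bits(len(PREAMBLE) + 8, 8 * (length + 1))
    if body_bits is None:
        return None
    body = bits_to_bytes(body_bits)
    payload, checksum = body[:-1], body[-1]
    return payload if checksum == (sum(payload) & 0xFF) else None


def transfer_seconds(n_bytes: int, bit_rate: float) -> float:
    """Raw time to move n_bytes at bit_rate, ignoring framing overhead."""
    return n_bytes * 8 / bit_rate


if __name__ == "__main__":
    secret = b"constructed sample secret"                  # constructed payload
    samples = sample_led(build_frame(secret), bit_rate=100, sample_rate=1000)
    print(decode_frame(samples, 100, 1000))
    print(f"6 KB at 4000 bit/s: {transfer_seconds(6000, 4000):.0f} s")
```

The decoder compares the two halves of each bit instead of thresholding absolute brightness, which is why Manchester-style coding suits a receiver whose gain and ambient light are unknown, and the checksum is what lets the receiver discard a frame that a passing shadow or a dropped video frame has corrupted. `can_resolve` makes the receiver's limit explicit: in this model 4000 bit/s needs a sensor sampling at 8000 Hz or more, which is why a dedicated light sensor and a consumer video camera extract very different bit rates from the same blinking LED.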
Implications of Air-Gap Hacking
The possibility of recording leaked data without any network connection underscores the importance of physical security in the IT environment. To succeed, someone first has to get the malware onto the host, which for an air-gapped system means physical access or infected removable media. Sound physical security can stop the attack before it starts.
If physical security is compromised and a computer is infected with this type of malware, then all bets are off. Infected computers near windows could have their leaked data recorded by a simple drone hovering outside, and compromised security cameras with a view of the machine could serve as receivers as well.
The team at the Cyber Security Research Center released this video example of the attack using a drone:
Protecting Against Air-Gap Hacking
The most obvious defence against this specific attack is to cover the LED with opaque tape so that no camera can see it, but that closes only this one channel; air-gapped systems should be protected with adequate physical security first and foremost. Because the malware drives the LED through disk activity, sustained and unexplained bursts of disk I/O on an isolated host are also a detection opportunity worth monitoring. When I worked at the DoD, air-gapped systems had to be located in windowless rooms behind locked doors. In many cases, white noise generators were required at the entrances to muffle any sounds coming from within a classified area.
For highly secure environments, restrictions on USB devices and other removable media are paramount. Again, when I worked at the DoD, USB flash drives were strictly prohibited and could be confiscated at any time. Even unclassified systems had USB functionality completely disabled to prevent malware infections and hacking.
Extending the Attack to Other Hardware
What the Israeli team has really exposed is that any device with an LED indicator could be abused to leak the data it has access to. Imagine network switches leaking data via the port link lights, or Smart TVs leaking data through the power LED. How about the infrared LEDs on IP cameras, whose output is completely invisible to the human eye?
The world is changing. Cyber security practices will need to change as well.