Academics Steal Data From Air-Gapped Systems Via a Keyboard's LEDs (zdnet.com) 112
The Caps Lock, Num Lock, and Scroll Lock LEDs on a keyboard can be used to exfiltrate data from a secure air-gapped system, academics from an Israeli university have proved. From a report: The attack, which they named CTRL-ALT-LED, is nothing that regular users should worry about but is a danger for highly secure environments such as government networks that store top-secret documents or enterprise networks dedicated to storing non-public proprietary information. The attack requires some pre-requisites, such as the malicious actor finding a way to infect an air-gapped system with malware beforehand. CTRL-ALT-LED is only an exfiltration method. But once these prerequisites are met, the malware running on a system can make the LEDs of an USB-connected keyboard blink at rapid speeds, using a custom transmission protocol and modulation scheme to encode the transmitted data. A nearby attacker can record these tiny light flickers, which they can decode at a later point, using the same modulation scheme used to encode it.
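A defender's view of the "blink at rapid speeds" behaviour in the summary, as an added example that is not from the article or the researchers: a detector that flags lock-LED toggle rates no person typing would produce. The event source (a host agent that logs lock-LED state changes), the threshold and the sample events are assumptions constructed for illustration.

```python
from collections import deque

# Assumed threshold: a person rarely toggles a lock key more than a few
# times per second; a modulated LED channel toggles far more often.
MAX_TOGGLES_PER_WINDOW = 6
WINDOW_SECONDS = 1.0

def find_led_bursts(events, max_toggles=MAX_TOGGLES_PER_WINDOW,
                    window=WINDOW_SECONDS):
    """Return [(led, start_ts, end_ts, toggle_count)] for each burst.

    events: (timestamp_seconds, led_name, state) tuples sorted by time.
    The first report per LED is a baseline; repeated writes of the same
    state are not toggles.
    """
    last_state, recent, open_burst, bursts = {}, {}, {}, []
    for ts, led, state in events:
        if led not in last_state or last_state[led] == state:
            last_state[led] = state
            continue
        last_state[led] = state
        q = recent.setdefault(led, deque())
        q.append(ts)
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) > max_toggles:
            if led not in open_burst:        # burst starts at oldest toggle
                open_burst[led] = [q[0], ts, len(q)]
            else:
                open_burst[led][1] = ts
                open_burst[led][2] += 1
        elif led in open_burst:              # rate dropped: close the burst
            bursts.append((led, *open_burst.pop(led)))
    for led, b in open_burst.items():        # bursts still open at end of log
        bursts.append((led, *b))
    return bursts

def constructed_events():
    """Constructed sample: human Caps Lock use plus a 10 ms Num Lock burst."""
    ev = [(0.0, "caps", 0), (0.0, "num", 0),
          (5.0, "caps", 1), (5.4, "caps", 0), (42.3, "caps", 1)]
    ev += [(100.0 + i * 0.01, "num", (i + 1) % 2) for i in range(64)]
    ev.append((130.0, "num", 1))             # one ordinary toggle afterwards
    return ev

if __name__ == "__main__":
    for burst in find_led_bursts(constructed_events()):
        print("suspicious LED activity:", burst)
```

The same sliding-window check applies to any LED the host can drive, since the alert is based on toggle rate and not on what the blinks encode.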
Well no shit (Score:5, Insightful)
Whaaaat, you mean if somebody gets malware on a computer they have access to the computer?
Re: (Score:1)
Yep, and we can modulate the fan speed, CPU temperature, make clicks on the speaker, etc. to send information via non-network means. As for the LEDs on keyboards, this assumes one has a keyboard attached. (Many servers do not have individual keyboards, they are accessed either by large KVMs or administrated via a console port or network connection.)
Not something to get too worked up about. Much better to focus on hardening the OS, locking down USB ports so malware is more difficult to inject, having an e
Re:Well no shit (Score:5, Interesting)
Wouldn't having the system controlled via a network connection kind of defeat the purpose of an air-gapped computer? 8^)
Yes I realize the network can be an isolated standalone network but the computer itself is no longer air-gapped.
Even if a keyboard is connected there are several keyboards without LEDs. If the keyboard does have LEDs and they are blinking sporadically I think I would be inclined to replace that keyboard (not typical for those LEDs to blink incessantly).
Re: (Score:3)
dude, they blink so fast, to the human eye it looks flat static, or half dim. But to a camera sensor that can do 120fps, it can see a modulated bit stream of at least half that, 60bps.
Re: (Score:2)
"Even if a keyboard is connected there are several keyboards without LEDs."
If I'm near enough to see the keyboard, I'll just use it and read from the screen.
Oh, I see, they mean a secure server in a building made of glass.
Re: (Score:3, Insightful)
Not only that but the attackers must have a camera or other recording device in line of sight of the infected machine to bridge the air gap so they could just record images or documents displayed on the monitor.
Re:Well no shit (Score:5, Funny)
If a bad actor manages to get that level of access, there are probably easier ways to do this.
"Hey, does anyone know where this cat 5e cable that's running from the centrifuge controller into the air duct came from?"
Re: (Score:2)
"Hey, does anyone know where this cat 5e cable that's running from the centrifuge controller into the air duct came from?"
Sorry, my bad. The Internet was running hot and I figured running it through the air duct would cool it down. Just let me remove this little dongle at the end and I'll get the cable out of your way.
Re: (Score:2)
Wait a minute... I thought the Internet was wireless?
Re: (Score:2)
Of course it is. It's a series of tubes.
fast blinking looks flat to the human eye (Score:4, Insightful)
Get a clue people
Flash an LED fast enough and it looks static to the human eye.
Hell, you could do this to the HARD DISK LED, and you wouldn't care would you or do it to the MOUSE laser.
Faster than 30fps LED looks static to human eyes.
Air gaps easy to bridge (Score:2)
Re:Air gaps easy to bridge (Score:5, Insightful)
It is also not worth noting the new discovery that keyboard LEDs can be used to leak data, since that was a thing decades ago. As were a lot of other observable phenomena, including, IIRC, fan speeds or floppy disk access sounds. As was tempest from CRT displays or the CPU. Yes, people actually played music by running code with specific timing constants, which could be picked up on an AM radio. And one fascinating exhibit at a college computer fair was the use of a massive Calcomp flatbed plotter playing classical music in multi-part harmony. (If you can transmit tones, you can send data encoded as those tones, obviously.)
Re: (Score:2)
This was invented decades ago anyway. Back in the 80s we used keyboard LEDs for debugging. When the kernel crashed you could see the error code tapped out in Morse code on the numlock LED.
*A* USB (Score:1)
Re: (Score:3)
Correct. You should have used "an unicycle" as your example, though.
Re: (Score:2)
or "University", for that matter :)
Re: (Score:3)
An hero.
Re: (Score:3)
It's a meme. Years ago, some teenager committed suicide after his iPod was stolen (probably more to it than that), and one of his friends wrote a tribute to him on MySpace IIRC that said "he was truly an hero". The interwebz made "an hero" mean "commit suicide".
Neal Stephenson described this in 1999 (Score:2, Insightful)
in his novel Cryptonomicon, and i'm pretty certain someone must have had the idea waaaay before that.
No, he didn't. (Score:2)
He described a mechanism of reading the contents of a screen from a distance by scanning the electromagnetic radiation it creates.
In the book, the character creates a tool to display random content over the screen to foil the eavesdroppers.
Unfortunately, the system he refers to - sometimes known as TEMPEST - only works on CRTs, not on the LCD screen of the laptop as he depicts.
Re: (Score:2)
Modern LCDs vary backlight intensity for dynamic contrast applications, sometimes with local dimming. This would change the power draw of the LCD panel, which would change the power draw, which would presumably have some effect on the EM given off by the power cabling/circuitry/etc. I'd imagine that could be measured somehow?
Re: (Score:2)
Stephenson described TEMPEST, but he also included using blinking LEDs to exfiltrate information. In a chapter after the initial introduction of TEMPEST, the main character is put in a position where he believes people are going to use it to read his computer screen. To get out the secret information he needs, he has the keyboard lights on his laptop blink it to him in Morse code. He then creates a fake message with incorrect information to display on his screen so the enemy will think he's revealed his
Re: (Score:2)
In that they literally say this in the research paper, yes.
But you'd know that if you clicked the links.
Old news (Score:1)
I remember I think it was you could read the MFM or RLL activity LEDs as they were tied to the serial write/read/something head of the drive. I think that was also the case for a lot of stuff to be honest (Serial port activity, etc, etc) so there's really nothing new here.
I remember using the Num Lock led of my keyboard on linux and on OSX for disk activity - there's been lots of hacks out for that, so using the LED for stuff you wouldn't normally isn't exactly new.
New hack! Writing pixels to a computer
Re: (Score:2)
On the other hand, most modems tied the RX/TX LEDs directly to the data lines, and a few papers were published showing that you can optically read the serial line via the LEDs.
No camera policy (Score:5, Insightful)
The military already knows this attack vector, and if you bring a smartphone or camera into a secure area, it can be destroyed.
Re: (Score:2)
it can be destroyed
Will be. FTFY
Re: (Score:2)
So someone is able to infect the computer with malware, but then instead of using a much more efficient extraction method like the same flash drive they installed the malware from or a QR code on screen, they decide to flash the data out via the keyboard LEDs at around 2 bps.
Exfiltrating a Word document takes them about two days of filming the keyboard with their phone.
Re: (Score:2)
A CCTV camera that can see the keyboard LEDs, but not the operator's fingers typing in the password.
Re: (Score:2)
Entirely possible. The camera sees the computer, but when a user comes to log in, the way they stand blocks the view of the keyboard.
The malware logs the key, then when it detects the computer isn't being used, it can then blink the data out, assuming there's no one standing in front.
Camera then records blinking with no one standing in front of keyboard.
Computers don't have to transmit the information they wa
Re: (Score:2)
That's some highly specific malware.
Re: (Score:1)
fuck off cunt
Re: (Score:2)
What about smartwatches with ambient light sensors in them? Bit of an oversight that one,
There's a lieutenant or other officer at the door when you leave, and if he thinks your 'watch' with a light sensor is suspicious, it will be destroyed.
set the wayback machine for 2002 (Score:5, Informative)
https://www.researchgate.net/p... [researchgate.net]
Re: (Score:3)
I remember this. I seem to remember it being an issue with what we'd now call low-speed serial lines (T1s or fractions Ts) and status LEDs on routers or CSU-DSUs that literally blinked with every bit transmitted on the line.
I suspect this particular thing would be not possible with "modern" high speed data circuits as I'm sure the LED is not actually synchronous with the data line.
My guess is that on older equipment, though, the actual comm circuitry might literally have been electrically synced with RX/TX
Re: (Score:3)
My guess is that on older equipment, though, the actual comm circuitry might literally have been electrically synced with RX/TX lights.
That was often the case.
A note to academics (Score:2)
Security rule #1 (Score:5, Insightful)
Re: (Score:2)
Working on projects in these places requires some sort of security clearance where you are investigated and monitored. But even people with security clearances can be compromised by foreign actors. And many people without security
Re: (Score:2)
You can't even see that 120 Hz monitor refresh rate, let alone an LED modulated at a few 100 kHz.
Any output (Score:1)
What about the monitor? (Score:2)
I could show passwords on the screen.
Don't forget TEMPEST.... (Score:2)
I recall in the mid 80's a colleague demonstrated to our boss that he could read the computer screen (CRT) inside the lab on his oscilloscope with a scanning setup about 20 feet outside the lab. Needless to say they had to build a semi-SCIF for the Top secret SIGINT work the company was doing.
The same dude then developed a SIGINT technique a few months later. Which was classified Top Secret. Except he only had a Secret clearance. We kept telling him he had to report to the nurse for brain surgery.
Industrial systems have 1000 similar attacks (Score:1)
janitors / cleaning crew can get places some late (Score:2)
janitors / cleaning crew can get in places sometime late at night when no other people are in the office.
Re: (Score:2)
yes and they could plant bombs in your building, waltz off with hard drives and important documents and put cameras in washroom stalls....
I'm losing sleep over this issue
Re: (Score:2)
Beep boop boop beep beep beep. Why don't you just tell me what your secret data is!
When you hear it in Kramer's voice it is pretty funny :)
Horse fucking hockey (Score:5, Interesting)
To say monitoring my caps lock and num lock are going to be an issue is flat out scare mongering. I don't care how low the bandwidth of those flickering LEDs are, if someone can somehow monitor them then your entire room is hopelessly compromised.
turn keyboard over defeats led blinkery (Score:1)
...allows everyone to see "password001" taped to post-it under keyboard.
If you're close enough to see the light blinking (Score:3)
Surely taking a quick pic of a couple of QR codes is less obtrusive than standing around for hours recording a led blinking.
I've known about this for years (Score:2)
There were some low end (possibly toy) electronic organizers that had a 1-way sync that worked via either flashing keyboard LEDs or the monitor. This keyboard LED vulnerability dates back to the IBM AT which was the first IBM PC to have the ability to change the Caps/Num/Scroll lock state.
What's next - the bios beep? (Score:2)
It's neat they can use the light to send information, it's less practical than Ethan Hunt dangling from wires to get the data.