Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Academics Steal Data From Air-Gapped Systems Via a Keyboard's LEDs (zdnet.com) 112

The Caps Lock, Num Lock, and Scroll Lock LEDs on a keyboard can be used to exfiltrate data from a secure air-gapped system, academics from an Israeli university have proved. From a report: The attack, which they named CTRL-ALT-LED, is nothing that regular users should worry about but is a danger for highly secure environments such as government networks that store top-secret documents or enterprise networks dedicated to storing non-public proprietary information. he attack requires some pre-requisites, such as the malicious actor finding a way to infect an air-gapped system with malware beforehand. CTRL-ALT-LED is only an exfiltration method. But once these prerequisites are met, the malware running on a system can make the LEDs of an USB-connected keyboard blink at rapid speeds, using a custom transmission protocol and modulation scheme to encode the transmitted data. A nearby attacker can record these tiny light flickers, which they can decode at a later point, using the same modulation scheme used to encode it.
This discussion has been archived. No new comments can be posted.

Academics Steal Data From Air-Gapped Systems Via a Keyboard's LEDs

Comments Filter:
  • Well no shit (Score:5, Insightful)

    by OverlordQ ( 264228 ) on Wednesday July 10, 2019 @03:47PM (#58904058) Journal

    finding a way to infect an air-gapped system with malware beforehand.

    Whaaaat, you mean if somebody gets malware on a computer they have access to the computer?

    • by Anonymous Coward

      Yep, and we can modulate the fan speed, CPU temperature, make clicks on the speaker, etc. to send information via non-network means. As for the LEDs on keyboards, this assumes one has a keyboard attached. (Many servers do not have individual keyboards, they are accessed either by large KVMs or administrated via a console port or network connection.)

      Not something to get too worked up about. Much better to focus on hardening the OS, locking down USB ports so malware is more difficult to inject, having an e

      • Re:Well no shit (Score:5, Interesting)

        by Rhipf ( 525263 ) on Wednesday July 10, 2019 @06:05PM (#58904866)

        Wouldn't having the system controlled via a network connection kind of defeat the purpose of an air-gapped computer? 8^)

        Yes I realize the network can be an isolated standalone network but the computer itself is no longer air-gapped.

        Even if a keyboard is connected there are several keyboards without LEDs. If the keyboard does have LEDs and they are blinking sporadically I think I would be inclined to replace that keyboard (no typical for those LEDs to blink incessantly).

        • dude, they blink so fast, to the human eye it looks flat static, or half dim. But to a camera sensor that can do 120fps, it can see a modulated bit stream of at least half that, 60bps.

        • "Even if a keyboard is connected there are several keyboards without LEDs."

          If I'm near enough to see the keyboard, I'll just use it and read from the screen.

          Oh, I see, they mean a secure server in a building made of glass.

    • Re: (Score:3, Insightful)

      by jimbolauski ( 882977 )

      Not only that but the attackers must have a camera or other recording device in line of sight of the infected machine to bridge the air gap so they could just record images or documents displayed on the monitor.

      • by 93 Escort Wagon ( 326346 ) on Wednesday July 10, 2019 @04:43PM (#58904414)

        If a bad actor manages to get that level of access, there are probably easier ways to do this.

        "Hey, does anyone know where this cat 5e cable that's running from the centrifuge controller into the air duct came from?"

        • by bob4u2c ( 73467 )

          "Hey, does anyone know where this cat 5e cable that's running from the centrifuge controller into the air duct came from?"

          Sorry, my bad. The Internet was running hot and I figured running it through the air duct would cool it down. Just let me remove this little dongle at the end and I'll get the cable out of your way.

    • It's also worth noting that, since the advent of WiFi, having an "air-gap" doesn't really mean much.
      • by Obfuscant ( 592200 ) on Wednesday July 10, 2019 @05:23PM (#58904650)
        No, it isn't worth noting that. If you have your computer connected to the internet via WiFi is it not air-gapped. Air-gapped doesn't mean you have no physical connection, it means you have no internet connection of any kind.

        It is also not worth noting the new discovery that keyboard LEDs can be used to leak data, since that was a thing decades ago. As were a lot of other observable phenomena, including, IIRC, fan speeds or floppy disk access sounds. As was tempest from CRT displays or the CPU. Yes, people actually played music by running code with specific timing constants, which could be picked up on an AM radio. And one fascinating exhibit at a college computer fair was the use of a massive Calcomp flatbed plotter playing classical music in multi-part harmony. (If you can transmit tones, you can send data encoded as those tones, obviously.)

    • by AmiMoJo ( 196126 )

      This was invented decades ago anyway. Back in the 80s we used keyboard LEDs for debugging. When the kernel crashed you could see the error code tapped out in Morse code on the numlock LED.

  • by Anonymous Coward
    I'm sorry, but it is *A* USB, not an USB. You don't say an yogurt, or an Yugo, or an yellow flower. It sounding like a "Y" supersedes the "an before a vowel" rule.
    • Correct. You should have used "an unicycle" as your example, though.

    • by PPH ( 736903 )

      An hero.

  • by Anonymous Coward

    in his novel Cryptonomicon, and i'm pretty certain someone must have had the idea waaaay before that.

    • He described a mechanism of reading the contents of a screen from a distance by scanning the electromagnetic radiation it creates.

      In the book, the character creates a tool to display random content over the screen to foil the eavesdroppers.

      Unfortunately, the system he refers to - sometimes known as TEMPEST - only works on CRTs, not on the LCD screen of the laptop as he depicts.

      • by Guspaz ( 556486 )

        Modern LCDs vary backlight intensity for dynamic contrast applications, sometimes with local dimming. This would change the power draw of the LCD panel, which would change the power draw, which would presumably have some effect on the EM given off by the power cabling/circuitry/etc. I'd imagine that could be measured somehow?

      • by rgmoore ( 133276 )

        Stephenson described TEMPEST, but he also included using blinking LEDs to exfiltrate information. In a chapter after the initial introduction of TEMPEST, the main character is put in a position where he believes people are going to use it to read his computer screen. To get out the secret information he needs, he has the keyboard lights on his laptop blink it to him in Morse code. He then creates a fake message with incorrect information to display on his screen so the enemy will think he's revealed his

    • In that they literally say this in the research paper, yes.

      But you'd know that if you clicked the links.

  • by Anonymous Coward

    I remember I think it was you could read the MFM or RLL activity LEDs as they were tied to the serial write/read/something head of the drive. I think that was also the case for a lot of stuff to be honest (Serial port activity, etc, etc) so there's really nothing new here.

    I remember using the Num Lock led of my keyboard on linux and on OSX for disk activity - there's been lots of hacks out for that, so using the LED for stuff you wouldn't normally isn't exactly new.

    New hack! Writing pixels to a computer

    • I'm pretty sure MFM/RLL used the drive select signal for the disk activity light. The data rate would be too fast to allow the LED to appear bright, unless you used a pulse stretcher, which would wipe out the data acquisition possibility.

      On the other hand, most modems tied the RX/TX LEDs directly to the data lines, and a few papers were published showing that you can optically read the serial line via the LEDs.

  • No camera policy (Score:5, Insightful)

    by phantomfive ( 622387 ) on Wednesday July 10, 2019 @03:58PM (#58904126) Journal
    The attack vector is an employee with a camera on a phone or watch reading the light pulses getting data out of a top secret area (think of Chelsea Manning).

    The military already knows this attack vector, and if you bring a smartphone or camera into a secure area, it can be destroyed.
    • it can be destroyed

      Will be. FTFY

      • Nah, that is the threat, but some of the guards will try to examine your phone for any pictures if they think it was a mistake.
    • by AmiMoJo ( 196126 )

      So someone is able to infect the computer with malware, but then instead of using a much more efficient extraction method like the same flash drive they installed the malware from or a QR code on screen, they decide to flash the data out via the keyboard LEDs at around 2 bps.

      Exfiltrating a Word document takes them about two days of filming the keyboard with their phone.

      • Comment removed based on user account deletion
        • by AmiMoJo ( 196126 )

          A CCTV camera that can see the keyboard LEDs, but not the operator's fingers typing in the password.

          • by tlhIngan ( 30335 )

            A CCTV camera that can see the keyboard LEDs, but not the operator's fingers typing in the password.

            Entirely possible. The camera sees the computer, but when a user comes to log in, the way they stand blocks the view of the keyboard.

            The malware logs the key, then when it detects the computer isn't being used, it can then blink the data out, assuming there's no one standing in front.

            Camera then records blinking with no one standing in front of keyboard.

            Computers don't have to transmit the information they wa

  • by trb ( 8509 ) on Wednesday July 10, 2019 @04:03PM (#58904150)
    • I remember this. I seem to remember it being an issue with what we'd now call low-speed serial lines (T1s or fractions Ts) and status LEDs on routers or CSU-DSUs that literally blinked with every bit transmitted on the line.

      I suspect this particular thing would be not possible with "modern" high speed data circuits as I'm sure the LED is not actually synchronous with the data line.

      My guess is that on older equipment, though, the actual comm circuitry might literally have been electrically synced with RX/TX

      • by mcl630 ( 1839996 )

        My guess is that on older equipment, though, the actual comm circuitry might literally have been electrically synced with RX/TX lights.

        That was often the case.

  • I guess the disk LED on laptops/PCs can be used in the same vein though it might be a tad harder since there's disk activity you cannot control.
  • Security rule #1 (Score:5, Insightful)

    by Locke2005 ( 849178 ) on Wednesday July 10, 2019 @04:20PM (#58904254)
    If malicious actors have physical access to your hardware, assume your system has already been compromised.
    • As has been pointed out previously, "air gapped" has somewhat of a nebulous definition these days but usually refers to "secure compartmentalized information facilities." These are places where the machines may be networked to each other (LAN) but no wide area network (WAN).

      Working on projects in these places requires some sort of security clearance where you are investigated and monitored. But even people with security clearances can be compromised by foreign actors. And many people without security

      • TEMPEST security requires RF shielding. Does it require light shielding too? Seems like it should require blocking emission of ALL frequencies. Having displays visible through windows is a big no-no even in most businesses... and yet my display at Microsoft is clearly visible through the window I'm next to.
  • This really doesn't seem that ground breaking. I hope there wasn't a lot of resources put into proving this. Given the malware has to be injected into the system, an attacker could use any output mechanism. Some crafty ways I can think of is encoding the data to the screen using modified wallpapers, screensaver, or lock screen; a seemingly invisible widow which encodes only specific pixels; or how about very subtle cursor deviations encoded into normal cursor movement? One could blink the network cards ACT
  • I could show passwords on the screen.

  • I recall in the mid 80's a colleague demonstrated to our boss that he could read the computer screen (CRT) inside the lab on his oscilloscope with a scanning setup about 20 feet outside the lab. Needless to say they had to build a semi-SCIF for the Top secret SIGNIT work the company was doing.

    The same dude then developed a SIGINT technique a few months later. Which was classified Top Secret. Except he only had a Secret clearance. We kept telling him he had to report to the nurse for brain surgery.

  • Any computer that controls an actuator (a motor, a servo, lights, a cooling system, a tank stirrer, a substation, etc.) could be used to exfiltrate data b y modulating the control of the actuator. Any computer with a sensor (accelerometer, gyro, temperature, light, camera, etc.) can be used to receive the data.
    • by Lehk228 ( 705449 )
      doesn't even need to be this, if you pulse power consumption you can send signals back through the incoming power lines, and if it's a low speed modulation it won't get blocked by the fancy line filters, sure 1/4hz modulation is slow as heck but if your malware is well targetted the data you really need can get to you
  • janitors / cleaning crew can get in places sometime late at night when no other people are in the office.

    • yes and they could plant bombs in your building, waltz off with hard drives and important documents and put cameras in washroom stalls....

      I'm losing sleep over this issue

  • Horse fucking hockey (Score:5, Interesting)

    by Snotnose ( 212196 ) on Wednesday July 10, 2019 @06:40PM (#58905032)
    I've had top secret before. When you are in that environment you have tons of precautions. Like your windows have curtains to prevent Bad Guys (tm) from shining lasers on your windows to eavesdrop.
    To say monitoring my caps lock and num lock are going to be an issue is flat out scare mongering. I don't care how low the bandwidth of those flickering LEDs are, if someone can somehow monitor them then your entire room is hopelessly compromised.
  • ...allows everyone to see "password001" taped to post-it under keyboard.

  • by anarcobra ( 1551067 ) on Wednesday July 10, 2019 @07:12PM (#58905170)
    I think you might be close enough to see the screen and whatever is displayed on it.
    Surely taking a quick pic of a couple of QR codes is less obtrusive than standing around for hours recording a led blinking.
  • There were some low end (possibly toy) electronic organizers that had a 1-way sync that worked via either flashing keyboard LEDs or the monitor. This keyboard LED vulnerability dates back to the IBM AT which was the first IBM PC to have the ability to change the Caps/Num/Scroll lock state.

  • The next attack vector is the bios speaker beeping in a frequency that cannot be heard by humans but can be picked up by a listening device outside the room... assuming the computer has been compromised.

    It's neat they can use the light to send information, it's less practical than Ethan Hunt dangling from wires to get the data.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...