Stealing Data from Infected Computer’s Blinking LED

This may sound strange, and to an extent startling as well. A hacker could steal data from your system (which would already have a malware in it) by just sending a drone and getting it to watch your computer’s blinking LED.

A group of security researchers at the Ben-Gurion University in Beersheba, Israel demonstrated how this can be carried out. They sent a small quadcopter drone one evening early in 2017 from the parking lot of the University and flew it towards a nearby building. They then trained the drone’s built-in camera on a desktop computer’s tiny blinking LED inside an office on the third floor of that building and managed to silently draw out from the system an optical stream of all the secrets stored within the system to the camera in the drone. As the LED hard drive indicator that flickers on a Windows computer is a normal thing and as there is no physical presence of anyone inside the building, there is no scope for any suspicion and the drone with the camera soon flies away after having stolen all the data inside the already infected system.

Well, seems like a scene out of a sci-fi movie or a series like Mr. Robot, isn’t it? But this is no fiction, it’s very much real today and hackers could use this strategy to steal data from computers after infecting them with malware using other methods. That’s what the researchers at the cybersecurity lab in the Ben-Gurion University wanted to demonstrate.

This kind of hacking is done by defeating the security protection that’s technically known as an “air gap”. In a release dated February 22, 2017, WIRED explains the hacking technique in detail. The release says, “A group of researchers at Ben-Gurion’s cybersecurity lab has devised a method to defeat the security protection known as an “air gap,” the safeguard of separating highly sensitive computer systems from the internet to quarantine them from hackers. If an attacker can plant malware on one of those systems—say, by paying an insider to infect it via USB or SD card—this approach offers a new way to rapidly pull secrets out of that isolated machine. Every blink of its hard drive LED indicator can spill sensitive information to any spy with a line of sight to the target computer, whether from a drone outside the window or a telescopic lens from the next roof over.”

The team of researchers who probed this hacking technique has been headed by Dr. Mordechai Guri, Head of R&D. WIRED quotes Dr. Guri as saying, “If an attacker has a foothold in your air-gapped system, the malware still can send the data out to the attacker. We found that the small hard drive indicator LED can be

controlled at up to 6,000 blinks per second. We can transmit data in a very fast way at a very long distance.” A Ben-Gurion University press release dated 23 February, 2017 reads, “Researchers at BGU’s Cyber Security Research Center have demonstrated that data can be stolen from an isolated “air-gapped” computer’s hard drive reading the pulses of light on the LED drive using various types of cameras and light sensors.”

The press release further says, “Air-gapped computers are isolated — separated both logically and physically from public networks — ostensibly so that they cannot be hacked over the Internet or within company networks. These computers typically contain an organization’s most sensitive and confidential information.”.

Dr. Mordechai Guri and his team of researchers, as mentioned above, decided to make use of the hard-drive activity LED lights found on most computers. They found that once a computer is infected with a malware, the HDD LED can be controlled using the malware. It can be turned on and off rapidly (thousands of flickers per second), thereby beating human visual perception capabilities. Thus, it becomes possible to encode and leak highly sensitive information over the fast LED signals, which can then be received and recorded by cameras or light sensors.

Though air-gapped systems are considered impenetrable, it has already been proved that enterprising hackers can access them as well. The WIRED report explains, “An air gap, in computer security, is sometimes seen as an impenetrable defense. Hackers can’t compromise a computer that’s not connected to the internet or other internet-connected machines, the logic goes. But malware like Stuxnet and the Agent.btz worm that infected American military systems a decade ago have proven that air gaps can’t entirely keep motivated hackers out of ultra-secret systems—even isolated systems need code updates and new data, opening them to attackers with physical access.”

Once an air-gapped system is infected, there are different ways to extract data out of it. Dr. Guri and his team of researchers have already demonstrated different methods of extracting data out of air-gapped systems. Exploiting the hard-drive LED is highly effective, as it’s a stealthier, higher-bandwidth and longer-distance form of extracting data from air-gapped systems.

WIRED explains, “By transmitting data from a computer’s hard drive LED with a kind of morse-code-like patterns of on and off signals, the researchers found they could move data as fast as 4,000 bits a second, or close to a megabyte every half

hour. That may not sound like much, but it’s fast enough to steal an encryption key in seconds. And the recipient could record those optical messages to decode them later; the malware could even replay its blinks on a loop, Guri says, to ensure that no part of the transmission goes unseen.”

Since the LED is always blinking as part of the searching and indexing, the data theft always remains unseen.

The researchers have suggested different countermeasures that can help prevent such exfiltration. This includes keeping air-gapped computers in secure rooms and away from windows, placing film over the glass in buildings, using protective software to block such attempts etc. The best thing to do would be to cover the LED itself.