back to article LCD pwn System: How to modulate screen brightness to covertly transmit data from an air-gapped computer... slowly

Boffins from Ben-Gurion University of the Negev and Shamoon College of Engineering in Israel have come up with yet another TEMPEST-style attack to exfiltrate data from an air-gapped computer: leaking binary signals invisibly by slightly modulating the light coming off its monitor. TEMPEST, or Telecommunications Electronics …

  1. ExampleOne

    I have some CRT displays to sell you

    1. Anonymous Coward
      Black Helicopters

      I think those could be detected in the next state with the size of their magnetron.

      1. BebopWeBop

        I remember seeing that being demonstrated by the EM group at the University of York in the 80s - several rooms away even then.

        1. Anonymous Coward
          Anonymous Coward

          Was done at defcon...

          as a joke, with a radio, from an lcd/laptop display. :P

  2. BebopWeBop


    Although despite the bandwidth and location issues, I am sure there are applications that might use this to signal simple interactions with a piece of software of interest. Nice lateral thinking from Ben-Gurion.

    1. My other car WAS an IAV Stryker

      Re: Smashing

      Ben-Gurion University...

      The moment I read the headline I assume it was this bunch (again).

    2. eldakka Silver badge

      Re: Smashing

      Yeah, the bit-rate wouldn't need to be that high if, instead of trying to download the database all their spies, all you are trying to do is get the login credentials so you can come back later to login using those credentials to download the database onto a USB stick.

  3. W.S.Gosset Silver badge

    S(n)ide feature

    They could add that the red pixels which are varying, draw out a rude symbol, eg flipping the bird.

    So it will be subliminally flipping the bird to the person who's being fleeced.

    1. Blazde

      Re: S(n)ide feature

      That really sounds like a job for the blue pixels

  4. Pascal Monett Silver badge

    Another 007 scheme ?

    Or would it be more Wiley Coyote ?

    Obviously, nobody's going to wonder what that guy is doing two desks back, holding his smartphone at their back while not moving at all for over an hour. Or, nobody is wondering what that smartphone is doing poised on a stand facing someone's screen when it never was there before. Given that smartphones are generally grafted to the hands of their owners, a smartphone on a desk on its own would be very, very weird.

    A webcam not facing its owner ? Even weirder. Honestly, I can't think of one seemingly innocent string of circumstances where this tech would not be at risk of discovery. This reminds me of that drone spy that would, eventually, get data from a photocopier - it just had to have line-of-sight, meaning it would be very visible through the window and everyone would be wondering what the hell it was doing there.

    1. Anonymous Coward

      Re: Another 007 scheme ?

      You seemingly have never heard of tape.

    2. Graham Cobb Silver badge

      Re: Another 007 scheme ?

      I am sure there are plenty of air-gapped machines with a security camera pointing at them. Some control rooms have camera monitoring either because they are normally unmanned or just for security (or later incident analysis).

    3. adam 40 Silver badge

      Re: Another 007 scheme ?

      You seemingly have never heard of leaving your smartphone on a desk attached to - a charger.

      1. Loyal Commenter

        Re: Another 007 scheme ?

        In front of a (presumably sensitive) air-gapped machine in TEMPEST conditions? Nope.

        I would hazard a guess that TEMPEST includes not taking your phone into the room with you, and quite possibly not the building, or indeed the site.

        1. Blazde

          Re: Another 007 scheme ?

          I'd venture there are a fair few air-gapped systems out there that aren't going the whole hog on anti-TEMPEST.

          Iran published photographs from the supposedly air-gapped Natanz facility computer room with dozens of people milling around and the place looked.. highly ordinary. It's not implausible that a short video clip published in similar circumstances could leak a passhrase or other short string from a screen which was otherwise free of sensitive information.

          1. eldakka Silver badge

            Re: Another 007 scheme ?

            The old "write the password of the day on this operations room whiteboard, then hold a press conference using the whiteboard as a background" trick?

    4. David Shaw

      Re: Another 007 scheme ?

      I designed a covert comms channel based exactly on this principle

      what that guy is doing two desks back, holding his smartphone at their back while not moving at all for over an hour not moving , much, for an hour or two

      but not for an office situation, just exfiltrating data across a national border or similar

      relied on a few keen anglers and the usual PVdF piezo-acoustic transducers, possibly fish/bait shaped

      I wonder if it was ever used (stego digital acoustic monitoring of all waterways surely IS implemented chaps?)

  5. Jason Bloomberg Silver badge

    Ben-Gurion University

    These guys sure are a one-trick pony.

    As I have said in the past; they seem to have created a long list of all possible mechanisms to facilitate exfiltration and then set about releasing them one at a time.

    I guess it keeps their names in the headlines. But it really is making me bored.

    1. Loyal Commenter

      Re: Ben-Gurion University

      Their methods all seem to have one thing in common:

      Step 1) Gain access to a protected system and install malware on it

      Step 2) Come up with some wacky way to exfiltrate the data from the already compromised computer that is orders of magnitude less difficult than getting the malware onto the computer in the first place...

      1. Graham Cobb Silver badge

        Re: Ben-Gurion University

        Yes, that is what they do. But it is very important.

        Compromising a computer is hard, but it only has to happen once. If you spend enough money you can get the computer compromised.

        But if your goal is to get data, you need some way for the data to get to you. Normally it is important that it is timely and it is, of course, very valuable if you can do it without the compromise being discovered (otherwise you have to spend all that money again to compromise the new system -- and the target will be watching it more carefully this time). And, if it is really air-gapped, then something like this or one of their other exploits is going to be required.

        It is also useful to know that things like this have been tried and to understand how effective it is -- in this case it is likely that this will never be used as it is so slow and there are much faster mechanisms which may not be much more difficult to set up.

        Don't forget that one of their techniques (ultrasonic data encoding) has even been turned into commercial software: mobile phone apps detecting what TV you are watching by detecting ultrasonic information in ads. It may be running on your phone right now.

        1. Loyal Commenter

          Re: Ben-Gurion University

          The point I was alluding to was that if you can compromise the computer to get the malware on, why not use the same mechanism for getting the data off?

          For instance, if the machine is air-gapped, you must be getting the malware on via an external storage device. If you can get it in once, undetected, to get the malware on, the odds are you can get it in a second time to get the data off again.

          Similarly, if the malware gets on via something like a poisoned link in an email, that presupposes network access, in which case that sounds like a far more likely route out again. Ignoring, of course, the fact that the access to that dodgy link would probably be spotted right away by any half-competent network monitoring, and the machine scrubbed.

          I don't want to downplay the cleverness of all the various side-channel data exfiltration techniques but I do question their usefulness and applicability, considering that the target is either going to be in a windowless basement somewhere, with the sort of security that carries rifles, in which case, good luck seeing the screen, or accessing anything that can see it, or the target isn't going to be secure in the first place.

          This kind of limits the usefulness to situations where not only do you manage to physically access the air-gapped machine to compromise it, but you also somehow manage to compromise other security aspects around it (camera systems, etc.), in which case, as the number of required exploits rises, so does the possibility of discovery. Good old-fashioned rubber-hose cryptography becomes the easiest route over the James Bond stuff.

          1. Graham Cobb Silver badge

            Re: Ben-Gurion University

            This isn't to get at data on the PC concerned -- it is to get at information that PC handles in the future.

            Sometimes compromising is easy (evil maid attack is the easiest, but there are many other attacks such as social engineering, or sending in fake "maintenance" people) but what you are interested in is a feed of whatever the device is monitoring. That is what this research is about.

            I'm not saying these techniques are common, or even that this particular one is useful, but they are important. When you need them, you really need them (or need to prevent them).

            Don't forget who these guys are. Read the Wikipedia article on Stuxnet if you have forgotten how important seemingly innocuous air-gapped control systems can be.

          2. Anonymous Coward
            Anonymous Coward

            Re: Ben-Gurion University

            You may be able to compromise the computer before it is put into service (ie, during the build phase or during shipping from the manufacturer). You may also be able to compromise a third party who does have access to the computer after it is put into service (air gapped computers need patches, too).

            I've been sent out to a few data centers that allowed vendors to bring removable media onto the secure data center floor, but then the media had to be disposed in a secure media shredder bin before leaving. A few of them even made me hand the thumb drive over to the guard before you entered the area to prevent slight of hand tricks - they would insert and remove the drive from the target device themselves and then walk it over to the disposal bin.

    2. fobobob

      Re: Ben-Gurion University

      Next up: Method of data exfiltration involving the modulation of the user's head scratching and/or wincing from frustration. A calibrated skin cell/dandruff detector hidden on the user's chair provides feedback of the user's state.

  6. Evil Auditor Silver badge

    Haven't really followed these guys. But I'd think you get a higher bit rate with a flickering power (or other) LED. Works even if the monitor is in power saving mode. But I'm sure some guy's done that lang before.

    1. My other car WAS an IAV Stryker

      Flashing LEDs

      Same group, about three years ago...

      El Reg article on hard drive LEDs

      El Reg article on router LEDs

    2. Charles 9

      I believe CTRL-ALT-LED is based on that. Thing is, this technique works even with a user logged in unless the user in question regularly handles things in the red spectrum. Plus it can work indirectly (meaning the camera doesn't have to directly see the screen; the reflection off a wall IIRC is enough, and most facilities don't have flat black walls).

  7. John H Woods Silver badge

    Reminds me of Cryptonomicon ...

    Where, IIRC, the protagonist anxious to retrieve data in secret, despite being under surveillance, creates a program to blink the CAPS LOCK key in Morse code.

  8. W T Riker

    Timex/Microsoft Datalink watch

    Sounds a bit like the Timex/Microsoft Datalink watch from 1994, where a series of flashing horizontal lines on a CRT monitor were sensed by an optical sensor on the watch.

    1. ben kendim

      Re: Timex/Microsoft Datalink watch

      Absolutely, first thing that crossed my mind!

      I had one and in 1995. When receiving a security briefing, I told the briefer I had one, and that we should update the briefing materials to talk about these watches.

      She was not delighted at the prospect... :-) :-)

  9. redpawn

    Is my computer infected?

    The brightness of my laptop screen is quite inconsistent especially in the corners, the fan kick on at random times, each key sounds a bit different when pressed and my ears ring after using it for long periods of time.

    1. Evil Auditor Silver badge

      Re: Is my computer infected?

      Nah, you're just paranoid.

  10. c1ue

    To be fair, you could do a lot with the combination of frequency modulated data and using G and B pixels.

  11. Doctor Syntax Silver badge

    "It also requires a device capable of picking up the emanations from the infiltrated target machine – a nearby video camera in this instance."

    The nearby video camera could be exfiltrating data by other means.

    1. Evil Auditor Silver badge

      The nearby video camera could be exfiltrating data by other means.

      Indeed. "We recorded you masturbating while watching porn. Now send us all the data or else..."

  12. IGotOut Silver badge


    Many here have mentioned a security camera pointing at the screen.

    If you have a camera looking at the screen (or even with the potential to) on a secure computer, you have far bigger security issues to worry about.

    1. Richard 12 Silver badge

      Re: Eh?

      As TFA says, this exfiltration technique assumes the camera is not pointing at the screen.

      It uses the glow reflected off the user's face or a nearby wall.

      That is, as they say, The Whole 'Ing Point.

      1. Loyal Commenter

        Re: Eh?

        It's also assuming a high refresh rate for that security camera.

        I don't know about you, but when I've seen security camera footage, it's often in greyscale, and at about 1 FPS. If you're monitoring a secure area to audit access, I'd say you'd be unlikely to spec anything better than that, simply due to the storage requirements. If your camera is recording at 1 FPS, then this technique has a hard limit of 1 BPS, that's 7.5 bytes a minute, and that's presupposing that this is the only thing causing ambient light levels to change.

        I get that this is clever, and this it could conceivably be used to exfiltrate data, albeit at a very slow rate. I still think a more efficient attack vector is to use the same vector you did to get your malware onto the device in the first place (e.g. an infected pen drive) to get the data out again at a later date, once you've collected it.

        1. Graham Cobb Silver badge

          Re: Eh?

          Sure, reasonable analysis.

          However, would you (or a person who is just now deciding to deliberately downgrade the spec of their new operations room security camera) have done that analysis if this research had not been published?

          We need people to not just idly think about threats but test them so we can make informed decisions (as we all know, security decisions are not about removing threats - they are about trying to keep them more expensive than the value gained).

  13. Frumious Bandersnatch

    Somewhere ...

    some guy is practising his semaphore moves ... in a pinafore ... far from prying eyes.

  14. EnviableOne Silver badge

    speed issues

    Correct me if i'm wrong but could we not tripple the data rate by using the G and B pixels at the same time?

    1. Ian 55

      Re: speed issues

      Because of the sensitivity of (non-colour blind) human eyes to green, that risks being more noticeable. It also makes picking it up off the wall harder.

  15. Grinning Bandicoot

    Coloring outside the lines

    Among other of my hobbies is reading fiction set in the future. I am very surprised to note that Lois McMaster Bujold used in a '96 novel a screen reading technique as a plot device but maybe that Ben Gurion being under siege must check any and all far fetched or not attacks that possible. However, it appears to be not noted.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like