I have some CRT displays to sell you
LCD pwn System: How to modulate screen brightness to covertly transmit data from an air-gapped computer... slowly
Boffins from Ben-Gurion University of the Negev and Shamoon College of Engineering in Israel have come up with yet another TEMPEST-style attack to exfiltrate data from an air-gapped computer: leaking binary signals invisibly by slightly modulating the light coming off its monitor. TEMPEST, or Telecommunications Electronics …
COMMENTS
Thursday 6th February 2020 11:06 GMT Pascal Monett
Another 007 scheme ?
Or would it be more Wile E. Coyote?
Obviously, nobody's going to wonder what that guy is doing two desks back, holding his smartphone at their back while not moving at all for over an hour. Or, nobody is wondering what that smartphone is doing poised on a stand facing someone's screen when it never was there before. Given that smartphones are generally grafted to the hands of their owners, a smartphone on a desk on its own would be very, very weird.
A webcam not facing its owner ? Even weirder. Honestly, I can't think of one seemingly innocent string of circumstances where this tech would not be at risk of discovery. This reminds me of that drone spy that would, eventually, get data from a photocopier - it just had to have line-of-sight, meaning it would be very visible through the window and everyone would be wondering what the hell it was doing there.
Thursday 6th February 2020 16:30 GMT Blazde
Re: Another 007 scheme ?
I'd venture there are a fair few air-gapped systems out there that aren't going the whole hog on anti-TEMPEST.
Iran published photographs from the supposedly air-gapped Natanz facility computer room with dozens of people milling around and the place looked... highly ordinary. It's not implausible that a short video clip published in similar circumstances could leak a passphrase or other short string from a screen which was otherwise free of sensitive information.
Thursday 6th February 2020 15:26 GMT David Shaw
Re: Another 007 scheme ?
I designed a covert comms channel based exactly on this principle
"what that guy is doing two desks back, holding his smartphone at their back while not moving at all for over an hour" - not moving, much, for an hour or two
but not for an office situation, just exfiltrating data across a national border or similar
relied on a few keen anglers and the usual PVdF piezo-acoustic transducers, possibly fish/bait shaped
I wonder if it was ever used (stego digital acoustic monitoring of all waterways surely IS implemented chaps?)
Thursday 6th February 2020 13:28 GMT Jason Bloomberg
Ben-Gurion University
These guys sure are a one-trick pony.
As I have said in the past, they seem to have created a long list of all possible mechanisms to facilitate exfiltration and then set about releasing them one at a time.
I guess it keeps their names in the headlines. But it really is making me bored.
Thursday 6th February 2020 13:53 GMT Loyal Commenter
Re: Ben-Gurion University
Their methods all seem to have one thing in common:
Step 1) Gain access to a protected system and install malware on it
Step 2) Come up with some wacky way to exfiltrate the data from the already compromised computer that is orders of magnitude less difficult than getting the malware onto the computer in the first place...
Thursday 6th February 2020 15:18 GMT Graham Cobb
Re: Ben-Gurion University
Yes, that is what they do. But it is very important.
Compromising a computer is hard, but it only has to happen once. If you spend enough money you can get the computer compromised.
But if your goal is to get data, you need some way for the data to get to you. Normally it is important that it is timely and it is, of course, very valuable if you can do it without the compromise being discovered (otherwise you have to spend all that money again to compromise the new system -- and the target will be watching it more carefully this time). And, if it is really air-gapped, then something like this or one of their other exploits is going to be required.
It is also useful to know that things like this have been tried and to understand how effective it is -- in this case it is likely that this will never be used as it is so slow and there are much faster mechanisms which may not be much more difficult to set up.
Don't forget that one of their techniques (ultrasonic data encoding) has even been turned into commercial software: mobile phone apps detecting what TV you are watching by detecting ultrasonic information in ads. It may be running on your phone right now.
Thursday 6th February 2020 16:12 GMT Loyal Commenter
Re: Ben-Gurion University
The point I was alluding to was that if you can compromise the computer to get the malware on, why not use the same mechanism for getting the data off?
For instance, if the machine is air-gapped, you must be getting the malware on via an external storage device. If you can get it in once, undetected, to get the malware on, the odds are you can get it in a second time to get the data off again.
Similarly, if the malware gets on via something like a poisoned link in an email, that presupposes network access, in which case that sounds like a far more likely route out again. Ignoring, of course, the fact that the access to that dodgy link would probably be spotted right away by any half-competent network monitoring, and the machine scrubbed.
I don't want to downplay the cleverness of all the various side-channel data exfiltration techniques but I do question their usefulness and applicability, considering that the target is either going to be in a windowless basement somewhere, with the sort of security that carries rifles, in which case, good luck seeing the screen, or accessing anything that can see it, or the target isn't going to be secure in the first place.
This kind of limits the usefulness to situations where not only do you manage to physically access the air-gapped machine to compromise it, but you also somehow manage to compromise other security aspects around it (camera systems, etc.), in which case, as the number of required exploits rises, so does the possibility of discovery. Good old-fashioned rubber-hose cryptography becomes the easiest route over the James Bond stuff.
Thursday 6th February 2020 19:23 GMT Graham Cobb
Re: Ben-Gurion University
This isn't to get at data on the PC concerned -- it is to get at information that PC handles in the future.
Sometimes compromising is easy (evil maid attack is the easiest, but there are many other attacks such as social engineering, or sending in fake "maintenance" people) but what you are interested in is a feed of whatever the device is monitoring. That is what this research is about.
I'm not saying these techniques are common, or even that this particular one is useful, but they are important. When you need them, you really need them (or need to prevent them).
Don't forget who these guys are. Read the Wikipedia article on Stuxnet if you have forgotten how important seemingly innocuous air-gapped control systems can be.
Thursday 6th February 2020 22:39 GMT Anonymous Coward
Re: Ben-Gurion University
You may be able to compromise the computer before it is put into service (i.e., during the build phase or during shipping from the manufacturer). You may also be able to compromise a third party who does have access to the computer after it is put into service (air-gapped computers need patches, too).
I've been sent out to a few data centers that allowed vendors to bring removable media onto the secure data center floor, but then the media had to be disposed of in a secure media shredder bin before leaving. A few of them even made me hand the thumb drive over to the guard before I entered the area to prevent sleight-of-hand tricks - they would insert and remove the drive from the target device themselves and then walk it over to the disposal bin.
Thursday 6th February 2020 15:49 GMT My other car WAS an IAV Stryker
Thursday 6th February 2020 16:02 GMT Charles 9
I believe CTRL-ALT-LED is based on that. Thing is, this technique works even with a user logged in unless the user in question regularly handles things in the red spectrum. Plus it can work indirectly (meaning the camera doesn't have to directly see the screen; the reflection off a wall IIRC is enough, and most facilities don't have flat black walls).
Thursday 6th February 2020 21:23 GMT ben kendim
Re: Timex/Microsoft Datalink watch
Absolutely, first thing that crossed my mind!
I had one in 1995. When receiving a security briefing, I told the briefer I had one, and that we should update the briefing materials to talk about these watches.
She was not delighted at the prospect... :-) :-)
Friday 7th February 2020 10:32 GMT Loyal Commenter
Re: Eh?
It's also assuming a high refresh rate for that security camera.
I don't know about you, but when I've seen security camera footage, it's often in greyscale, and at about 1 FPS. If you're monitoring a secure area to audit access, I'd say you'd be unlikely to spec anything better than that, simply due to the storage requirements. If your camera is recording at 1 FPS, then this technique has a hard limit of 1 bps; that's 7.5 bytes a minute, and that's presupposing that this is the only thing causing ambient light levels to change.
I get that this is clever, and that it could conceivably be used to exfiltrate data, albeit at a very slow rate. I still think a more efficient attack vector is to use the same vector you did to get your malware onto the device in the first place (e.g. an infected pen drive) to get the data out again at a later date, once you've collected it.
Friday 7th February 2020 11:52 GMT Graham Cobb
Re: Eh?
Sure, reasonable analysis.
However, would you (or a person who is just now deciding to deliberately downgrade the spec of their new operations room security camera) have done that analysis if this research had not been published?
We need people to not just idly think about threats but test them so we can make informed decisions (as we all know, security decisions are not about removing threats - they are about trying to keep them more expensive than the value gained).
Tuesday 11th February 2020 05:41 GMT Grinning Bandicoot
Coloring outside the lines
Among my other hobbies is reading fiction set in the future. I am very surprised to note that Lois McMaster Bujold used a screen-reading technique as a plot device in a '96 novel, but maybe Ben-Gurion, being under siege, must check any and all possible attacks, far-fetched or not. However, it appears to be not noted.