Short Bytes: A paper published by an Israeli team of researchers describes a new method of covertly leaking information from an air-gapped computer. Titled LED-it-GO, the attack uses malware to take control of the HDD activity LED on a computer and make it blink in a desired pattern. A camera fitted on a drone can then be used to read the pattern, which reveals information in binary form.
Stealing data from an air-gapped computer (one that is completely disconnected from the network) is not a new thing. Last year, a team led by Mordechai Guri from the Ben Gurion University, Israel demoed a USB device to breach security on an air-gapped computer.
Guri and his new team have published further research on stealing data from isolated air-gapped computers. The method is more high-tech than the USBee in their previous paper and involves a camera-connected drone.
According to the new research paper, the attack, titled LED-it-GO, requires infecting the target PC with malware. This is easy for a person who has physical access to the air-gapped PC. The malware manipulates the LED notification light for the PC's hard drive. The LED can be made to blink (turn on and off) around 5800 times per second, a rate beyond human visual perception.
The blinking LED can be used to transmit information. The researchers use a data encoding method known as On-Off Keying, and the LED blinking patterns are read using the camera. The ON state represents a binary 1 and the OFF state is a binary 0.
If the LED is visible through a window, which is possible for many desktop computers and even laptops, the pattern can be captured at a distance from the window using a drone fitted with a camera.
And it’s not just the drone; the team has tested a range of camera devices that can be brought near the blinking LED: an entry-level Nikon DSLR, GoPro Hero 5, Galaxy S6, Google Glass, and a Siemens photodiode sensor.
The maximum data bandwidth of 4,000 bit/s is achievable with the Siemens sensor, whereas for the Hero 5 it is 120 bit/s and for the Galaxy S6 it is 60 bit/s. That is fairly small by modern standards, but it can allow an attacker to covertly transfer confidential information such as passwords, encryption keys, etc.
Even the security cameras facing a computer can be hacked to perform this attack. Preventive measures against such attacks can be as simple as putting tape over the LED, monitoring the LED activity, or even cutting off the LED cables.
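One way to approach the "monitoring the LED activity" countermeasure, as an added example that is not from the paper or the original article: the Python below takes brightness samples from a light sensor pointed at the HDD LED and checks whether the on/off runs share a fixed bit clock, which is the signature of On-Off Keying, and if so shows the keyed bit pattern. The function names, tolerances and both sample traces are assumptions constructed for illustration.

```python
from itertools import groupby

def to_runs(samples):
    """Threshold brightness samples and collapse them into (state, length) runs."""
    if not samples:
        return []
    threshold = (min(samples) + max(samples)) / 2
    states = (int(s > threshold) for s in samples)
    return [(state, len(list(group))) for state, group in groupby(states)]

def fit(runs, bit_len, tolerance=0.2):
    """Fraction of runs whose length is near a whole multiple of bit_len."""
    ok = 0
    for _, n in runs:
        k = max(1, round(n / bit_len))
        ok += abs(n - k * bit_len) <= tolerance * bit_len
    return ok / len(runs)

def find_bit_period(samples, min_runs=8, min_fit=0.9):
    """Return the longest bit period (in samples) that explains the LED
    on/off runs, or None when the activity has no fixed clock."""
    interior = to_runs(samples)[1:-1]  # edge runs may be cut by the capture window
    if len(interior) < min_runs:
        return None
    fits = [b for b in range(2, 65) if fit(interior, b) >= min_fit]
    return max(fits, default=None)

def decode_ook(samples, bit_len):
    """Recover the bit string: ON = 1, OFF = 0, one bit per bit_len samples."""
    return "".join(str(state) * max(1, round(n / bit_len))
                   for state, n in to_runs(samples))

# Constructed sample 1: 24 bits keyed at 8 samples per bit, with brightness noise.
BITS = "101100111000101101001110"
keyed = [(200 if b == "1" else 20) + (i % 5) * 4
         for i, b in enumerate(bit for bit in BITS for _ in range(8))]

# Constructed sample 2: bursty disk I/O, run lengths (in samples) with no common clock.
BURSTS = [3, 17, 5, 41, 2, 9, 7, 23, 3, 30, 5, 11]
disk = [200 if i % 2 == 0 else 20 for i, n in enumerate(BURSTS) for _ in range(n)]

if __name__ == "__main__":
    for name, trace in (("keyed", keyed), ("disk", disk)):
        period = find_bit_period(trace)
        print(name, period, decode_ook(trace, period) if period else "no fixed clock")
```

Ordinary disk activity produces runs of irregular length, so a trace that locks onto a single bit period for a sustained window is what the monitor treats as worth investigating.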