> For our attacker model, we assume that an initial compromise has happened on the target device through the software supply-chain similar to the incidents at SolarWinds [8] and CodeCov [7]. For example, a regular update of the device’s firmware might unnoticeably add the necessary code for sending and receiving data through a built-in LED.
I mean, sure, if you have the ability to compromise the airgapped device by running code on it then you could presumably be doing a lot of things besides just leveraging potential LED line of sight.
The air-gap is specifically to prevent exfiltration of data. The air-gapped systems I have worked on had literally zero checking on software added to the system. But all the USB and media ports had super glue in them. An exploit that can't talk to the outside world is not terribly useful in the general case, although it's become lucrative with the rise of ransomware.
Stuxnet was reportedly a USB stick delivery, but this could be media speculation.
I am, however, interested in the low-volume high-frequency sound of "static" that appears over speakers _only_ if the volume is turned up to the max in an otherwise silent office. I've had this occur on one Netherlands-based website so far in the last few days, but did it come from the Netherlands-based website or was it already on my system waiting for activation when visiting websites without any obvious ties back to the US?
If you didn't have your speakers on max in a silent environment, only your mobile phone would pick it up, not you (if you have a mobile phone), so is this some sort of malware which can jump from one device to another like a self-contained virus of sorts, and is it bringing data back to base, a few bytes at a time over time?
It's a clever exploit because most people have their mobile on their desk, and if they don't have speakers some will be listening to music on their headphones so will never be alerted to the communication taking place within smartphone sound frequency ranges.
It's exploiting human behaviour and exploiting the abilities of smart phones, not your usual bit of malware.
I have also noticed Windows with all its security measures on max is able to control the bridging settings for network adaptors in VMware, which can then prevent a VMware version of Kali and Wireshark from working properly in promiscuous mode, making it harder to analyse network traffic on a machine.
It's been a few years for me. But at the time, write anything you want to bring in to DVD-R (write-once). Including system updates, documentation, open-source libs, etc.
Lots of systems rely on air gaps heavily, and then aren't too worried what the software on the machines is up to. For example, if you are running a nuclear power plant and need a printer, you probably aren't going to be hiring a team of printer firmware developers. You're just going to buy an off-the-shelf non-wifi printer, and use it offline.
Speaking with respect to non-nuclear builds, this is exactly how the military operates. USS and USNS vessels utilize off-the-shelf hardware for airgapped systems routinely, though USB device usage is strictly prohibited. In practice however, many unofficial semi-airgapped networks exist. Equipment may require specialized software that is not purchased, but licensed, and can only be operated by a service technician. The tech brings a preloaded laptop of questionable provenance and initiates a firmware/software update and reboot. Every company is vetted to some degree and employs background investigation; to what effect is hard to determine.
The operating part of the network for safety critical installation is shielded from the rest of the network by a physical diode. This printer can receive data but can’t send anything back.
> you probably aren't going to be hiring a team of printer firmware developers. You're just going to buy an off-the-shelf non-wifi printer, and use it offline.
In such a scenario, you're also probably never, ever going to be manually updating the printer's firmware.
Facts! But seriously, if we're talking about the realistic risks printers pose in most environments, it is not having data exfiltrated via LED signaling or other vanity supply chain injection attacks; the number one risk is by having staff not dispose of sensitive documents properly, whether it's leaving them out on their desk or just chucking them in the bin, or taking them home with them, etcetera.
Vanity attacks with branded names like this "Lasershark" sound sexy and appealing, because they invoke James Bond-style gadgetry and accompanying delusions of grandeur, but real life is decidedly more prosaic: someone is going to discover infinitely more intelligence while expending exponentially less time and energy by just good old fashioned dumpster diving than by designing and successfully implementing a novel airgap exfiltration methodology.
Agreed, this kind of thing always seems like a post-grad experiment to get grant money from the bureaucratic fear mongers. I had to sit through a symposium on quantum messaging with qubits via encrypted laser transmission. It was literally line-of-sight and required impossibly expensive field equipment....
I don’t think you have a realistic appreciation for what kind of resources are available to interested parties. I would think that the classic “Mossad or not Mossad” threat model might be a good starting point.
Air gapped networks and hardware are interesting to powerful organizations. Don’t underestimate the base for “impossibly expensive”
I’m not familiar with this for the iPod, but the Magic Lantern team has dumped firmware from Canon cameras by using an LED as a bit-banged serial interface.
But I don’t know how much of a realistic threat it poses, because in order to control GPIO LEDs the computer already needs to be pwned. Magic Lantern dumped firmware via LED because there wasn’t a known serial link or display driver or anything like that to make it easier.
But it’s a camera, and it’s not designed to be airtight air-gapped. Running arbitrary code is certainly discouraged, but to my knowledge Canon has never fought against consensual hacking of their cameras. (I say “consensual,” because there have been, say, Wi-Fi exploits found and patched, but that’s probably not the way a camera owner would try to get in.)
Anyway, this boils down to the definition of an air gap, because any input/output device is bridging it. A printer was mentioned, of course printing sensitive information is a bridge across the gap. And if the machine has GPIO LEDs then that’s a bridge, too. But what about a hidden camera pointing at the monitor? Frankly the monitor itself is a serious exfiltration risk across the air gap, no?
So as always in security, at some point we have to say “good enough,” and consider it as safe as can be.
Adding noise helps, but an attacker can trade bitrate for noise immunity.
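To put a number on "trade bitrate for noise immunity", here is an added simulation (not from this thread or the LaserShark paper): the receiver's GPIO sample is modelled as a +1/-1 signal plus Gaussian noise, and the sender repeats each bit R times while the receiver sums the R samples before deciding. The noise model, amplitudes and sample rate are constructed values for illustration; the point is how fast the error rate collapses as R grows, and that the only cost is throughput divided by R.

```c
/* Added example, not code from the thread or the paper.  Models repetition
 * coding over a noisy one-bit optical channel.  All values are constructed. */
#include <stdio.h>
#include <stdlib.h>

/* Approximate standard-normal sample (sum of 12 uniforms minus 6), so the
 * example needs no libm.  Deterministic for a given srand() seed. */
static double gauss(void) {
    double s = 0.0;
    for (int i = 0; i < 12; i++) s += rand() / ((double)RAND_MAX + 1.0);
    return s - 6.0;
}

/* Send n_bits random bits.  Each bit is transmitted as R samples of
 * amplitude +1 (bit 1) or -1 (bit 0); every sample is corrupted by noise
 * with standard deviation sigma, which is what a defender "adding noise"
 * controls.  The receiver sums the R samples and decides by sign.
 * Returns the measured bit error rate. */
double repetition_ber(int n_bits, int R, double sigma, unsigned seed) {
    srand(seed);
    int errors = 0;
    for (int i = 0; i < n_bits; i++) {
        int bit = (rand() >> 8) & 1;
        double tx = bit ? 1.0 : -1.0;
        double acc = 0.0;
        for (int r = 0; r < R; r++) acc += tx + sigma * gauss();
        int rx = acc > 0.0;
        if (rx != bit) errors++;
    }
    return (double)errors / n_bits;
}

/* The price the sender pays: R samples per bit means R times fewer bits
 * per second at a fixed raw sampling rate. */
double effective_bitrate(double raw_samples_per_s, int R) {
    return raw_samples_per_s / R;
}

int main(void) {
    const double sigma = 1.0;   /* noise std dev equal to the signal amplitude */
    const int reps[] = {1, 3, 9, 27};
    for (int i = 0; i < 4; i++) {
        printf("R=%2d  BER=%.4f  bitrate=%6.1f bit/s\n", reps[i],
               repetition_ber(20000, reps[i], sigma, 1),
               effective_bitrate(1000.0, reps[i]));
    }
    return 0;
}
```

With noise as large as the signal (sigma = 1.0), a single sample per bit is wrong roughly one time in six, but nine samples per bit bring the error rate down near a tenth of a percent and 27 samples make it effectively zero, at 1/27 of the raw bitrate. For a defender sizing a noise-injection countermeasure, the question is therefore not whether the channel gets noisy, but how many bytes per day can still cross it after the sender slows down.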
Probably the only way of keeping data secure would be to heavily insulate (noise, thermal, RF, power, etc) the room so that any signal would take weeks to pass through the insulation, and then rotate your key material more often than that. Opening the door would have to dump power to the room before the door can be opened so an attacker couldn't leak data out when people entered/left.
rotating the keys quicker than they can be exfiltrated, and expanded.
similar to the original reason password rotation exists - that the hashes of passwords to all users were known to all parties, and were assumed cracked after a certain timeframe - passwords were required to be changed before that cyclic window.
similarly, captcha's for high-sensitive sites embed the domain in the captcha, and only allow the captcha for a small timeframe. it then has a delay to show/fetch the captcha challenge, and must be completed/expires quickly. this reduces the chance of a MitM attack or a phishing attack to nil.
ultimately, if you want to prevent information leakage, you'll have to create a event horizon surrounding the secret. and even then, Hawking predicts that black holes sweat, so even then, your 2^^8^^8 key is still derivable from collecting and de-entrophizing the sweated muons of a photon-sphere.
*: unless you use reversible computing to generate the secret, then reverse the computation, but keep the result. this prevents people in the future from collecting information on current wave-states, barring entanglement.
measure the heat of the room via remote sensing, power consumption, AC/air frequency analysis.
If you can get access to the same AC power circuit, or something that's not too far upstream, you could also look at the power consumption directly by watching for very small voltage drops and/or phase shifts. Extra credit if you modulate the data to be exfiltrated with a Gold code or a similar sequence that facilitates recovery below the noise floor.
Bandwidth won't be great but it'll beat IP over HVAC.
> While LEDs are designed to emit light and can thus unnoticeably encode information through high-frequency flickering, their ability to also perceive light is largely unknown in the security community. In particular, by directing a laser on the LEDs of office devices, we induce a measurable current in the hardware that can be picked up by its firmware and used to receive incoming data.
They are firing a laser at an LED under the following assumptions.
1. They already have arbitrary code execution on the device but want to open a bidirectional communication channel.
2. It is possible to reprogram the GPIO port to function as an input (not always possible, since ports may be output only).
3. They can induce a large enough current through firing a laser at the LED to exceed the GPIO threshold voltage for said port.
4. They have a suitable line of sight to the LED, i.e. it is both facing them and not recessed, and there is no oblique or low-opacity window between them and the air-gapped asset.
5. They can get close enough to launch the attack.
It's neat but the characterisation of the sensing potential of LEDs as relatively unknown is laughable.
It's been known as far back as Forrest Mims' seminal books on circuits.
You would probably (not?) be surprised by the number of government buildings actively using classified data on computers that ignore the 2 major rules: (1) never have a monitor visible from outside of the building and (2) keep your window blinds closed. I spent a decade watching people actively ignore that rule.
Wouldn't be the first time someone's put ultra-sensitive equipment in a glass box so they could "show it off to all the executives who come through". :)
Lots of electronics in industrial environments (eg. ATEX ratings) in potentially explosive environments typically have this problem. But magnetic transfer is far lower data rate than this.
Behind pane-of-glass is not good enough, unfortunately. You typically have counter-measures in place to detect when someone is firing a laser at your exterior glass windows to exfiltrate data/IP. I assume it can/does happen.
> You typically have counter-measures in place to detect when someone is firing a laser at your exterior glass windows to exfiltrate data/IP. I assume it can/does happen.
It does, either in films or intelligence lore, but not for all intents and purposes, in regular life (regular life including corporate espionage). As for counter-measures: curtains.
Unless you were working for an intelligence agency, if your organization was sold TSCM against laser-based surveillance, then the organization was taken for a ride by the security contractor; you weren't also sold birds of prey to protect against UAS too, were you? (Yeah, that's a thing too [1]).
It's a bit like being sold flood protection insurance if your data warehouse is in the desert. In other words, it just doesn't happen realistically, and there are a million and one other much more practical technical surveillance counter measures to spend a likely very-limited security budget on.
This specific entity has suffered billions in losses due to IP theft in the past.
When your unit of accounting is such that six figures is a rounding error, they can afford it. And for good reason.
I wouldn't expect you to have knowledge of their operations. The only reason I do is because I was close with the head of security. But I will make sure to pass along your expert advice next time I'm there.
No reason to get weirdly defensive. The reality is that realistically no one in the corporate espionage sector uses lasers to either exfiltrate or infiltrate data, because there are a million easier ways to do so which aren't a nightmare to implement. There has been a very, very, very tiny amount of times lasers have been employed for state espionage, let alone corporate espionage.
That's a question that I can't accurately answer as I wasn't privileged with that info. I was aware of countermeasures in large part because I built the software that helped run the place.
Did all of the countermeasures help? Yes, probably quite often. Were they bullet-proof? Absolutely not, and the director of security would have told you so.
Flood insurance in the desert may be a bad example. There is a reason Arizona has the "stupid motorist" law and it has to do with soil dynamics in rain in the desert.
Sure, the analogy is imperfect, but the point is if you just spend a sizable chunk of your physec budget to guard against a virtually-unused attack vector, you now have that much less to spend to guard against much more common threats like a break-in.
I briefly skimmed the paper; it looks like they're using PWM but not at its full potential. I would use it also as a synchronization means, that is, the attacker points the LED/laser and receiver to the target LED, the attacker sends a signal like say a 10% modulated PWM, save for a 50% wide start bit which marks the start of the word being transmitted, then the bits are modulated like 10% for 1 and 20% for 0, or the other way around. Basically, the attacker talks 20% of each cycle, and listens for the remaining 80%.
The target led can be then read to detect those signals and sync itself to the signal received so that when replying it just modulates the led during the remaining time of each duty cycle. The attacker just by maintaining the link will receive both the echo of its transmission and the target's reply.
That's just an idea, however, I'm not implying I could be able to implement it effectively:).
“Tech workers: The only piece of technology in my house is a printer and I keep a gun next to it so I can shoot it if it makes a noise I don't recognize.”
Honestly I’m starting to operate under the assumption that anything can be hacked with enough focus and determination. Obscurity isn’t such a bad defense in the long run.
To this I respond with the only valuable threat matrix for an individual I've ever seen.
Threat: Ex-girlfriend/boyfriend breaking into your email account and publicly releasing your correspondence with the My Little Pony fan club
Solution: Strong Passwords
Threat: Organized criminals breaking into your email account and sending spam using your identity
Solution: Strong passwords + common sense (don’t click on unsolicited herbal Viagra ads that result in keyloggers and sorrow)
Threat: The Mossad doing Mossad things with your email account
Solution:
◆ Magical amulets?
◆ Fake your own death, move into a submarine?
◆ YOU’RE STILL GONNA BE MOSSAD’ED UPON
All credit to James Mickens for the above.
My point being that if someone is that committed to compromising your air gapped system they're going to find a way. Especially if they can just slip the janitor $10,000 to put a USB labelled "Barely Legal Gone Wild" into the machine while vacuuming.
> Especially if they can just slip the janitor $10,000 to put a USB labelled "Barely Legal Gone Wild" into the machine while vacuuming.
Part of Defensive Depth includes vetting and requiring the janitor who cleans the SCIF to themselves also hold a security clearance.
Your cited example is also why Counterintelligence is a thing. It's not enough to trust your processes; you also have to probe them.
When I was in the military I met a guy whose job was to pentest (among other things) nuclear weapons facilities and NORAD defense installations, specifically their computer equipment. He had some pretty wild stories; suffice it to say the ladder trick doesn't work when you are trying to access an ICBM solo.
> Part of Defensive Depth includes vetting and requiring the janitor who cleans the SCIF to themselves also hold a security clearance.
Sure, but no amount of vetting is going to be perfect. Maybe the vetting missed something, maybe some circumstance changed between now and the most recent re-up, maybe instead of $10k it's $10M, etc.
A better solution is to physically disable the USB ports.
Everyone will break. Even the janitor who passed clearance. Threaten his wife, see how long he cares about his clearance. When the government was trying to break me I was all macho, "I ain't saying shit", until the second they threatened to hurt my wife, then I was a little bitch who would have woofed and begged for treats had they asked.
There are security testers in DC with a good track record of getting into government buildings. "Who are you and what are you doing here?" "I've brought chocolate cake." "Oooo!!"
My old boss was very disturbed when we explained to him that our small business with one IT guy can't really defend against state-level actors who are intent on getting into our systems.
I wonder how hard it would be to make this dual use and have it working as a laser microphone that can detect the sound vibrations on materials like glass windows?
Suddenly non contact blackout blinds become useful even in a conservatory!
If you're going to try this at home, it is important to know that LEDs work as photodiodes only when the impinging light is of a higher energy than the photons the LED emits normally.
A given LED color below will only detect colors to the right of it:
Infrared < Red < Orange < Yellow < Green < Blue < Ultraviolet
Back in the 1990s I breadboarded an alarm circuit that used a normal cheap bicolor LED as both transmitter and receiver, feeding some BiFET op amps. I could detect a bicycle reflector to about 6 feet.
> While LEDs are designed to emit light and can thus unnoticeably encode information through high-frequency flickering, their ability to also perceive light is largely unknown in the security community. In particular, by directing a laser on the LEDs of office devices, we induce a measurable current in the hardware that can be picked up by its firmware and used to receive incoming data.
I'd guess that means that going forward security conscious people will be putting tape or covers over not only their cameras but also over their LEDs.
In high security settings the buildings have no windows or have fake windows to keep external laser signals out so that's not new. That's been true since about the time someone figured out you can reconstruct audio from the doppler of a laser reflected off windows.
> or at least line of sight to the machine for this?
Correct, and not just line of sight, but static line of sight. The potential scenario here is something like if there is a desk phone on someone's desk visible from the window that you want to monitor (and you also manage to successfully install custom firmware on the phone).
Hmm I was under the impression that this attack was for spying on airgapped systems. I have never heard of an airgapped phone, unless it’s just for internal purposes.
The idea would be to covertly compromise an air-gapped system and exfiltrate data from it over time while it remains in use. Maybe you've compromised it before it has any useful data, or maybe you want remote control of an agent like Stuxnet, so that you can launch an attack at the time of your choosing.
IIRC the Apple Newtons used a thermocouple integrated into the LCD to help keep the contrast adjusted to the user-set level as the temperature of the device changed. There was at least one application that would read the current contrast setting of the screen and infer the temperature. I don't remember it being super accurate but it worked.
The Newtons had grayscale LCDs with manually adjusted contrast. The MP130 and later also had an electro-luminescent backlight but it was not always active. So the user contrast setting was very important to maintain for screen visibility.
The display processor would have to have some way to turn off the backlight LEDs and then sense the voltage generated by the laser. It is unlikely that the signal would be able to get back through whatever power device controlled the backlight power to get to a processor pin. The rest of the LED strings would probably load the signal down.
You wouldn't need to turn the backlight off, but yes, you'd need to do complicated processing on the display CPU which is already at its limit doing screen ops.
In practice the backlight would be off because the input/output pin on the controller would need to be switched to the input mode from the output mode. If the backlight was driven, that drive current would swamp out the current induced by the LED(s). See Appendix E [1]. This attack only works in very specific circumstances.
It would be possible to measure it while on with the right hardware. It's unlikely, yes, but chips are moving to more generality and it is kind of reasonable that we would see such overdesigned chips at some point (analog + high density IO for screen in same reusable package).
Really unlikely. What's realistically possible though is to turn speakers into microphones through firmware or software, depending on your audio card. You're welcome for having yet another thing to be paranoid about.
A telescope looking through a proper window at nighttime could be enough. Some LEDs are powerful enough to illuminate a large chunk of an otherwise dark room.
I think it's common to have multiple systems on different airgapped networks in the same room. So if one of the networks were compromised this could let you pivot to another network. Or if they're both compromised it would give a way to exfil from one to the other.
This is what I am wondering. This attack has been known for quite a while.
That being said it might be enough just to compromise ANY system within the air gapped network - and then escalate from there. Data could still be routed through the computer with line of sight (although now we are talking about an increasingly sophisticated automated hack).
> In the SCIFs I have been in, if there even are windows, the blinds remain drawn at all times.
Windows are discouraged in SCIF construction, though not outright against spec. Aside from visual controls like blinds/curtains, IR/RF controls like RF film over the glass panes are also mandatory.
There goes my office windows.
Next up: how thermal control systems can be exploited to enhance band-gap transition probability to covertly cause bit-flips in air-gapped facilities. Vacuum it is.
Why not just use the fan as a speaker and modulate fan noise? Is that too slow? The response time on the LED to get a clear one or zero would be pretty slow too.
There are some pretty simple hardware mitigations that would render this and similar attacks nearly impossible and they only add pennies to the design.
This does not help with the initial compromise, but they demonstrate that with a software-only change, you can use existing LEDs as receivers in addition to senders!
One caveat to note is the LED needs to be connected to a GPIO port that the software can control.
That leads to the obvious question for high-value systems that may be targeted - presumably fixed systems not laptops/notebooks/tablets - are the activity/power LEDs commonly connected via software-controlled GPIOs or mostly part of the electronic circuit only ?
They are usually connected to software controlled GPIOs, or at least should be assumed to be connected to them. What is not normal (for now) is analog peripherals hanging off of arbitrary pins or even being on the chip.
Looks like it's all doable digitally.
For a lot of chips changing the purpose of a pin may not be possible unless you are a nation state and have all of the design info on an ASIC.
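The thread above (the GPIO-must-be-an-input point, and the question of whether LED pins are software-controlled at all) suggests a cheap firmware-side countermeasure that fits the "pennies to the design" remark: latch the LED pins as outputs at boot so that nothing loaded later can flip them to input mode, and audit the direction registers at runtime so any drift is logged. The following is an added example, not code from the thread or the paper. It models a GPIO port with a direction register and a configuration-lock register in the style of the STM32 GPIOx_LCKR lock (the field layout, the LCKK key bit and the "locked until reset" behaviour are assumptions of this model; check the reference manual of the part you actually use, since many chips have no such lock and some cannot reconfigure the pin at all).

```c
/* Added example, not from the thread or the paper.  Simulated GPIO port with
 * a boot-time configuration lock and a runtime direction audit.  Register
 * layout is an assumption modelled loosely on STM32 GPIOx_LCKR. */
#include <stdint.h>
#include <stdio.h>

#define LCKK (1u << 16)   /* lock-active key bit; bits 0..15 are the locked-pin mask */

typedef struct {
    uint16_t dir;   /* bit n set: pin n is an output (drives the LED) */
    uint32_t lckr;  /* configuration-lock register, frozen until reset once LCKK is set */
} gpio_port_t;

/* Boot-time lock of the pins in mask.  After LCKK is set, those pins'
 * configuration is read-only until the next reset.  Returns 1 if the lock
 * engaged, 0 if a lock was already active (it cannot be widened or narrowed). */
int gpio_lock(gpio_port_t *p, uint16_t mask) {
    if (p->lckr & LCKK) return 0;
    p->lckr = LCKK | mask;
    return 1;
}

/* Set a pin's direction.  Returns 1 on success, 0 if the pin is locked.  Real
 * hardware just drops the write; the model reports it so it can be logged. */
int gpio_set_dir(gpio_port_t *p, unsigned pin, int output) {
    uint16_t bit = (uint16_t)(1u << pin);
    if ((p->lckr & LCKK) && (p->lckr & bit)) return 0;
    if (output) p->dir |= bit;
    else        p->dir &= (uint16_t)~bit;
    return 1;
}

/* Runtime audit: return the subset of led_mask whose pins are no longer
 * outputs.  Non-zero means an LED pin was switched to input mode after boot,
 * the configuration a laser-to-LED receiver would need.  Worth logging even
 * on parts that do have a hardware lock. */
uint16_t gpio_audit_leds(const gpio_port_t *p, uint16_t led_mask) {
    return (uint16_t)(led_mask & ~p->dir);
}

/* Constructed scenario: boot sets LED pins 5 and 6 as outputs (optionally
 * locking them); a later firmware stage tries to make pin 5 an input.
 * Returns the audit result after that attempt. */
uint16_t scenario(int use_hw_lock) {
    gpio_port_t port = {0, 0};
    const uint16_t leds = (uint16_t)((1u << 5) | (1u << 6));
    gpio_set_dir(&port, 5, 1);
    gpio_set_dir(&port, 6, 1);
    if (use_hw_lock) gpio_lock(&port, leds);

    /* later stage, e.g. an update of questionable provenance */
    int ok = gpio_set_dir(&port, 5, 0);
    if (!ok) printf("reconfiguration of pin 5 rejected by lock\n");

    return gpio_audit_leds(&port, leds);
}

int main(void) {
    printf("without lock: drifted LED pins = 0x%04x\n", scenario(0));
    printf("with lock:    drifted LED pins = 0x%04x\n", scenario(1));
    return 0;
}
```

Without the lock the audit reports pin 5 (0x0020) as drifted, which is the signal a firmware self-check should raise; with the lock the write is refused and the audit stays clean. Neither step helps against the initial compromise, and neither applies where the LED is driven by a plain transistor off a power rail rather than a GPIO, but on the common case the thread describes (LED on a software-controlled pin) it removes the input-mode step the receiver depends on.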
The pre-print goes over the infiltration process - basically you shoot a laser at an LED on the air-gapped system, it induces a current, and you measure that current.