Stealing Data From Air-Gapped Systems
July 12, 2019
ZD Net – The Caps Lock, Num Lock, and Scroll Lock LEDs on a keyboard can be used to exfiltrate data from a secure air-gapped system (computers that are not networked or connected to the internet), researchers from Ben-Gurion University have proved.
The attack, which they named CTRL-ALT-LED, is nothing that regular users should worry about but is a danger for highly secure environments such as government networks that store top-secret documents or enterprise networks dedicated to storing non-public proprietary information.
The attack requires some prerequisites, such as the malicious actor finding a way to infect an air-gapped system with malware beforehand. CTRL-ALT-LED is only an exfiltration method.
But once these prerequisites are met, the malware running on a system can make the LEDs of a USB-connected keyboard blink at rapid speeds, using a custom transmission protocol and a modulation scheme to encode the transmitted data.
A nearby attacker can record these tiny light flickers, which they can decode at a later point, using the same modulation scheme used to encode it.
The research team behind this exfiltration method says it tested the CTRL-ALT-LED technique with various optical capturing devices, such as a smartphone camera, a smartwatch’s camera, security cameras, extreme sports cameras, and even high-grade optical/light sensors.
Some attacks require an “evil maid” scenario, where the attacker needs to be physically present to record the LED flickers—either using his smartphone or smartwatch.
However, other scenarios are more doable, with the attacker taking over CCTV surveillance systems that have a line of sight on the keyboard LEDs.
Keyboard LED transmissions can also be scheduled at certain intervals of the day when users aren’t around. This also makes it easier for attackers to sync recordings or place optical recorders or cameras near air-gapped targets only at the time they know the LEDs will be transmitting stolen info.