LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED

In this paper we present a method that allows attackers to covertly leak data from isolated, air-gapped computers. Our method utilizes the hard disk drive (HDD) activity LED which exists in most of today’s desktop PCs, laptops, and servers. We show that malware can indirectly control the HDD LED, turning it on and off rapidly (up to 5800 blinks per second) – a rate that exceeds the visual perception capabilities of humans. Sensitive information can be encoded and leaked over the LED signals, which can then be received remotely by different kinds of cameras and light sensors (Demonstration video: https://www.youtube.com/watch?v=4vIu8ld68fc). Compared to other LED methods, our method is unique because it is also covert: the HDD activity LED routinely flickers frequently, and therefore the user may not be suspicious of changes in its activity. We discuss attack scenarios and present the necessary technical background regarding the HDD LED and its hardware control. We also present various data modulation methods and describe the implementation of a user-level malware that doesn’t require a kernel component. During the evaluation, we examined the physical characteristics of different colored HDD LEDs (red, blue, and white) and tested different types of receivers: remote cameras, ‘extreme’ cameras, security cameras, smartphone cameras, drone cameras, and optical sensors. Finally, we discuss hardware and software countermeasures for such a threat. Our experiments show that sensitive data can successfully be leaked from air-gapped computers via the HDD LED at a maximum bit rate of 120 bit/s (bits per second) when a video camera is used as a receiver, and 4000 bit/s when a light sensor is used for the reception. Notably, the maximal speed is 10 times faster than the existing optical covert channels for air-gapped computers. These rates allow rapid exfiltration of encryption keys, keystroke logging, and text and binary files.
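The channel model behind the bit rates quoted above, as an added simulation that is not the paper's code: the LED is treated as an ideal on/off-keyed (OOK) light source driven by a bit stream, and the receiver as a sampler running at a fixed rate (the 240 Hz and 8000 Hz receiver rates below are assumptions chosen to illustrate why a camera's frame rate bounds the channel far below what a light sensor achieves). Nothing here drives disk I/O or a physical LED.

```python
# Added illustration of an OOK optical covert channel; not the paper's code.
# Transmitter is an abstract bit source, receiver an ideal intensity sampler.
from typing import List, Optional

def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit expansion of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def bits_to_bytes(bits: List[int]) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))

def _ceil_div(a: int, b: int) -> int:
    return -((-a) // b)

def led_samples(bits: List[int], bit_rate: int, sample_rate: int) -> List[float]:
    """LED as an ideal OOK source (bit 1 = on = 1.0, bit 0 = off = 0.0), as seen
    by a receiver sampling at sample_rate Hz; integer math keeps period edges exact."""
    n_samples = _ceil_div(len(bits) * sample_rate, bit_rate)
    return [1.0 if bits[(k * bit_rate) // sample_rate] else 0.0
            for k in range(n_samples)]

def demodulate(samples: List[float], bit_rate: int, sample_rate: int,
               threshold: float = 0.5) -> List[int]:
    """Decide each bit from the mean intensity over its bit period. Needs
    sample_rate >= bit_rate: slower receivers miss whole bit periods, which is
    why a camera's frame rate caps the rate well below a light sensor's."""
    if sample_rate < bit_rate:
        raise ValueError("receiver samples slower than the bit rate")
    n_bits = (len(samples) * bit_rate) // sample_rate
    bits = []
    for i in range(n_bits):
        start = _ceil_div(i * sample_rate, bit_rate)
        end = _ceil_div((i + 1) * sample_rate, bit_rate)
        chunk = samples[start:end]
        bits.append(1 if sum(chunk) / len(chunk) >= threshold else 0)
    return bits

def round_trip(payload: bytes, bit_rate: int, sample_rate: int) -> Optional[bytes]:
    """Send payload over the modelled LED and decode it; None if the receiver is too slow."""
    if sample_rate < bit_rate:
        return None
    samples = led_samples(bytes_to_bits(payload), bit_rate, sample_rate)
    return bits_to_bytes(demodulate(samples, bit_rate, sample_rate))

def leak_seconds(n_bytes: int, bit_rate: int) -> float:
    """Seconds needed to leak n_bytes at bit_rate, e.g. a 32-byte key at 120 bit/s."""
    return n_bytes * 8 / bit_rate
```

At the paper's camera rate a 32-byte key takes about 2.1 s to leak and at the sensor rate about 0.06 s; the `None` path shows the same 4000 bit/s stream being unrecoverable by a 240 Hz receiver.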
