Malware steals data by using a drone to watch the LED blink on computer

Just like something out of a spy movie, researchers have developed malware that transmits data by blinking an LED on the computer, with the data captured by a drone’s video camera.

The drone’s camera is trained on the blinking hard drive activity LED of a desktop computer. This is surprising because most people expect that light to be active all the time, so its blinking is easily ignored. Yet the threat is real and could matter in the future: a steady stream of blinks can carry information much as someone winking out a message in Morse code, forming an optical stream that a trained drone camera can read while watching the light through a glass window.

Yes, there is a working malware-drone system, and a video of it performing the feat. A group of researchers at Ben-Gurion’s cybersecurity lab has devised a method to defeat the security protection known as an “air gap,” the safeguard of separating highly sensitive computer systems from the internet to quarantine them from hackers. The infiltration step needs someone with physical access, possibly an insider, to attach a USB flash drive or some other storage media and infect the computer. Although it is a proof of concept, once the machine is infected, its hard drive LED indicator can secretly transmit data to a spy who has a line of sight to the LED. The researchers say it also works with a telescopic lens from afar.

Until now, an air gap seemed an impenetrable defense, but this result tops everything before it. The assumption has been that hackers cannot compromise a computer that is not connected to the internet or to other internet-connected machines, commonly called a stand-alone computer.

The idea that a stand-alone system is impenetrable has already been debunked. Malware like Stuxnet and the Agent.btz worm infected American military systems a decade ago.

Motivated hackers are not hindered by a stand-alone system; if anything, it makes them more curious and craftier until they devise a way in. It has not stopped them from trying to deliver a payload to reach ultra-secret systems.

They simply wait. Even isolated systems need code updates and new data; that is a given. Once the time is right and the conditions are met, each such update opens the system to an attacker with physical access.

Once a stand-alone system is compromised, attackers find ingenious ways to extract data without an internet connection, from electromagnetic emanations to acoustic and heat signaling techniques, many of them developed by the same Ben-Gurion researchers who came up with the new LED-spying trick.

This method of exploiting the computer’s LED indicator is potentially stealthier and harder to notice, and it could also be a higher-bandwidth, longer-distance transmission mechanism. For a start, the malware can use Morse code or a Morse-like pattern and can theoretically move data as fast as 4,000 bits per second. That may not sound fast, but it is fast enough to relay stolen data such as passwords and encryption keys. The attacker can also record the blinking pattern and decode it later, and the recording can be replayed several times to verify the integrity of the captured data.

The technique also isn’t as limited in range as other clever systems that transmit electromagnetic signals or ultrasonic noises from speakers or a computer’s fans. And compared to other optical techniques that use the computer’s screen or keyboard light to secretly transmit information, the hard-drive LED indicator—which blinks anytime a program accesses the hard drive—routinely flashes even when a computer is asleep. Any malware that merely gains the ability of a normal user, rather than deeper administrative privileges, can manipulate it. The team used a Linux computer for their testing, but the effects should be the same on a Windows device.

“The LED is always blinking as it’s doing searching and indexing, so no one suspects, even in the night,” says Guri. “It’s very covert, actually.”

The researchers found that when their program read less than 4 kilobytes from the computer’s storage at a time, they could cause the hard drive’s LED indicator to blink for less than a fifth of a millisecond. They then tried using those rapid fire blinks to send messages to a variety of cameras and light sensors from an “infected” computer using a binary system of data encoding known as “on-off-keying,” or OOK. They found that a typical smartphone camera can at most receive around 60 bits per second due to its lower frame rate, while a GoPro camera captured as much as 120 bits per second. A Siemens photodiode sensor was far better suited to their high-frequency light sensing needs, though, and allowed them to hit their 4,000 bits per second maximum transmission rate.

The transmission is almost undetectable to the human eye, which cannot pick up blinks that a light sensor resolves easily.

The malware authors can also vary how fast the LED blinks so that the transmission looks like ordinary disk activity to a human observer.

The good news, however, for anyone security-sensitive enough to worry about the researchers’ attack—and anyone who air gaps their computers may be just that sensitive—is that the Ben Gurion researchers point to clear countermeasures to block their hard drive LED exfiltration method. They suggest keeping air-gapped machines in secure rooms away from windows, or placing film over a building’s glass designed to mask light flashes. They also note that protective software on a target machine could randomly access the hard drive to create noise and jam any attempt to send a message from the computer’s LED.
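As an added example (not from the original article or from the Ben-Gurion researchers’ code), the following Python simulates the on-off keying described above and the random-disk-access jamming countermeasure purely in data, with no hardware access: the LED state is a list of 0/1 frame samples, the receiver frame rate caps the bit rate, and a constructed bit string stands in for the exfiltrated data.

```python
import random

def ook_encode(bits, samples_per_bit):
    """On-off keying: each '1' is an LED-on period, each '0' an LED-off period.
    Returns one 0/1 sample per receiver frame (samples_per_bit frames per bit)."""
    return [int(b) for b in bits for _ in range(samples_per_bit)]

def ook_decode(samples, samples_per_bit):
    """Receiver side: majority-vote the frames of each bit period back to a bit."""
    bits = []
    for i in range(0, len(samples) - samples_per_bit + 1, samples_per_bit):
        period = samples[i:i + samples_per_bit]
        bits.append("1" if 2 * sum(period) > len(period) else "0")
    return "".join(bits)

def max_bitrate(frame_rate, samples_per_bit):
    """The receiver's frame rate caps the bit rate: a 60 fps phone camera can
    observe at most 60 LED states per second, a 120 fps camera 120."""
    return frame_rate // samples_per_bit

def jam(samples, duty, rng):
    """The article's jamming countermeasure: a defender process reads the disk at
    random times, so the LED is also on with probability `duty` at every frame.
    Noise is OR-ed because the LED lights for any disk access, covert or not."""
    return [s | int(rng.random() < duty) for s in samples]

def bit_error_rate(sent, received):
    """Fraction of bit positions where the decoded bit differs from the sent one."""
    n = min(len(sent), len(received))
    if n == 0:
        return 0.0
    return sum(a != b for a, b in zip(sent[:n], received[:n])) / n

def simulate(message_bits, samples_per_bit=5, jam_duty=0.0, seed=0):
    """Constructed end-to-end run: encode, optionally jam, decode, report errors."""
    rng = random.Random(seed)
    samples = ook_encode(message_bits, samples_per_bit)
    observed = jam(samples, jam_duty, rng) if jam_duty > 0 else samples
    decoded = ook_decode(observed, samples_per_bit)
    return decoded, bit_error_rate(message_bits, decoded)

if __name__ == "__main__":
    # Constructed sample payload: 32 bits standing in for a stolen key fragment.
    payload = "10110010" * 4
    print("60 fps phone, 1 frame per bit:", max_bitrate(60, 1), "bit/s")
    print("clean channel:", simulate(payload))
    print("jammed (80% duty):", simulate(payload, jam_duty=0.8))
```

With jamming switched off the payload decodes perfectly; with the defender’s random reads active, the zero bits are drowned out and the decoded bit error rate rises sharply.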

But the simplest countermeasure by far is simply to cover the computer’s LED itself. Once, a piece of tape over a laptop’s webcam was a sign of paranoia. Soon, a piece of tape obscuring a computer’s hard drive LED may be the real hallmark of someone who imagines a spy drone at every window.

Check the video below showing proof of concept execution:
