Boffins exfiltrate data by blinking hard drives' LEDs

That roll of tape you use to cover the Webcam? Better use some of it on your hard-drive LED, because it can be a data exfiltration vector. Exfiltration experts from Ben-Gurion University of the Negev's Cyber Security Research Center have added to previous techniques like fan modulation, GSM transmissions, or listening to the …

  1. LaeMing

    An Arduino usb beetle brightly flashing "F**K OFF" might be another solution.

    http://www.dx.com/p/cjmcu-beetle-leonardo-usb-atmega32u4-mini-development-board-for-arduino-black-384544

  2. Sandtitz

    What next?

    'Micro changes in air density', developed by someone named Ash.

    1. Sampler

      Re: What next?

      In that scenario I hear the only fix is to nuke it from orbit, it's the only way to be sure...

  3. Phil Kingston

    Surely there are easier ways to get a grant for the drone they coveted?

  4. scrubber

    Security

    My airgapped computer now also has to be lightgapped?

    Stealing NSA secrets is becoming more hassle than it's worth.

    1. Loud Speaker

      Paranoid much?

      It's a terabyte drive, and the bit rate is one per second.

      I leave it as an exercise to the reader to compute how long the dump will take.

  5. Anonymous Coward

    If malware had a way IN to the PC via your network..

    ...then there is a way OUT for any data it collects.

    Malware via email & web site are perfect channels to use to get the data back out.

    1. Sampler

      Re: If malware had a way IN to the PC via your network..

      But if it had a way in from being a USB drive left in the car park labelled "dave's porn stash", this is one feasible exit strategy.

    2. Anonymous Coward

      Re: If malware had a way IN to the PC via your network..

      Well, not necessarily. I work in offices where the network shuts down at 7PM: all ports go inactive to prevent anyone gaining access to PCs or servers, and I suppose to prevent anything phoning home when it might not be noticed.

  6. jake

    Unfortunately for the "researchers" ...

    ... if you can run code that guarantees a HDD LED blinking in exactly the pattern required to use it as a signal, you have root access to the hardware already, thus making umpteen other ways of stealing the data available to you.

    In this scenario, das blinkinlites is just flash; the real hack is getting root in the first place.

    1. diodesign (Written by Reg staff)

      Re: Root access

      It's not always about root access. You might be able to game the OS to blink the light when you want as a user-mode process. But anyway, it's not about that. It's about getting information out of an infected air-gapped system. In theory. It's literally an academic exercise ;)

      C.

      1. jake

        Re: Root access

        "You might be able to game the OS"

        No guarantee in a "might". Pointless exercise. If you're compromising a system that absolutely, positively has to be overnight compromised, and you are likely only going to have one shot at code delivery, the phrase "Well, Boss, I might be able to ..." had probably better not be uttered.

        Hell, in that scenario, turning four pixels on and off in opposite corners of the screen while your fictitious drone videos them from a handy window would be more likely to go unnoticed than a HDD thrashing for no apparent reason. With better bandwidth, I might add. LOTS more bandwidth if you make it a single pixel using one of 8 different colo(u)rs. Or 4 pixels, each using one of 16 different colo(u)rs ... Or simply dump the data to the same thumbdrive that compromised the system in the first place, giving the forensics dude/tte a handy case of Occam's Proscenium (to coin a phrase). "Look, Boss, they exited stage right without lifting the curtain! Sic 'em!"

        1. Anonymous Coward

          Re: Root access

          Flashing pixels can't be relied on if users shut down LCD monitors 'to save energy' as they're still exhorted to in many public sector offices. Oddly they're allowed to lock their PCs and leave them running though.

          1. My other car is an IAV Stryker

            Re: Root access

            "Oddly they're allowed to lock their PCs and leave them running though."

            It's often requested by IT so we (l)users get our patches overnight.

        2. Adam 1

          Re: Root access

          > your fictitious drone videos them from a handy window would more likely to go unnoticed than a HDD thrashing for no apparent reason

          Nonsense. It's simple to mask. Simply call the executable svchost.exe and no-one will bat an eyelid when it randomly consumes all the system resources.

          You are treating this attack vector as if it is a fairy tale, but remember Stuxnet was a weapon that accidentally got out, but it was designed to take out Iran's nuclear enrichment capabilities on air-gapped systems. It is not beyond comprehension to imagine a machine that is not air-gapped but is firewalled off. Sometimes the observer just needs a private key so they can MitM on the legitimate channel without detection. This sort of bandwidth could send out a private key sub-second with no packets apparently leaving the network.

        3. Martin an gof

          Re: Root access

          Hell, in that scenario, turning four pixels on and off in opposite corners of the screen...

          How about flashing the keyboard LEDs?

          M.

      2. Dan 55

        Re: Root access

        How does the malware get on the airgapped machine in the first place?

        If it's sending someone in there to plug in a USB memory stick, you might as well copy off what you want anyway.

        If USB is disabled and there's a compiler, you'll have to enter and compile your malware at the keyboard, in which case you might as well snap photos of the data you want on the screen.

        If you want to do it just because it's cool, furtle the PC speaker to output the sound as a Spectrum tape saving noise so it's cooler still and get more bandwidth while you're at it.

  7. Doctor_Wibble

    For the slow cameras...

    You might be able to get data at a faster rate if you set the aperture to a minimum and the exposure to maximum - it's a light you are taking pictures of, remember - and have the camera on something that moves, so you end up with a bar code of sorts.

    The camera would need to be mounted on something that can go up and down a bit with a moving-along type of movement, but presumably not rolling or spinning.

    1. Sampler

      Re: For the slow cameras...

      You're recording on or off, so you want the exposure to be at a minimum, the most images the camera can do in a second, such as the sixty of a mobile phone mentioned in the article.

      Long exposure and panning to create "bar-code patterns" of off and on would increase delay, because you'd have to have a start and end marker, because you wouldn't know if your beginning and ending marks were offs, and there'd be no way to sync with the recording device in the first place so it knows to start panning with the start marker and stop, then take the next picture with the end marker.

      Plus delay in between start and end to reposition for the next pan (though, I suppose you could pan back, there's still a shutter/process wait between strings).

      1. Doctor_Wibble

        Re: For the slow cameras...

        Then stick it on the end of a *really* fast vibrator and use a suitably robust stream encoding and crank the transmission speed up to the limit of legibility. The question is whether 60 masses of lots of bits but with errors is better or worse than 60 guaranteed-correct single bits.

        They don't have to be synchronised with the camera, like when hearing morse code tapping on the pipe from the basement - you can easily pick it up after a letter or two, e.g. '... yoghurt too deep no snorkel handcuffs too heavy' etc.

        1. Anonymous Coward

          Re: For the slow cameras...

          Doctor, you are an evil genius. You get an upper for mentioning vibrator in a serious manner, AND this might work as you can use the frequency of the vibrations as the carrier for the signal perturbations. It's so crazy, it just might work! Cue the A-Team Theme Song!

  8. Frank Bitterlich

    I don't buy it (yet)...

    Well, so they've published this little script that can convert data into HDD access and thus say that it can be used to exfiltrate data. Not exactly rocket science; you could probably do that with 3 lines of C code.

    First of all, if you can access the disk in a certain pattern, that doesn't mean that the HDD light will actually reflect that access 1:1 - there's a lot of other stuff going on at any given time, so the actual output you get will contain a lot of noise - most of the time the noise will probably completely cancel out your data.

    And then I could probably think about a dozen more ways to do this with more reliability (although they may require a deeper level of access than this example). They would include: using the Caps Lock light; subtle changes in screen brightness; or screen gamma; screen steganography (using a row of pixels along one edge of the screen); sound output (very low/high frequencies); diskette drive "music"... you name it.

    So - good that somebody is doing this research; but you won't see me rushing to the hardware store for a roll of masking tape anytime soon.
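Two points in this thread lend themselves to a worked model: Sampler's and Doctor_Wibble's exchange about start/end markers and a receiver that is never synchronised with the transmitter, and Frank Bitterlich's objection that unrelated disk activity adds noise to the LED. The script below is an added illustration, not the researchers' tool or anything from the article; every parameter in it is an assumption: a 60 fps camera, a 10 bit/s channel (so each bit is held for 6 frames), an 0xAA preamble, a one-byte length field and an XOR checksum. The channel model is constructed, with a periodic background write that lights the LED every fifth frame, which captures the one thing that matters about disk noise: it can add an "on" frame but never remove one. The receiver scans the whole recording for the best preamble alignment and then takes a majority vote over each bit period, which is what lets it cope with both the unknown start time and the added noise; a naive one-frame-per-bit receiver is included to show how it misreads the length byte under the same noise.

```python
"""Frame-level model of an LED blink channel: framing, an unsynchronised
receiver, and the effect of unrelated disk activity on the LED.

Added example, not the researchers' code. Everything here is assumed for
the illustration: 60 fps camera, 10 bit/s channel (6 frames per bit),
0xAA preamble, one-byte length field, one-byte XOR checksum."""

FRAMES_PER_BIT = 6                    # assumed: 60 fps camera, 10 bit/s
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]   # assumed sync pattern (0xAA)


def bits_of(data: bytes) -> list:
    """MSB-first bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bytes_of(bits: list) -> bytes:
    """Inverse of bits_of; an incomplete trailing byte is dropped."""
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits) - 7, 8))


def xor_checksum(data: bytes) -> int:
    result = 0
    for b in data:
        result ^= b
    return result


def encode(payload: bytes) -> list:
    """Transmitter: one LED state (1 = on) per camera frame for
    preamble | length | payload | checksum, each bit held for a full period."""
    if not 1 <= len(payload) <= 255:
        raise ValueError("payload must be 1..255 bytes")
    frame = bytes([len(payload)]) + payload + bytes([xor_checksum(payload)])
    return [bit for bit in PREAMBLE + bits_of(frame)
            for _ in range(FRAMES_PER_BIT)]


def channel(led: list, idle_frames: int = 13, noise_period: int = 5) -> list:
    """Constructed channel model (not measured data): the recording starts
    idle_frames before the transmitter does, and an unrelated periodic disk
    write lights the LED every noise_period frames. Background activity can
    only add an 'on' frame, never hide one."""
    frames = [0] * idle_frames + led + [0] * idle_frames
    return [1 if i % noise_period == 0 else f for i, f in enumerate(frames)]


def window(frames: list, start: int, i: int) -> list:
    """Frames belonging to bit i of a transmission that starts at `start`."""
    return frames[start + i * FRAMES_PER_BIT:start + (i + 1) * FRAMES_PER_BIT]


def majority_bits(frames: list, start: int, nbits: int) -> list:
    """Receiver: a bit is 1 if more than half of its frames show the LED on."""
    return [1 if 2 * sum(window(frames, start, i)) > FRAMES_PER_BIT else 0
            for i in range(nbits)]


def single_sample_bits(frames: list, start: int, nbits: int) -> list:
    """Naive receiver that looks at one frame per bit period; a single
    unrelated disk write landing on that frame turns a 0 into a 1."""
    mid = FRAMES_PER_BIT // 2
    return [frames[start + i * FRAMES_PER_BIT + mid] for i in range(nbits)]


def preamble_score(frames: list, start: int) -> int:
    """Number of frames that disagree with the preamble if the transmission
    started at `start` (0 = perfect alignment and no noise)."""
    return sum((FRAMES_PER_BIT - sum(window(frames, start, i))) if bit
               else sum(window(frames, start, i))
               for i, bit in enumerate(PREAMBLE))


def decode(frames: list):
    """Locate the transmission in a recording of LED states with no prior
    synchronisation; return the payload, or None if nothing decodes cleanly."""
    header_bits = len(PREAMBLE) + 8
    if len(frames) < header_bits * FRAMES_PER_BIT:
        return None
    candidates = range(len(frames) - header_bits * FRAMES_PER_BIT + 1)
    start = min(candidates, key=lambda s: preamble_score(frames, s))
    data = start + len(PREAMBLE) * FRAMES_PER_BIT
    length = bytes_of(majority_bits(frames, data, 8))[0]
    body_bits = 8 * (length + 1)                 # payload + checksum
    if length == 0 or data + (8 + body_bits) * FRAMES_PER_BIT > len(frames):
        return None
    body = bytes_of(majority_bits(frames, data + 8 * FRAMES_PER_BIT, body_bits))
    payload, checksum = body[:-1], body[-1]
    return payload if xor_checksum(payload) == checksum else None


if __name__ == "__main__":
    recording = channel(encode(b"secret"))
    naive_length = bytes_of(single_sample_bits(recording, 13 + 48, 8))[0]
    print("majority vote decodes:", decode(recording))
    print("single-sample receiver reads the length byte as", naive_length,
          "instead of 6")
```

The scoring step is the "start marker" from the discussion: the receiver does not need to know when the LED started signalling, it picks the frame offset that best matches the sync pattern. The checksum is what stops a misaligned or noise-corrupted guess from being reported as data. Raising `noise_period` to 2 (a busy disk) will defeat the majority vote as well, which is Frank Bitterlich's point about the light not reflecting the access pattern 1:1.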

  9. HAL-9000

    air gap

    One minor detail: a truly air-gapped system won't get infected with the malware unless assisted by something with Stuxnet-like capabilities, and/or lax protocols allowing the plugging in of USBs, or forgetting to disable all wireless comms at the driver level, etc. All the demos seem to presume the air-gapped system is infected in the first place; apparently the trivial bit is infecting such systems. Perhaps I'm missing something really obvious.

    1. Charles 9

      Re: air gap

      Yes, how do you get data in and out of an airgapped system in the first place, especially if the data is not of the type to be easily grokked by the Eyeball Mk I. Otherwise, you've got yourself the equivalent of the PC in the ground: sure, you can't infect it, but you can't USE it, either.

    2. Anonymous Coward

      Re: air gap

      A truly air-gapped system is pretty pointless as it is a blank drive with no OS or interaction. At some point you are going to install an OS, an application, and probably data. At other points you may update said OS, application and/or data. Any of those points is when you pull off infection. So yeah, you're counting on lax protocols at some point. Also, what's one thing you do to a non-air-gapped computer when it becomes infected? Normally it is to disable networking so that you can stop the flow of information out.

  10. Anonymous Coward

    I'm thinking some clever optics and a GBIC might offer some possibilities...

    Of course that could be mitigated by changing the hard disk LEDs for blue ones or with a pair of wirecutters and removing them entirely.

    1. Anonymous Coward

      Spoilers:

      Any of the physical access hacking stunts are performed by droves of nanobots, who secretly entered the data centers piggybacking on the bread of the sandwiches that the admins bring in for lunch! They then set off reconfiguring the necessary components to pull off the data heist! Such methods used are:

      * rewiring LEDs to point to open spaces for nanodrones to capture with their nanocameras

      * splicing into fiber optic cables and secretly adding NSA style light splitters

      * disassembling unused hardware in the servers, like old floppy drives, and rewiring them MacGyver style so they can be used as a data transmitter, like when the Professor on Gilligan's Island rewired a consumer AM/FM radio into an Iridium Satellite Transceiver and handset. Good times!

      * self-assembling into tiny stick men and waving miniature signal flags at their data capture drones

      * and many many more

      Order today! Operators are standing by!

  11. Stevie

    Bah!

    Now they're just taking the piss, right?

  12. Ian 55

    Now I know

    Why the Tivo keeps spinning up its hard drive even when it's not 'on' and it's also not recording anything.
