xLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs

IEEE Trans.Inform.Forensic Secur.

Zadov

Bykhovsky

et al. 2020

Self Cite

In this paper we provide an implementation, evaluation, and analysis of PowerHammer, a malware (bridgeware [1]) that uses power lines to exfiltrate data from air-gapped computers. In this case, a malicious code running on a compromised computer can control the power consumption of the system by intentionally regulating the CPU utilization. Data is modulated, encoded, and transmitted on top of the current flow fluctuations, and then it is conducted and propagated through the power lines. This phenomena is known as a 'conducted emission'. We present two versions of the attack. Line level powerhammering: In this attack, the attacker taps the in-home power lines 1 that are directly attached to the electrical outlet. Phase level power-hammering: In this attack, the attacker taps the power lines at the phase level, in the main electrical service panel. In both versions of the attack, the attacker measures the emission conducted and then decodes the exfiltrated data. We describe the adversarial attack model and present modulations and encoding schemes along with a transmission protocol. We evaluate the covert channel in different scenarios and discuss signal-to-noise (SNR), signal processing, and forms of interference. We also present a set of defensive countermeasures. Our results show that binary data can be covertly exfiltrated from air-gapped computers through the power lines at bit rates of 1000 bit/sec for the line level power-hammering attack and 10 bit/sec for the phase level power-hammering attack. Power stationStep up transformerStep down transformerStep down transformer Residential building 22kV output 400 kV 132 kV 11 kV Fig. 1: A (simplified) schematic diagram of the electricity network C. Exfiltration through Power LinesIn this paper, we present a new type of electric (current flow) covert channel. The method, dubbed PowerHammer, enables attackers to exfiltrate information from air-gapped networks through AC power lines. We show that a malware running on a computer can regulate the power consumption of the system by controlling the workload of the CPU. Binary data can be modulated on the changes of the current flow, propagated through the power lines, and intercepted by an attacker. We present two versions of the attack. In line level power-hammering the adversary taps the power cables feeding the transmitting computer. In phase level power-hammering the adversary taps the power lines at the phase level, in the main electrical service panel. Using a non-invasive tap, the attacker measures the emission conducted on the power cables. Based on the signal received, the transmitted data is demodulated and decoded back to a binary form.

Section: Opticalmentioning

confidence: 99%

PowerHammer: Exfiltrating Data From Air-Gapped Computers Through Power Lines

IEEE Trans.Inform.Forensic Secur.

Zadov

Bykhovsky

et al. 2020

Self Cite

“…They showed that a malware can indirectly control the hard drive LED at a rate of 5800Hz which exceeds the visual perception capabilities of humans. In 2018, Guri et al demonstrated a malware which can leak data from air-gapped networks via switch and router LEDs [18]. Guri et al presented a covert channel for leaking data through air-gaps using IR (Infrared) light and security cameras [19].…”

Section: B Opticalmentioning

confidence: 99%

“…In this paper we also examine an optical sensor capable of sensing the light emitted from the keyboard LEDs. Such sensors are used extensively in VLC (visible light communication) and LED to LED communication [18]. Notably, optical sensors are capable of sampling LED signals at high rates, enabling data reception at a higher bandwidth than a typical video camera.…”

Section: B Receivermentioning

confidence: 99%

CTRL-ALT-LED: Leaking Data from Air-Gapped Computers Via Keyboard LEDs

2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC)

Zadov

Bykhovsky

et al. 2019

Self Cite

Using the keyboard LEDs to send data optically was proposed in 2002 by Loughry and Umphress [1] (Appendix A). In this paper we extensively explore this threat in the context of a modern cyber-attack with current hardware and optical equipment. In this type of attack, an advanced persistent threat (APT) uses the keyboard LEDs (Caps-Lock, Num-Lock and Scroll-Lock) to encode information and exfiltrate data from airgapped computers optically. Notably, this exfiltration channel is not monitored by existing data leakage prevention (DLP) systems. We examine this attack and its boundaries for today's keyboards with USB controllers and sensitive optical sensors. We also introduce smartphone and smartwatch cameras as components of malicious insider and 'evil maid' attacks. We provide the necessary scientific background on optical communication and the characteristics of modern USB keyboards at the hardware and software level, and present a transmission protocol and modulation schemes. We implement the exfiltration malware, discuss its design and implementation issues, and evaluate it with different types of keyboards. We also test various receivers, including light sensors, remote cameras, 'extreme' cameras, security cameras, and smartphone cameras. Our experiment shows that data can be leaked from air-gapped computers via the keyboard LEDs at a maximum bit rate of 3000 bit/sec per LED given a light sensor as a receiver, and more than 120 bit/sec if smartphones are used. The attack doesn't require any modification of the keyboard at hardware or firmware levels.

“…In 2017, Guri et al presented LED-it-GO, a covert channel that uses the hard drive indicator LED in order to exfiltrate data from air-gapped computers [32]. Guri et al also presented a method for data exfiltration from air-gapped networks via router and switch LEDs [30]. Data can also be leaked optically through fast blinking images or low contrast bitmaps projected on the LCD screen [21].…”

Section: Opticalmentioning

confidence: 99%

MOSQUITO: Covert Ultrasonic Transmissions Between Two Air-Gapped Computers Using Speaker-to-Speaker Communication

2018 IEEE Conference on Dependable and Secure Computing (DSC)

Solewicz

Elovici

2018

Self Cite

In this paper we show how two (or more) airgapped computers in the same room, equipped with passive speakers, headphones, or earphones can covertly exchange data via ultrasonic waves. Microphones are not required. Our method is based on the capability of a malware to exploit a specific audio chip feature in order to reverse the connected speakers from output devices into input devices -unobtrusively rendering them microphones [29]. We discuss the attack model and provide technical background and implementation details. We show that although the reversed speakers/headphones/earphones were not originally designed to perform as microphones, they still respond well to the near-ultrasonic range (18kHz to 24kHz). We evaluate the communication channel with different equipment, and at various distances and transmission speeds, and also discuss some practical considerations. Our results show that the speaker-tospeaker communication can be used to covertly transmit data between two air-gapped computers positioned a maximum of nine meters away from one another. Moreover, we show that two (microphone-less) headphones can exchange data from a distance of three meters apart. This enables 'headphones-to-headphones' covert communication, which is discussed for the first time in this paper.