xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs

Guri, Mordechai; Zadov, Boris; Daidakulov, Andrey; Elovici, Yuval

doi:10.48550/arxiv.1706.01140

Cited by 8 publications

(11 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Loughry and Umphress proposed using the PC keyboard LEDs (caps-lock, num-lock and scroll-lock) to modulate data [19]. In 2017, Guri et al presented a covert channel that uses the hard drive indicator LED [13] and router LEDs [20] in order to leak data from air-gapped computers and networks. VisiSploit [21] is another optical covert channel in which data is leaked through fast blinking images or low contrast bitmaps projected on the computer screen.…”

Section: Related Workmentioning

confidence: 99%

MAGNETO: Covert channel between air-gapped systems and nearby smartphones via CPU-generated magnetic fields

Guri

2021

Future Generation Computer Systems

Self Cite

View full text Add to dashboard Cite

Section: Related Workmentioning

confidence: 99%

MAGNETO: Covert channel between air-gapped systems and nearby smartphones via CPU-generated magnetic fields

Guri

2021

Future Generation Computer Systems

Self Cite

View full text Add to dashboard Cite

“…In 2002, Loughry and Umphress proposed a malicious code that exfiltrates data by blinking the Caps Lock, Num Lock, and Scroll Lock LEDs on the PC keyboard [29]. More recently, Guri et al presented a covert channel that uses the hard drive indicator LED [30] the router LEDs [31] in order to leak data from air-gapped computers and networks. VisiSploit [32] is another optical based covert channel in which data is leaked through fast blinking images or low contrast bitmaps projected on the computer screen.…”

Section: B Acoustic Optical and Thermalmentioning

confidence: 99%

“…Note that several APTs discovered in the last decade are capable of infecting air-gapped networks [40], e.g., Turla [41], RedOctober [42], and Fanny [43]. As a part of the targeted attack, the adversary may infiltrate BitWhisper [35] Optical Hard drive LED (LED-it-GO) [30] VisiSploit (invisible pixels) [32] Keyboard LEDs [30] Router LEDs [31] Infrared (IR) aIR-Jumper (security cameras & infrared) [34] Implanted infrared LEDs [33] the air-gapped networks using social engineering, supply chain attacks, or insiders. Receiver Implantation.…”

Section: Magneticmentioning

confidence: 99%

ODINI: Escaping Sensitive Data From Faraday-Caged, Air-Gapped Computers via Magnetic Fields

Guri

Zadov

Elovici

2020

IEEE Trans.Inform.Forensic Secur.

Self Cite

View full text Add to dashboard Cite

Air-gapped computers are computers which are kept isolated from the Internet, because they store and process sensitive information. When highly sensitive data is involved, an air-gapped computer might also be kept secluded in a Faraday cage. The Faraday cage prevents the leakage of electromagnetic signals emanating from various computer parts, which may be picked up by an eavesdropping adversary remotely. The air-gap separation, coupled with the Faraday shield, provides a high level of isolation, preventing the potential leakage of sensitive data from the system. In this paper, we show how attackers can bypass Faraday cages and air-gaps in order to leak data from highly secure computers. Our method is based on an exploitation of the magnetic field generated by the computer's CPU. Unlike electromagnetic radiation (EMR), low frequency magnetic radiation propagates though the air, penetrating metal shielding such as Faraday cages (e.g., compass still works inside Faraday cages). Since the CPU is an essential part of any computer, our covert channel is relevant to virtually any device with a CPU: desktop PCs, servers, laptops, embedded systems and Internet of Things (IoT) devices. We introduce a malware code-named 'ODINI' that can control the low frequency magnetic fields emitted from the infected computer by regulating the load of the CPU cores. Arbitrary data can be modulated and transmitted on top of the magnetic emission and received by a magnetic receiver ('bug') placed nearby. We provide technical background and examine the characteristics of the magnetic fields. We implement a malware prototype and discuss the design considerations along with the implementation details. We also show that the malicious code does not require special privileges (e.g., root) and can successfully operate from within isolated virtual machines (VMs) as well. We present signal generation, transmission algorithms, and discuss data encoding and modulation schemes. We analyze the covert channel and evaluate it on various types of computers. Finally, we propose different types of defensive countermeasures such as signal detection and signal jamming to cope with this type of threat.

show abstract

“…In 2017, Guri et al presented LED-it-GO, a covert channel that uses the hard drive indicator LED in order to exfiltrate data from air-gapped computers [32]. Guri et al also presented a method for data exfiltration from air-gapped networks via router and switch LEDs [30]. Data can also be leaked optically through fast blinking images or low contrast bitmaps projected on the LCD screen [21].…”

Section: Opticalmentioning

confidence: 99%

“…Thermal BitWhisper [26] (heat emission) Optical LED-it-GO [32] (hard drive LED) VisiSploit [21] (invisible pixels) Keyboard LEDs [37] Router LEDs [30] Optical (infrared) aIR-Jumper [19] (security cameras & infrared) which prevents passing any signal from output to input.…”

Section: E Acousticmentioning

confidence: 99%

MOSQUITO: Covert Ultrasonic Transmissions Between Two Air-Gapped Computers Using Speaker-to-Speaker Communication

Guri

Solewicz

Elovici

2018

2018 IEEE Conference on Dependable and Secure Computing (DSC)

Self Cite

View full text Add to dashboard Cite

In this paper we show how two (or more) airgapped computers in the same room, equipped with passive speakers, headphones, or earphones can covertly exchange data via ultrasonic waves. Microphones are not required. Our method is based on the capability of a malware to exploit a specific audio chip feature in order to reverse the connected speakers from output devices into input devices -unobtrusively rendering them microphones [29]. We discuss the attack model and provide technical background and implementation details. We show that although the reversed speakers/headphones/earphones were not originally designed to perform as microphones, they still respond well to the near-ultrasonic range (18kHz to 24kHz). We evaluate the communication channel with different equipment, and at various distances and transmission speeds, and also discuss some practical considerations. Our results show that the speaker-tospeaker communication can be used to covertly transmit data between two air-gapped computers positioned a maximum of nine meters away from one another. Moreover, we show that two (microphone-less) headphones can exchange data from a distance of three meters apart. This enables 'headphones-to-headphones' covert communication, which is discussed for the first time in this paper.

show abstract

xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs

Cited by 8 publications

References 0 publications

MAGNETO: Covert channel between air-gapped systems and nearby smartphones via CPU-generated magnetic fields

MAGNETO: Covert channel between air-gapped systems and nearby smartphones via CPU-generated magnetic fields

ODINI: Escaping Sensitive Data From Faraday-Caged, Air-Gapped Computers via Magnetic Fields

MOSQUITO: Covert Ultrasonic Transmissions Between Two Air-Gapped Computers Using Speaker-to-Speaker Communication

Contact Info

Product

Resources

About