Friday, March 17, 2017

Blinking LEDs May Comprise Air-Gapped Networks

According to a group of researchers from Ben-Gurion University of the Negev’s Cyber Security Research Center, lights—HDD LEDs to be specific—may pose a cybersecurity threat in the near future. DeepDotWeb explains, continually, the need for airtight security. Especially when using the darknet. However, “airtight” security with VPNs, Tor, or encrypted messaging apps on an air-gapped network would leave room for this LED exfiltration of data.

LED methods are not necessarily new to the sector. Various PoCs and implementations landed in research papers or demonstration videos. However, for many obvious reasons, such techniques remain impractical to the advanced attacker and impossible to an amateur one.
Mordechai Guri, Boris Zadov, Eran Atias, and Yuval Elovici—the researchers behind the project—explained that malware made the hard disk drive LED blink 5,800 times every second. The rate at which the LED blinks is far greater than the human eye can catch and even if the eye could, the brain would not know what to do with the visual input. 

Speed. Our measurements show that the HDD LED can be controlled and adjusted to operate at a relatively fast speed (over 4000Hz). Therefore, we were able to transmit messages at a faster speed than other LEDs methods were able to achieve. This rate allowed the exfiltration of an encryption key of 4096 bits in a matter of minutes (and even seconds), depending on the receiver

Visibility. When the HDD LED blinks for short period of time, humans may not be able to perceive its activity. Moreover, at high speeds (e.g., above 400Hz), the LED flickering is invisible to humans, making the channel more covert.

In alignment with modern studies, the ability to see—or not see—is viewable as a temporal phenomenon. “Objects appear to be continuously present over time. Yet the duration of external events are typically longer than that of a single sensory ‘sample’ such as a fixation,” one Stack Exchange [skeptics] user explained. 

In addition, the researchers explained, HDD LEDs routinely blink. If a victim caught a glimpse of a flash, he or she would likely not pay any attention to the blinking. Especially in an air-gapped network environment. Entities use the networks for complete network isolation. This generally means no connectivity to the rest of the organization or group’s network and especially no connectivity to the outside world. Military systems, critical infrastructure, and major banking corporations have often taken advantage of this type of networking. Perhaps the most memorable example is that of the Stuxnet worm.

Iran built an air-gapped network environment but an outside party created malware that needed no remote deployment. Once inside the air-gapped network— physical storage mediums—the malware propagated access the network and then “reportedly ruined almost one fifth of Iran’s nuclear centrifuges.” Years later, we still have no clue who executed the attack, officially. No country has taken credit for bringing down the nuclear program. However, both Israel and the United States fell under suspicion as the primary attached.

Guri, Zadov, Atias, and Elovici explained that manipulating the hard drive via LED proved quite simple, given the lack of proper API. Malware simply needs to execute code that allows the r+w process to trigger in a way that flashes the LEDs at the high rate. On the other end, the outside entity needs a device capable of picking up these signals. As you can see, the researchers demonstrated the procedure with a camera on a quadcopter. They mentioned GoPro cameras, along with several others, on the PDF papers.