Skip to main content

LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED

  • Conference paper
  • First Online:
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2017)

Abstract

In this paper we present a method that allows attackers to covertly leak data from isolated, air-gapped computers. Our method utilizes the hard disk drive (HDD) activity LED which exists in most of today’s desktop PCs, laptops, and servers. We show that a malware can indirectly control the HDD LED, turning it on and off rapidly (up to 5800 blinks per second) – a rate that exceeds the visual perception capabilities of humans. Sensitive information can be encoded and leaked over the LED signals, which can then be received remotely by different kinds of cameras and light sensors (Demonstration video: https://www.youtube.com/watch?v=4vIu8ld68fc). Compared to other LED methods, our method is unique, because it is also covert; the HDD activity LED routinely flickers frequently, and therefore the user may not be suspicious of changes in its activity. We discuss attack scenarios and present the necessary technical background regarding the HDD LED and its hardware control. We also present various data modulation methods and describe the implementation of a user-level malware that doesn’t require a kernel component. During the evaluation, we examined the physical characteristics of different colored HDD LEDs (red, blue, and white) and tested different types of receivers: remote cameras, ‘extreme’ cameras, security cameras, smartphone cameras, drone cameras, and optical sensors. Finally, we discuss hardware and software countermeasures for such a threat. Our experiment shows that sensitive data can successfully be leaked from air-gapped computers via the HDD LED at a maximum bit rate of 120 bit/s (bits per second) when a video camera is used as a receiver, and 4000 bit/s when a light sensor is used for the reception. Notably, the maximal speed is 10 times faster than the existing optical covert channels for air-gapped computers. These rates allow rapid exfiltration of encryption keys, keystroke logging, and text and binary files.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Federation of American Scientists. http://fas.org/irp/program/disseminate/jwics.htm

  2. MCAFEE. Defending Critical Infrastructure Without Air Gaps and Stopgap Security, 14 August 2015. https://blogs.mcafee.com/executive-perspectives/defending-critical-infrastructure-without-air-gaps-stopgap-security/

  3. Karnouskos, S.: Stuxnet worm impact on industrial cyber-physical system security. In: IECON 2011-37th Annual Conference on IEEE Industrial Electronics Society (2011)

    Google Scholar 

  4. SECURELIST, Agent.btz: a Source of Inspiration? 12 March 2014. https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/

  5. Knowlton, B.: Military Computer Attack Confirmed, 25 August 2010. http://www.nytimes.com/2010/08/26/technology/26cyber.html?_r=2&adxnnl=1&ref=technology&adxnnlx=1423562532-hJL+Kot1FP3OEURLF9hjDw

  6. Goodin, D., Group, K.E.: How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last. ars technica (2015)

    Google Scholar 

  7. ICS-CERT. Malware infections in the conrol environment (2012)

    Google Scholar 

  8. Stasiukonis, S.: Social-Engineering-the-USB-Way (2006). http://www.darkreading.com/attacks-breaches/social-engineering-the-usb-way/d/d-id/1128081?

  9. Mordechai, G., Kedma, G., Kachlon, A., Elovici, Y.: AirHopper: bridging the air-gap between isolated networks and mobile phones using radio frequencies. In: 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE), IEEE, 2014, pp. 58–67

    Google Scholar 

  10. Kuhn, M.G., Anderson, R.J.: Soft tempest: hidden data transmission using electromagnetic emanations. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, pp. 124–142. Springer, Heidelberg (1998). doi:10.1007/3-540-49380-8_10

    Chapter  Google Scholar 

  11. Kuhn, M.G.: Compromising Emanations: Eavesdropping Risks of Computer Displays. University of Cambridge, Computer Laboratory (2003)

    Google Scholar 

  12. Vuagnoux, M., Pasini, S.: Compromising electromagnetic emanations of wired and wireless keyboards. In: USENIX Security Symposium (2009)

    Google Scholar 

  13. Guri, M., Kachlon, A., Hasson, O., Kedma, G., Mirsky, Y., Elovici, Y.: GSMem: data exfiltration from air-gapped computers over GSM frequencies. In: 24th USENIX Security Symposium (USENIX Security 15), Washington, D.C. (2015)

    Google Scholar 

  14. Hanspach, M., Goetz, M.: On covert acoustical mesh networks in air. J. Commun. 8, 758–7647 (2013)

    Google Scholar 

  15. Halevi, T., Saxena, N.: A closer look at keyboard acoustic emanations: random passwords, typing styles and decoding techniques. In: ACM Symposium on Information, Computer and Communications Security (2012)

    Google Scholar 

  16. Guri, M., Monitz, M., Mirski, Y., Elovici, Y.: BitWhisper: covert signaling channel between air-gapped computers using thermal manipulations. In: 2015 IEEE 28th Computer Security Foundations Symposium (CSF) (2015)

    Google Scholar 

  17. Flicker fusion threshold. https://en.wikipedia.org/wiki/Flicker_fusion_threshold

  18. Guri, M., Monitz, M., Elovici, Y.: USBee: air-gap covert-channel via electromagnetic emission from USB (2016). arXiv:1608.08397 [cs.CR]

  19. Funtenna. https://github.com/funtenna

  20. Matyunin, N., Szefer, J., Biedermann, S., Katzenbeisser, S.: Covert channels using mobile device’s magnetic field sensors. In: 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC) (2016)

    Google Scholar 

  21. Kasmi, C., Esteves, J.L., Valembois, P.: Air-gap limitations and bypass techniques: command and control using smart electromagnetic interferences. In: Botconf (2015)

    Google Scholar 

  22. Hanspach, M., Goetz, M.: On covert acoustical mesh networks in air (2014). arXiv preprint arXiv:1406.1213

  23. Lee, E., Kim, H., Yoon, J.W.: Attack, various threat models to circumvent air-gapped systems for preventing network. Inf. Secur. Appl. 9503, 187–199 (2015)

    Google Scholar 

  24. O’Malley, S.J., Choo, K.-K.R.: Bridging the air gap: inaudible data exfiltration by insiders. In: Americas Conference on Information Systems (2014)

    Google Scholar 

  25. Guri, M., Solewicz, Y., Daidakulov, A., Elovici, Y.: Fansmitter: acoustic data exfiltration from (speakerless) air-gapped computers (2016). arXiv:1606.05915

  26. Guri, M., Solewicz, Y., Daidakulov, A., Elovici, Y.: DiskFiltration: data exfiltration from speakerless air-gapped computers via covert hard drive noise (2016). arXiv:1608.03431

  27. Guri, M., Kedma, G., Kachlon, A., Elovici, Y.: AirHopper: bridging the air-gap between isolated networks and mobile phones using radio frequencies. In: 9th IEEE International Conference on Malicious and Unwanted Software (MALCON 2014), Puero Rico, Fajardo (2014)

    Google Scholar 

  28. Loughry, J., Umphress, A.D.: Information leakage from optical emanations. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(3), 262–289 (2002)

    Article  Google Scholar 

  29. Sepetnitsky, V., Guri, M., Elovici, Y.: Exfiltration of information from air-gapped machines using monitor’s LED indicator. In: Joint Intelligence & Security Informatics Conference (JISIC-2014) (2014)

    Google Scholar 

  30. S.G.SC Magazine UK. Light-based printer attack overcomes air-gapped computer security. 17 October 2014. http://www.scmagazineuk.com/light-based-printer-attack-overcomes-air-gapped-computer-security/article/377837/

  31. Lopes, A.C., Aranha, D.F.: Platform-agnostic low-intrusion optical data exfiltration. In: 3rd International Conference on Information Systems Security and Privacy (ICISSP 2017), Porto (2016)

    Google Scholar 

  32. Griffith, S.: How to make a computer screen INVISIBLE, dailymail, October 2013. http://www.dailymail.co.uk/sciencetech/article-2480089/How-make-screen-INVISIBLE-Scientist-shows-make-monitor-blank-using-3D-glasses.html. Accessed May 2016

  33. Guri, M., Hasson, O., Kedma, G., Elovici, Y.: VisiSploit: an optical covert-channel (2016). arXiv:1607.03946 [cs.CR]

  34. Deshotels, L.: Inaudible sound as a covert channel in mobile devices. In: USENIX Workshop for Offensive Technologies (2014)

    Google Scholar 

  35. Gostev, A.: Agent.btz: a Source of Inspiration? SecureList, 12 March 2014. http://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/

  36. GReAT team. A Fanny Equation: I am your father, Stuxnet, Kaspersky Labs’ Global Research & Analysis Team, 17 February 2015 https://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/

  37. Goodin, D.: Meet badBIOS, the mysterious Mac and PC malware that jumps airgaps. ars technica, 31 October 2013. http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

  38. Khimji, I.: TripWire. The Malicious Insider, March 2015. http://www.tripwire.com/state-of-security/security-awareness/the-malicious-insider/. Accessed 09 May 2016

  39. TechTarget, Evil maid attack. http://searchsecurity.techtarget.com/definition/evil-maid-attack

  40. Costin, A.: Security of CCTV and video surveillance systems: threats, vulnerabilities, attacks, and mitigations. In: TrustED ‘16 Proceedings of the 6th International Workshop on Trustworthy Embedded Devices, New York (2016)

    Google Scholar 

  41. 9 Investigates hacked surveillance cameras across Central Florida, 3 Nov 2016 http://www.wftv.com/news/9-investigates/9-investigates-hacked-surveillance-cameras-across-central-florida/463226966. Accessed 12 Apr 2017

  42. Brant, T.: Samsung security cameras hacked again. pcmag, 18 January 2017. http://www.pcmag.com/news/351120/samsung-security-cameras-hacked-again. Accessed 12 Apr 2017

  43. thehackernews. Two arrested for hacking washington CCTV cameras before trump inauguration. 02 February 2017. http://thehackernews.com/2017/02/cctv-camera-hacking.html

  44. Schmid, S., Corbellini, G., Mangold, S., Gross, T.R.: An LED-to-LED visible light communication system with software-based synchronization. http://www.bu.edu/smartlighting/files/2012/10/Schmid_.pdf

  45. Giustiniano, D., Tippenhauer, N.O., Mangold, S.: Low-complexity visible light networking with LED-to-LED communication. In: 2012 IFIP Wireless Days (WD) (2012)

    Google Scholar 

  46. phys.org. Siemens Sets New Record for Wireless Data Transfer using White LEDs. 21 January 2010. https://phys.org/news/2010-01-siemens-wireless-white.html. Accessed 30 Jan 2017

  47. http://man7.org/linux/man-pages/man3/fseek.3.html

  48. http://man7.org/linux/man-pages/man3/fopen.3p.html

  49. (Unix), dd. https://en.wikipedia.org/wiki/Dd_(Unix). Accessed 01 July 2016

  50. sourceforge.net, 17 June 2015. https://sourceforge.net/projects/hdparm/. Accessed 01 July 2016

  51. Linux Programmer’s Manual. http://man7.org/linux/man-pages/man2/open.2.html

  52. CreateFile function. MICROSOFT. https://msdn.microsoft.com/en-us/library/aa363858(VS.85).aspx

  53. https://en.wikipedia.org/wiki/Visible_light_communication

  54. http://www.analog.com/media/en/technical-documentation/data-sheets/AD549.pdf

  55. NI-9223, C Series Voltage Input Module. http://sine.ni.com/nips/cds/view/p/lang/en/nid/209139

  56. https://www.thorlabs.com/thorproduct.cfm?partnumber=PDA100A

  57. http://www.seagate.com, http://www.seagate.com. SEGATE. http://www.seagate.com/em/en/tech-insights/advanced-format-4k-sector-hard-drives-master-ti/

  58. Rubini, A., Corbet, J., Kroah-Hartman, J.: Interrupt handling. In: Linux Device Drivers. O’Reilly (2005)

    Google Scholar 

  59. Russinovich, M.E., Ionescu, A., Solomo, D.A.: Understanding the windows I/O system. MICROSOFT, 09 September 2012. https://www.microsoftpressstore.com/articles/article.aspx?p=2201309&seqNum=3

  60. McNamara, J.: The complete, unofficial tempest information page (1999). http://www.jammed.com/~jwa/tempest.html

  61. USAF. AFSSI 7700: Communications and information emission security. Secretary of the Air Force (2007)

    Google Scholar 

  62. Anderson, R.J.: Emission security. In: Security Engineering, 2nd edn. Wiley Publishing, Inc., pp. 523–546 (2008)

    Google Scholar 

  63. ZDNET. Surveillance cameras sold on Amazon infected with malware. April 2016. http://www.zdnet.com/article/amazon-surveillance-cameras-infected-with-malware/

  64. https://www.signalsdefense.com/products

Download references

Author information

Authors and Affiliations

Authors

Corresponding authors

Correspondence to Mordechai Guri , Boris Zadov or Yuval Elovici .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Guri, M., Zadov, B., Elovici, Y. (2017). LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED. In: Polychronakis, M., Meier, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science(), vol 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-60876-1_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-60875-4

  • Online ISBN: 978-3-319-60876-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics