Reg comments46

Your data: Stolen through PIXELS

Can't detect what you can't see, Oz hacker says

Kiwicon Data loss prevention has been dealt a coup de grace with the development of a client-less system that can suck corporate data through monitors.

The research, to be detailed in a proof of concept at the Kiwicon hackerfest in Wellington on Friday December 12, bypasses all detection methods, its developer says.

The attack requires only that an attacker have physical access (but not necessarily authority to access) to a target machine, and install an off-the-shelf HDMI recording device and an Arduino keyboard.

So far, there's no way to prevent it, according to Ian Lattler in conversation with El Reg.

A local security governance bod at a blue chip company subsequently told Vulture South the technique which has been upgraded from previous incarnations quietly revealed in International Computer Security Symposium left no traces for real time security systems or forensics to analyse, and requires no installation.

"The attack means data can be extracted through the screen," Latter said ahead of his presentation.

"This works on the assumption that you have access to a computer but not access to the data, and these tools allow you to take the data outside of the target systems.

"The whole point of the client-less version is that there is no indicators of compromise on the application server or QR codes."

Previous incarnations spun sensitive data into QR codes using an agent installed on the target machine allowing both the codes and the installed agent to be to be potentially detected.

He previously made available a TGXf client that generated the QR codes and Android and iOS applications that could interpret the information on mobile devices.

His latest clientless TGXf version worked by using Bash to turn data into text that was funnelled and captured through video output and turned back into its initial state using optical character recognition.

It differed Latter said from existing work including 2012 research by NeoHapsis Labs that focused on HTML5 and JavaScript encoding which depended on a web browser and required access to raw video.

Latter who had built and reviewed corporate perimeters for major companies tipped off CERT Australia and the Office of the Australian Information Commissioner to his creation warning that it could result in Privacy Act breaches of outsourcing arrangements because it allowed offshore staff to siphon sensitive data.

There was virtually nothing the office or organisations could do to prevent the attacks, however.

"If this attack was done well, you would not see the attack itself," Latter said. "What I think you'd find is a loss of effectiveness of your organisation."

Latter's proof of concept to be demonstrated at the Wellington conference used an AverMedia Game Capture II device popular with video game players to save plays, and could capture 1920x1080 at 30 frames per second to MP4. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017