How to leak data from an air-gapped PC – using, er, a humble scanner
Security researchers propose old-school gear as a covert command & control conduit
Cybercriminals managed to infect a PC in the design department of Contoso Ltd through a cleverly crafted spear-phishing campaign. Now they need a way to communicate with the compromised machine in secret.
Unfortunately, they know Contoso's impenetrable network defenses will detect commands sent to their malware.
To avoid detection, they have to send data through a channel not monitored by the company's IT security system, the Hyper IronGuard WallShield 2300, with its "military-grade" two-ply data leakage protection technology.
They consider several potential covert transmission techniques – inaudible sound, modulated light, even thermal manipulation of hardware – but none of these appear to be practical given their budgetary limitations and modest intellects.
Then one member of the three-person group recalls hearing about a security paper, "Oops!...I think I scanned a malware" [PDF], published earlier in March by researchers from two Israeli universities, Ben-Gurion University of the Negev and the Weizmann Institute of Science.
The other hackers are skeptical at first, but as they learn about the proposed technique, they become more open to trying it, particularly because it can be done with a drone. All of them love drones.
The researchers, Ben Nassi and Yuval Elovici from Ben-Gurion University and Adi Shamir from the Weizmann Institute, describe a method for creating a covert communication channel between a compromised computer inside an organization and a scanner on the same network that happens to be near an external window.
The technique involves shining an external light, such as a laser or an infrared beam, through the window (or hijacking a manipulable internal light source) so that the illumination alters the scanner output to produce a digital file containing the desired command sequence.
To do so, the light must be connected to a micro-controller that modulates the binary-encoded commands from the server into light flashes that register with the scanner's sensors.
"Since the entire scanning process is influenced by the reflected light, interfering with the light that is illuminated on the pane will result in a different electrical charge which will therefore be parsed to a different binary representation of the scanned material," the paper explains.
The researchers describe setting a drone to hover outside a third-floor office window at a time when installed malware in the target organization had been instructed to begin scanning. With a transmission rate of 50 milliseconds per bit, they infiltrated the command "d x.pdf" to delete a test PDF file. The command sequence took 3.2 seconds to transmit using a laser mounted on the drone.
The cyber thieves spend several days preparing to carry out their plan. But during the final rehearsal, one of them realizes it won't work because the attack requires the scanner to be at least partially open to register incoming light.
Although Contoso's precious secrets remain beyond their reach, all three soon get recruited by a Silicon Valley drone startup focused on pet transportation. ®