The normal way to steal data from a compromised computer is to retrieve it over a network. If that computer isn’t connected to one, it gets a little trickier.
Researchers at Ben-Gurion University of the Negev have made a name for themselves figuring out how to get data out of air-gapped computers. They’ve dreamed up ways to communicate using speakers, blinking LEDs in PCs, infrared lights in surveillance cameras, and even computer fans.
Now, they’ve figured out a way to retrieve data from a disconnected computer by altering its LCD display’s pixel density just enough for a nearby camera to pick it up.
In a paper published this month, the researchers describe what they call an “optical covert channel” which cameras can detect, but which users cannot. They use one of the three colours in LCD pixels which normally combine to give the pixel a range of hues.
Their technique adjusts the red colour component in pixels on the screen by 3%, which is apparently not enough for users to notice. A camera located six metres from the 19-inch screen was nevertheless able to detect the difference.
Optical exfiltration techniques have cropped up before, they explain, but most of them have been easily detectable by users. Conversely, an attacker could theoretically use this one even while a user was working at the compromised machine.
We say “theoretically” because in practice there are a lot of challenges involved in this attack. The first is that the computer has to be compromised in the first place, which means getting to its physical location. Then, you could infect it with a USB stick, but if you’ve reached that point, presumably you could just copy the data to the stick.
The other issue is bit rate. If you’re old enough to remember dial-up internet connections, spare a thought for anyone trying to use this technique, which makes them look like broadband. The researchers achieved transmission speeds of five bits per second with their brightness-tweaking tricks. Switching LCD colours is enough to send a single bit, but it takes time to do that, and for the camera to pick it up.
Abraham Lincoln’s Gettysburg address was notoriously brief, but by our calculations, it would still take over 38 minutes to beam it from screen to camera as ASCII text. Maybe you could use a different character format, or compress it.
Someone could exploit this vulnerability using an ‘evil maid’ attack in which someone with access to the computer’s room pointed a camera at it. To counter that, the researchers suggest restricting physical access to air-gapped machines. The bit rate is also subject to the camera’s view of and distance from the screen, along with the display’s brightness, so if things weren’t positioned just right, you’d be waiting four score and seven years to retrieve any significant data.
Short pieces of information like passwords and private keys would be more tractable for a temporary camera. On the other hand, a covert optical channel could continue beaming information as long as a static camera could see the screen and the computer was turned on.
Ultimately, this is interesting academic research, with the emphasis on ‘academic’. Perhaps some three-letter agency might use this in a Mission Impossible-style scenario, but, just like the flickering pixel in the display of the researchers’ hypothetical compromised computer, we can’t really see it.
Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.
