CTRL-ALT-LED: Leaking Data from Air-Gapped Computers Via Keyboard LEDs

@article{Guri2019CTRLALTLEDLD,
  title={CTRL-ALT-LED: Leaking Data from Air-Gapped Computers Via Keyboard LEDs},
  author={Mordechai Guri and Boris Zadov and Dima Bykhovsky and Yuval Elovici},
  journal={2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC)},
  year={2019},
  volume={1},
  pages={801-810}
}
  • Mordechai Guri, B. Zadov, Y. Elovici
  • Published 10 July 2019
  • Computer Science
  • 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC)
Using the keyboard LEDs to send data optically was proposed in 2002 by Loughry and Umphress [1] (Appendix A). In this paper we extensively explore this threat in the context of a modern cyber-attack with current hardware and optical equipment. In this type of attack, an advanced persistent threat (APT) uses the keyboard LEDs (Caps-Lock, Num-Lock and Scroll-Lock) to encode information and exfiltrate data from air-gapped computers optically. Notably, this exfiltration channel is not monitored by…

ETHERLED: Sending Covert Morse Signals from Air-Gapped Devices via Network Card (NIC) LEDs

  • Mordechai Guri
  • Computer Science
  • 2022 IEEE International Conference on Cyber Security and Resilience (CSR)
  • 2022
TLDR
A new technique named ETHERLED is presented, allowing attackers to leak data from air-gapped networked devices such as PCs, printers, network cameras, embedded controllers, and servers, using documented methods or undocumented firmware commands.

Brightness: Leaking Sensitive Data from Air-Gapped Workstations via Screen Brightness

TLDR
This paper introduces an optical covert channel in which an attacker can leak sensitive information from air-gapped computers through manipulations on the screen brightness, invisible to users.

Exfiltrating data from air-gapped computers via ViBrAtIoNs

AiR-ViBeR: Exfiltrating Data from Air-Gapped Computers via Covert Surface ViBrAtIoNs

TLDR
The results show that data can be exfiltrated from an air-gapped computer to a nearby smartphone on the same table, or even an adjacent table, via vibrations, and a set of countermeasures is proposed for this new type of attack.

Glowworm Attack: Optical TEMPEST Sound Recovery via a Device's Power Indicator LED

TLDR
The Glowworm attack is presented, an optical TEMPEST attack that can be used by eavesdroppers to recover sound by analyzing optical measurements obtained via an electro-optical sensor directed at the power indicator LED of various devices.

POWER-SUPPLaY: Leaking Data from Air-Gapped Systems by Turning the Power-Supplies Into Speakers

TLDR
The developed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities, and the POWER-SUPPLaY code can operate from an ordinary user-mode process and doesn't need any hardware access or special privileges.

GAIROSCOPE: Injecting Data from Air-Gapped Computers to Nearby Gyroscopes

TLDR
The experiments show that attackers can exfiltrate sensitive information from air-gapped computers to smartphones located a few meters away via GAIROSCOPE, an ultrasonic Speakers-to-Gyroscope covert channel that doesn’t require a microphone on the receiving side.

LaserShark: Establishing Fast, Bidirectional Communication into Air-Gapped Systems

TLDR
By aiming lasers at already built-in LEDs and recording their response, this work is the first to enable a long-distance, bidirectional, and fast covert communication channel for air-gapped systems without any additional hardware on-site.

SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables

  • Mordechai Guri
  • Computer Science
  • 2022 19th Annual International Conference on Privacy, Security & Trust (PST)
  • 2022
TLDR
The results show that attackers can use the SATA cable to transfer a brief amount of sensitive information from highly secured, air-gapped computers wirelessly to a nearby receiver.

References

LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED

TLDR
A method that allows attackers to covertly leak data from isolated, air-gapped computers via the hard disk drive (HDD) activity LED, and shows that sensitive data can successfully be leaked via the HDD LED at a maximum bit rate that allows rapid exfiltration of encryption keys, keystroke logging, and text and binary files.

xLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs

TLDR
It is shown how attackers can covertly leak sensitive data from air-gapped networks via the row of status LEDs on networking equipment such as LAN switches and routers through different modulation and encoding schemas, along with a transmission protocol.

LCD TEMPEST Air-Gap Attack Reloaded

  • Mordechai Guri, Matan Monitz
  • Computer Science
  • 2018 IEEE International Conference on the Science of Electrical Engineering in Israel (ICSEE)
  • 2018
TLDR
It is found that malware can covertly leak data from air-gapped computers to a nearby RF receiver via the electromagnetic emission through an analysis of the frequency range, effective distance and the bandwidth of this covert-channel.

Optical air-gap exfiltration attack via invisible images

Making USB Great Again with USBFILTER

TLDR
The proposed USBFILTER system provides a level of granularity and extensibility that reduces the uncertainty of USB connectivity and ensures unauthorized devices are unable to communicate with the host.

ODINI: Escaping Sensitive Data From Faraday-Caged, Air-Gapped Computers via Magnetic Fields

TLDR
This paper shows how attackers can bypass Faraday cages and air-gaps in order to leak data from highly secure computers and introduces a malware codenamed ‘ODINI’ that can control the low frequency magnetic fields emitted from the infected computer by regulating the load of the CPU cores.

An optical covert-channel to leak data through an air-gap

TLDR
VisiSploit is introduced, a new type of optical covert channel which, unlike other optical methods, is also stealthy and shows that malicious code on a compromised computer can obtain sensitive data and project it onto a computer LCD screen, invisible and unbeknownst to users.

BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations

TLDR
This paper demonstrates BitWhisper, a method of bridging the air-gap between adjacent compromised computers by using their heat emissions and built-in thermal sensors to create a covert communication channel, which supports bidirectional communication and requires no additional dedicated peripheral hardware.