Browsing the internet, I came across a curious study by computer security researchers at an Israeli university. They wrote malware whose purpose is to transmit data from an offline computer to a camera placed within line of sight of it. The goal was to simulate a hacker attack and test whether data can be exfiltrated from an infected computer using the hard disk activity LED. The technique is, in my opinion, somewhat Hollywood, but interesting nonetheless.
LED-it-GO. Using light signals to steal data
The authors called their study "LED-it-GO: Data from Air-Gapped Computers via Hard Drive LED". On the technical side, the LED that indicates the activity of the drive installed in the computer is used as the data source: it transmits the data by blinking.
The LED lights up on every read or write operation performed by the drive. There may be several such LEDs, for example one per disk in a server or network storage device. Desktop computers use one shared indicator for all drives. As a rule it is located on the front panel; on laptops it is on the top panel next to the keyboard or on the front edge.
The signal is produced by turning the LED on and off. The LED is controlled by the motherboard, and no way to drive it directly was found. The developers therefore had to control the duration and frequency of the LED's activation indirectly, by issuing read or write requests to the disk for blocks of the desired length. To avoid leaving traces in the system, only read operations were used.
Information was transmitted in packets of two types: fixed length and variable length. Each packet starts with an 8-bit header. In the fixed-length packet, the header is followed by 256 bits of data and then a checksum. In the variable-length packet, the length of the data block is transmitted between the header and the data itself.
Fixed-length packets are preferable for transferring small amounts of data, such as a password or an encryption key. Variable-length packets allow whole files to be transferred.
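Because the malware can only drive the indicator through read requests, a defender can look for the side effect on the host instead of watching the LED: a stream of reads whose gaps all land on one short symbol grid is itself an anomaly. The following Python is an added example, not code from the study; the inputs are constructed (a synthetic on-off-keyed read pattern with timer jitter, and Poisson-distributed application I/O), and the rate limits and thresholds are assumptions.

```python
import random

# Plausible symbol rates for LED signaling (the study reports up to 4000 bit/s).
SYMBOL_RATE_MIN, SYMBOL_RATE_MAX = 10.0, 5000.0
MIN_EVENTS = 32          # too few reads to judge a cadence below this
RESIDUAL_LIMIT = 0.1     # mean deviation from the symbol grid, as a fraction of the period

def estimate_cadence(timestamps):
    """Return (period, mean_residual) for sorted read-request times: period is the
    median of the shortest gaps (one symbol time), mean_residual how far every gap is
    from an integer multiple of that period (0.0 means a perfect grid)."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:]) if b > a]
    if not gaps:
        return None, None
    shortest = min(gaps)
    cluster = sorted(g for g in gaps if g < 1.5 * shortest)
    period = cluster[len(cluster) // 2]
    residuals = [abs(g - round(g / period) * period) / period for g in gaps]
    return period, sum(residuals) / len(residuals)

def looks_like_led_signaling(timestamps):
    """Heuristic: many reads whose gaps all sit on one symbol grid at a plausible rate."""
    if len(timestamps) < MIN_EVENTS:
        return False
    period, residual = estimate_cadence(timestamps)
    if period is None:
        return False
    rate = 1.0 / period
    return SYMBOL_RATE_MIN <= rate <= SYMBOL_RATE_MAX and residual < RESIDUAL_LIMIT

# Constructed inputs (not measurements): a synthetic on-off-keyed read pattern with
# timer jitter, and bursty application I/O modelled as a Poisson process.
def simulated_signaling_times(bits, symbol_period=0.004, jitter=0.0001, seed=1):
    rng = random.Random(seed)
    return [i * symbol_period + rng.uniform(-jitter, jitter)
            for i, b in enumerate(bits) if b == "1"]

def simulated_benign_times(n=200, mean_rate=50.0, seed=2):
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        t += rng.expovariate(mean_rate)
        out.append(t)
    return out

if __name__ == "__main__":
    bits = "1011001110001011" * 16   # constructed 256-bit payload pattern
    print("signaling:", looks_like_led_signaling(simulated_signaling_times(bits)))  # True
    print("benign:   ", looks_like_led_signaling(simulated_benign_times()))          # False
```

On a real host the timestamps would come from per-process block I/O tracing; the check is a cheap first filter, and the two thresholds should be tuned against the machine's normal read behaviour.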
Test results
The researchers used different types of cameras and LEDs of different colours: red, white and blue. The maximum rate at which the LED could signal with its light was 4000 bits per second. It was also found that blue LEDs give the strongest light signal.
Different cameras were used to read the LED signal: a GoPro, entry-level SLR cameras, webcams, smartphones and Google Glass. Experiments showed that most of these cameras can recognise signals at up to 15 bits per second, while the GoPro Hero5 could receive the signal at up to 120 bits per second.
In one test, the signal from a system unit placed in a room was read through the window by a camera mounted on a drone. The results can be seen in the video provided by the developers.
LED-it-GO - an attack that is difficult to recognize
The developers claim that, since the disk activity indicator flashes frequently and rather chaotically, adding extra flashes to it is unlikely to be noticed. Moreover, during data transmission the LED blinks so fast that to the human eye it appears to be on continuously.
The difficulty of detecting such an attack is that some LED, or even several, is always blinking on a computer, and as a rule no one pays any attention to it. With a transfer rate of up to 4000 bps, even transferring large files becomes possible in principle.
The goal is a computer not connected to the Internet
If a computer is connected to the internet, it is much easier to use that connection to steal data than to bother with LEDs and cameras.
Computers that store important data and have no such connection are a different matter. True, there are 2 problems:
• Typically such computers are installed in rooms without windows, and no other electronic devices are placed nearby.
• Such a computer must somehow be infected with the malware, and this cannot be done in the usual way (via an e-mail attachment, a downloaded file, etc.).
If the room does have windows, this method of information theft can be countered by covering or disabling the LEDs, installing a system that monitors LED activity, or making the windows opaque from outside the room where the computers are installed. Also, do not use surveillance cameras that could be used to read information in this way.