Want to bet that this technique will appear in the next season of Mr. Robot?
A team of researchers from the Cyber Security Research Center at Ben-Gurion University of the Negev in Israel has disclosed a new technique that can be used to exfiltrate data from air-gapped computers by reading the pulses of light from the HDD LED.
An air gap, air wall or air gapping is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network.
Many desktop and laptop computers have an HDD activity indicator, which blinks when data is being read from or written to the disk.
As a result, software can control the HDD LED's activity by issuing specific read/write operations. These LEDs can blink up to 6,000 times per second, which allows for high data transmission rates once the blinks are translated into binary code.
Malware installed on the target machine, for example, could exfiltrate data this way.
Led by Dr. Mordechai Guri, Head of R&D at the Cyber Security Research Center, the research team utilized the hard-drive (HDD) activity LED lights that are found on most desktop PCs and laptops. The researchers found that once malware is on a computer, it can indirectly control the HDD LED, turning it on and off rapidly (thousands of flickers per second) — a rate that exceeds the human visual perception capabilities. As a result, highly sensitive information can be encoded and leaked over the fast LED signals, which are received and recorded by remote cameras or light sensors.
Obviously, the attacker must find a way to observe the targeted device's activity LED, whether with a local hidden camera, a compromised security camera, a high-resolution camera that can capture images from outside the building, or a camera mounted on a drone, as shown in the proof-of-concept video published by the researchers.
Quick mitigation: duct tape on the HDD LED!
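Beyond covering the LED, a host-side check can look for the modulation pattern described above. The following is an added example, not code from the Ben-Gurion team: it assumes the defender samples whether the disk is busy at a fixed rate (say 1 kHz, from a block-I/O trace) into a 0/1 series, and it flags series whose run lengths cluster on whole multiples of one symbol period, which is what on/off keying produces and what ordinary workloads do not. The two `synth_*` functions build constructed test signals so the detector runs offline.

```python
"""Heuristic detector for on/off-keyed disk activity of the kind an HDD-LED
covert channel produces (added example, not the researchers' code). Assumption:
"disk busy?" is sampled at a fixed rate into a 0/1 series; a keying program
holds each bit for one symbol period, so run lengths cluster on its multiples."""
from collections import Counter

MIN_PERIOD = 5    # periods shorter than this cannot be resolved at the sample rate
TOLERANCE = 0.2   # tolerated timing jitter, as a fraction of the period
MIN_RUNS = 32     # fewer runs than this is not enough evidence either way


def run_lengths(samples):
    """Collapse a 0/1 series into the lengths of its constant runs."""
    runs, prev = [], None
    for bit in samples:
        if bit == prev:
            runs[-1] += 1
        else:
            runs.append(1)
            prev = bit
    return runs


def looks_modulated(samples):
    """Return (flag, fraction of runs that are whole multiples of the period)."""
    runs = run_lengths(samples)
    period = Counter(runs).most_common(1)[0][0] if runs else 0  # ~ one symbol
    if len(runs) < MIN_RUNS or period < MIN_PERIOD:
        return False, 0.0
    aligned = sum(1 for r in runs
                  if abs(r / period - max(1, round(r / period))) <= TOLERANCE)
    fraction = aligned / len(runs)
    return fraction >= 0.9, fraction


def synth_ook(payload, period=8):
    """Constructed test signal: each payload bit held for `period` samples,
    with small deterministic timing jitter as a keying program would show."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    jitter = (0, 1, 0, -1)
    samples = []
    for n, bit in enumerate(bits):
        samples.extend([bit] * (period + jitter[n % 4]))
    return samples


def synth_benign(cycles=4):
    """Constructed ordinary workload: irregular bursts and idle gaps."""
    burst = [7, 14, 47, 6, 120, 9, 33, 5, 71, 7, 18, 26]
    samples, level = [], 1
    for r in burst * cycles:
        samples.extend([level] * r)
        level ^= 1
    return samples
```

The thresholds are illustrative; a real deployment would tune them against the machine's own I/O baseline and sample faster than the fastest symbol rate it needs to catch.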