Academics steal data from air-gapped systems using screen brightness variations

Israeli researchers use quick flickers in LCD screen brightness to encode and exfiltrate data.

Academics from Israel have detailed and demoed a new method for stealing data from air-gapped computers.

The method relies on making small tweaks to an LCD screen's brightness settings. The tweaks are imperceptible to the human eye, but can be detected and extracted from video feeds using algorithmic methods.

This article describes this innovative new method of stealing data, but readers should be aware from the start that this attack is not something that regular users should worry about, and that they are highly unlikely to ever encounter it.

Named BRIGHTNESS, the attack was designed for air-gapped setups -- where computers are kept on a separate network with no internet access.

Air-gapped computers are often found in government systems that store top-secret documents or enterprise networks dedicated to storing non-public proprietary information.

Creative hackers might find a way to infect these systems -- such as using an infected USB thumb drive that's plugged into these systems -- but getting data out of air-gapped networks is the harder part.

This is where a team of academics at the Ben-Gurion University of the Negev in Israel has specialized. For the past few years, they've been studying ways of extracting data from already-infected air-gapped systems.

Past academic research into the field includes data exfiltration techniques like:

  • LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED
  • USBee - force a USB connector's data bus to give out electromagnetic emissions that can be used to exfiltrate data
  • AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
  • Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
  • DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
  • BitWhisper - exfiltrate data from non-networked computers using heat emanations
  • Unnamed attack - uses flatbed scanners to relay commands to malware-infested PCs or to exfiltrate data from compromised systems
  • xLED - use router or switch LEDs to exfiltrate data
  • aIR-Jumper - use a security camera's infrared capabilities to steal data from air-gapped networks
  • HVACKer - use HVAC systems to control malware on air-gapped systems
  • MAGNETO & ODINI - steal data from Faraday cage-protected systems
  • MOSQUITO - steal data from PCs using attached speakers and headphones
  • PowerHammer - steal data from air-gapped systems using power lines
  • CTRL-ALT-LED - steal data from air-gapped systems using keyboard LEDs

How the "BRIGHTNESS" attack works

The new BRIGHTNESS attack is similar to all the methods described above. The steps are described below:

  1. Infect air-gapped system.
  2. Malware running on the infected computer collects the data it wants to steal.
  3. Malware alters a screen's color settings to modify the brightness level.
  4. The brightness level is adjusted up/down in order to relay a 0/1 binary pattern that transmits a file, one bit at a time.
  5. A nearby attacker records the screen of the infected computer.
  6. The video is analyzed and the file is reconstructed by analyzing the variations in the screen's brightness.

The research team said it tested the BRIGHTNESS attack in several configurations. Researchers say they had the best results by modifying the red color pixels by around 3% from their normal settings.

Image: Ben-Gurion University of the Negev, Israel

This small change is invisible to the human eye due to the high refresh rates on modern LCD screens, but can be picked up by modern high-resolution video cameras that often come with webcams, smartphones, laptops, or security camera equipment.
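To make the analysis step concrete, here is an added example (not code from the researchers or their paper) that measures how much two-level brightness modulation a camera feed contains, the kind of check a defender could run against footage of screens in a secure room. It works on constructed per-frame red-level samples; the 30 fps frame rate, the baseline level of 200, the noise bound and the 1.5% alert threshold are assumptions, while the roughly 3% red shift and the 5 bits/second rate are the figures reported in this article.

```python
import random

FPS = 30                      # assumed camera frame rate
BITS_PER_SEC = 5              # low end of the 5-10 bits/second the article reports
FRAMES_PER_BIT = FPS // BITS_PER_SEC
DEPTH_ALERT = 0.015           # assumed alert threshold, half of the ~3% shift

def window_means(red_means, frames_per_bit=FRAMES_PER_BIT):
    """Average the per-frame mean red level over each bit-length window."""
    count = len(red_means) // frames_per_bit
    if count == 0:
        raise ValueError("capture is shorter than one bit window")
    return [sum(red_means[i * frames_per_bit:(i + 1) * frames_per_bit]) / frames_per_bit
            for i in range(count)]

def split_levels(red_means):
    """Return the window averages and a threshold midway between their extremes."""
    windows = window_means(red_means)
    return windows, (min(windows) + max(windows)) / 2

def decode_bits(red_means):
    """Classify each window as bright (1) or dark (0)."""
    windows, threshold = split_levels(red_means)
    return [1 if w > threshold else 0 for w in windows]

def modulation_depth(red_means):
    """Relative gap between the bright and dark window clusters (0.0 if flat)."""
    windows, threshold = split_levels(red_means)
    high = [w for w in windows if w > threshold]
    low = [w for w in windows if w <= threshold]
    if not high or not low:
        return 0.0
    low_avg = sum(low) / len(low)
    return (sum(high) / len(high) - low_avg) / low_avg

def constructed_capture(bits, base=200.0, shift=0.03, noise=1.0, seed=7):
    """Constructed sample data: mean red level per frame plus bounded sensor noise."""
    rng = random.Random(seed)
    return [base * (1 + shift * bit) + rng.uniform(-noise, noise)
            for bit in bits for _ in range(FRAMES_PER_BIT)]

PATTERN = [1, 0, 1, 1, 0, 0, 1, 0]                # constructed test bits
modulated = constructed_capture(PATTERN)          # screen carrying the pattern
steady = constructed_capture([0] * len(PATTERN))  # control: unmodulated screen

if __name__ == "__main__":
    for name, capture in (("modulated", modulated), ("steady", steady)):
        depth = modulation_depth(capture)
        print(f"{name}: depth={depth:.2%} alert={depth >= DEPTH_ALERT}")
    print("recovered bits:", decode_bits(modulated))
```

Averaging over each bit window is what lets a shift of a few percent stand out from frame-to-frame camera noise, and the steady control shows that noise alone stays under the alert threshold.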

BRIGHTNESS attack is really slow

However, transmitting data this way is extremely slow. Researchers reported maximum speeds of 5-10 bits/second, which is an incredibly low transmission speed -- among the lowest of all the air-gap exfiltration attacks listed earlier in this article.

Image: Ben-Gurion University of the Negev, Israel

This speed means the attack might be useful for stealing a small encryption key but don't hold your breath for exfiltrating a 1GB ZIP archive without the risk of getting detected.

The research team says that the easiest way to thwart BRIGHTNESS attacks is to apply polarized film on top of computer screens.

"The user gets a clear view while humans and cameras at a distance would view a darkened display," they said.

More on this technique is available in a research paper titled "BRIGHTNESS: Leaking Sensitive Data from Air-Gapped Workstations via Screen Brightness."