The Caps Lock, Num Lock, and Scroll Lock LEDs on a keyboard can be used to exfiltrate data from a secure air-gapped system, academics from an Israeli university have proved.
The attack, which they named CTRL-ALT-LED, is nothing that regular users should worry about but is a danger for highly secure environments such as government networks that store top-secret documents or enterprise networks dedicated to storing non-public proprietary information.
How CTRL-ALT-DEL works
The attack requires some pre-requisites, such as the malicious actor finding a way to infect an air-gapped system with malware beforehand. CTRL-ALT-LED is only an exfiltration method.
But once these prerequisites are met, the malware running on a system can make the LEDs of an USB-connected keyboard blink at rapid speeds, using a custom transmission protocol and modulation scheme to encode the transmitted data.
A nearby attacker can record these tiny light flickers, which they can decode at a later point, using the same modulation scheme used to encode it.
The research team behind this exfiltration method says it tested the CTRL-ALT-LED technique with various optical capturing devices, such as a smartphone camera, a smartwatch's camera, security cameras, extreme sports cameras, and even high-grade optical/light sensors.
Some attacks require an "evil maid" scenario, where the attacker needs to be physically present to record the LED flickers -- either using his smartphone or smartwatch.
However, other scenarios are more doable, with the attacker taking over CCTV surveillance systems that have a line of sight of the keyboard LEDs.
Keyboard LED transmissions can also be scheduled at certain intervals of the day when users aren't around. This also makes it easier for attackers to sync recordings or place optical recorders or cameras near air-gapped targets only at the time they know the LEDs will be transmitting stolen info.
During experiments, the research team -- from the Ben-Gurion University of the Negev in Israel -- said they've recorded exfiltration speeds of up to 3000 bit/sec per LED when they used sensitive light sensors, and around 120 bit/sec speeds when they used a normal smartphone camera.
Speeds varied depending on the camera's sensitivity and distance from the keyboard. Keyboard models didn't play a role in exfiltration speeds, and no vendor had keyboards that were more vulnerable to this exfiltration method than others. Bit error rates in recovering the stolen data varied between acceptable 3% rates to larger 8% values.
But the technique the Ben Gurion research crew tested with modern hardware isn't actually new. A research paper published in 2002 first warned that data exfiltration via keyboard LEDs was technically possible.
Furthermore, the same Ben Gurion team was also behind similar research in the past. The first is called LED-it-GO, an exfiltration technique that uses hard drive LEDs, and the second is xLED, a similar method that exfiltrates data from routers and switches using their status lights.
As this article stated right at the beginning, regular users have nothing to fear from the technique described in this article. Malware usually has far better and faster methods of stealing data from infected computers. This is something that administrators of air-gapped networks need to take into consideration.
The Ben-Gurion team listed various countermeasures against this attack in their white paper, titled "CTRL-ALT-LED: Leaking Data from Air-Gapped Computers Via Keyboard LEDs."
The research team will present their findings next week, on July 18, at the COMPSAC conference, held in Milwaukee, Wisconsin, USA.
More vulnerability reports:
- Adobe tackles vulnerabilities in Dreamweaver, Experience Manager, Bridge
- Tor Project to fix bug used for DDoS attacks on Onion sites for years
- Vulnerabilities found in GE anesthesia machines
- Backdoor found in Ruby library for checking for strong passwords
- Microsoft July 2019 Patch Tuesday fixes zero-day exploited by Russian hackers
- Logitech wireless USB dongles vulnerable to new hijacking flaws
- KRACK attack: Here's how companies are responding CNET
- Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic