Four methods hackers use to steal data from air-gapped computers

Air-gapped computers are seen as high-value targets, so considerable research has gone into taking data from them -- without a network connection. Here's what you need to know.
Written by Robin Harris, Contributor

Researchers have devised numerous ways to extract data from computer systems by developing covert channels. These channels fall into four general groups:

  • Electromagnetic (the earliest attack vector)
  • Acoustic (beyond speakers, modulated fan and disk drive noise can be used)
  • Thermal (very low speeds possible)
  • Optical (a hot area, where speeds up to 4k bps have been demonstrated)

Electromagnetic (EM) channels range from eavesdropping on the EM radiation from the memory bus, to leakage from USB ports and cables. EM was the first channel widely explored and used, and has made EM shielding a common preventative measure.

Acoustic channels have become popular with a advent of hackable smartphones whose microphones can pick up audio signals that humans can't differentiate from background hum. The latest area is the use of ultrasonic sounds, whose higher frequencies are both inaudible and offer greater bandwidth.

Thermal hacks have been demonstrated, but with bandwidth measured in a few tens of bits per second over a short distance. It isn't clear that thermal transmission will ever find a practical covert use.

A more recent focus has been optical transmission. With the advent of widespread - and easily hacked -- surveillance cameras, the ubiquitous LEDs on almost every system can transmit significant amounts of data.

There are three classes of LED used in today's computer equipment.

  • unmodulated LEDs that indicate device state, such as power on.
  • time modulated LEDs that indicate device activity levels.
  • modulated LEDs that indicate the content of the data being processed.

The human eye has a hard time detecting flickers much above 60Hz, so human users won't know if an LED is being used covertly or not. Of course, many consumer devices, such as the new iPhone X, are equipped with infrared (IR) LEDs that are designed to transmit or receive data invisibly.

Leaky LEDs

Many network devices use LEDs to indicate data activity, which, with a large enough sample, can indicate the traffic passing through them. If the device can be hacked -- and what isn't, these days? -- the LEDs can transmit much more specific data.

Storage drive activity LEDs have demonstrated transmission speeds up to 4k bps using surveillance cameras as optical receivers. This is fast enough to handle encryption keys, keystroke logging, and text and binary files.

Drive lights flicker in operation normally, so users are unlikely to notice any additional flickering during data transmission.

As drives have microprocessors embedded in their controllers, they are eminently hackable.

Printer LEDs have also been recently demonstrated to offer covert channel capability. Basically, if it has an LED and a microprocessor, it can be hacked.

Unmodulated state indicators

But what about using the least promising LED type: unmodulated state indicators?

In a recent paper, Exfiltration of Data from Air-gapped Networks via Unmodulated LED Status Indicators researchers Zhou et al., demonstrated that ordinary keyboard LEDs -- such cap and num locks -- can be used to exfiltrate data using IP cameras, without users being any the wiser.

As with any communications channel, the signal encoding method is key to getting the most performance and reliability from the limited bandwidth. The obvious method, On-Off Keying (OOK), presents a zero when off and a 1 when on. The problem is that surveillance cameras usually run at 15 frames per second, which hobbles data bandwidth. And, of course, users may wonder why their keyboard LEDs are flicking on and off for no apparent reason.

"In our approach, we use Binary Frequency Shift Keying (B-FSK) to modulate the signal. We can use one flicker frequency f0 to encode a logical zero(0), and use another flicker frequency f1 to encode a logical one."

But that leaves one more problem: how do you simulate flicker frequencies when the LED should be either on or off -- i.e. it is not a modulated LED to begin with? The team found that by turning a normally on LED off with a duration of less than 50ms, the human eye cannot detect the flicker. Thus two different flicker patterns can be presented from an apparently always-on LED.

The major downside to this method is that the bit rates are on the order of 12 bits per second. But if the data is high value, such as an encryption key, that may be all that is needed.

The Storage Bits take

Storage vendors often talk about encrypting data at rest, so you can't steal a drive and access its data. But that's not the big problem, especially if you're striping data across multiple drives. The problem is when data is in motion, being typed, displayed, or processed.

LEDs are amazing devices, but clearly their use in computer screens, keyboards, switches, and drives, is a security issue. Given their ubiquity, any facility under surveillance is at risk.

If only we put as much energy into security as we do hacking!

Courteous comments welcome, of course. The paper has a good intro to data exfiltration methods, which I borrowed from.

Editorial standards