Air-gapped computers aren't physically connected to any network and so should be protected from remote attackers. However, Stuxnet showed that air gaps can be breached, and an insider could always insert a USB drive into an air-gapped computer.
Security researchers from Israel's Ben Gurion University have just demonstrated that if an attacker did manage to infect an air-gapped computer, they could steal data semi-remotely at their leisure by using a camera to capture signals from the LED lights of its hard-disk drive (HDD).
The LEDs flicker when the drive is undergoing read and write operations, but can be made to transmit data visually.
As Wired reports, the malware that the researchers devised can force an HDD LED to blink 6,000 times per second. If those lights are visible from a window, a camera-equipped drone or telescopic lens can capture the signals at a distance.
The researchers explain in a new paper that data can be leaked from HDD LEDs at a rate of 4kbps. That speed is incredibly slow by today's USB standards, but it's more than enough to steal encryption keys or text and binary files. According to the researchers, it's an impressive 10 times faster than previous optical covert channels for leaking data from air-gapped computers.
"We found that the small hard-drive indicator LED can be controlled at up to 6,000 blinks per second. We can transmit data in a very fast way at a very long distance," Ben-Gurion researcher Mordechai Guri told Wired.
The beauty of the attack is that HDD LED lights blink anyway, making it easy to conceal that the infected machine is actually transmitting data.
"Our method compared with other LED exfiltration is unique, because it is also covert," Guri said. "The hard-drive LED flickers frequently, and therefore the user won't be suspicious about changes in its activity."
Guri's other malware-based attacks on air-gapped computers have shown that data can be leaked through a computer's speakers and fans, FM radio waves, and heat.
The encoding scheme they used to transfer data from the HDD LEDs is called on-off keying, which is just one method of visible light communication.
The researchers tested a number of camera devices to steal data from LEDs, and point out that if an organization hoped to prevent such an attack by pointing a video surveillance camera at the air-gapped computer, the camera itself could be compromised.
Their tests looked at an entry-level Nikon DSLR, a high-end security camera, a GoPro Hero5, a Microsoft LifeCam, a Samsung Galaxy S6, Google Glass, and a Siemens photodiode sensor.
The Siemens sensor had by far the highest bit rate of nearly 4kbps, while the Galaxy S6 and GoPro Hero5 had bandwidths of 60 bits per second and 120 bits per second, respectively.
While they did not comprehensively test the distance at which LED light can be reliably captured and decoded, they noted that they were able to identify LED signals from 20 meters away, outside the building.
Fortunately, there are a number of cheap countermeasures. Procedural ones include banning cameras in sensitive areas, covering or disconnecting the LED, and shielding windows.
Alternatively, organizations could install signal jammers, or deploy software or a camera to monitor LED activity for abnormal blinking.
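The following is an added example, not code from the Ben-Gurion paper or from the Wired report, illustrating two points above: what on-off keying looks like as an LED intensity trace (bit 1 = LED lit, bit 0 = LED dark, each held for one symbol period), and how a monitoring tool watching the LED could tell such a transmission apart from ordinary drive activity. The sensor sampling rate, the "normal" toggling ceiling, the disk-activity timing ranges and the 16-bit message pattern are all assumptions constructed for the example, not values from the paper.

```python
"""Simulated HDD-LED traces and a simple monitor that flags covert-channel-like blinking.

Added example; none of the constants below come from the Ben-Gurion paper.
"""
from functools import reduce
from math import gcd
import random

SAMPLE_RATE_HZ = 20_000          # assumed light-sensor sampling rate (hypothetical)
MAX_NORMAL_TOGGLES_PER_S = 500   # assumed ceiling for ordinary read/write blinking (hypothetical)

# Constructed 16-bit pattern repeated 125 times = 2000 bits; not a real key or file.
MESSAGE_BITS = [int(c) for c in "1011001001011101"] * 125


def ook_trace(bits, symbol_rate_hz, sample_rate_hz=SAMPLE_RATE_HZ):
    """Render bits as an on-off keyed intensity trace: 1 -> lit, 0 -> dark,
    each bit held for one symbol period (sample_rate / symbol_rate samples)."""
    samples_per_symbol = sample_rate_hz // symbol_rate_hz
    return [bit for bit in bits for _ in range(samples_per_symbol)]


def disk_activity_trace(duration_s, sample_rate_hz=SAMPLE_RATE_HZ, seed=1):
    """Irregular bursts resembling a drive's normal activity indicator (constructed):
    5-50 ms lit followed by 10-200 ms dark, with random lengths."""
    rng = random.Random(seed)
    total = int(duration_s * sample_rate_hz)
    out = []
    while len(out) < total:
        on_len = rng.randint(sample_rate_hz // 200, sample_rate_hz // 20)
        off_len = rng.randint(sample_rate_hz // 100, sample_rate_hz // 5)
        out.extend([1] * on_len + [0] * off_len)
    return out[:total]


def run_lengths(samples):
    """Lengths (in samples) of consecutive equal-valued runs, i.e. each lit or dark interval."""
    runs, current = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            current += 1
        else:
            runs.append(current)
            current = 1
    runs.append(current)
    return runs


def assess(samples, sample_rate_hz=SAMPLE_RATE_HZ):
    """Estimate the LED toggle rate and, if every lit/dark interval is a multiple of a
    common period (the signature of a fixed symbol clock), the implied symbol rate."""
    runs = run_lengths(samples)
    toggles = len(runs) - 1
    duration_s = len(samples) / sample_rate_hz
    toggles_per_s = toggles / duration_s
    period = reduce(gcd, runs)  # common divisor of all interval lengths, in samples
    return {
        "toggles_per_s": toggles_per_s,
        "suspicious": toggles_per_s > MAX_NORMAL_TOGGLES_PER_S,
        "estimated_symbol_rate_hz": sample_rate_hz // period if period > 1 else None,
    }


if __name__ == "__main__":
    print("OOK at 2000 baud :", assess(ook_trace(MESSAGE_BITS, 2000)))
    print("normal activity  :", assess(disk_activity_trace(1.0)))
```

The toggle-rate check alone separates the two traces by orders of magnitude: random-looking data at thousands of symbols per second produces on the order of a thousand toggles per second, while bursty read/write activity produces tens. The GCD-based period estimate adds a second, rate-independent signal: a modulated LED is driven by a symbol clock, so every interval is a multiple of one period, whereas genuine drive activity has no such structure. A real deployment would sample a photodiode or camera rather than a list, and should tune the threshold against a baseline of the monitored machine's ordinary activity.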