62 research outputs found
xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs
In this paper we show how attackers can covertly leak data (e.g., encryption
keys, passwords and files) from highly secure or air-gapped networks via the
row of status LEDs that exists in networking equipment such as LAN switches and
routers. Although it is known that some network equipment emanates optical
signals correlated with the information being processed by the device
('side-channel'), intentionally controlling the status LEDs to carry any type
of data ('covert-channel') has never studied before. A malicious code is
executed on the LAN switch or router, allowing full control of the status LEDs.
Sensitive data can be encoded and modulated over the blinking of the LEDs. The
generated signals can then be recorded by various types of remote cameras and
optical sensors. We provide the technical background on the internal
architecture of switches and routers (at both the hardware and software level)
which enables this type of attack. We also present amplitude and frequency
based modulation and encoding schemas, along with a simple transmission
protocol. We implement a prototype of an exfiltration malware and discuss its
design and implementation. We evaluate this method with a few routers and
different types of LEDs. In addition, we tested various receivers including
remote cameras, security cameras, smartphone cameras, and optical sensors, and
also discuss different detection and prevention countermeasures. Our experiment
shows that sensitive data can be covertly leaked via the status LEDs of
switches and routers at a bit rates of 10 bit/sec to more than 1Kbit/sec per
LED
POWER-SUPPLaY: Leaking Data from Air-Gapped Systems by Turning the Power-Supplies Into Speakers
It is known that attackers can exfiltrate data from air-gapped computers
through their speakers via sonic and ultrasonic waves. To eliminate the threat
of such acoustic covert channels in sensitive systems, audio hardware can be
disabled and the use of loudspeakers can be strictly forbidden. Such audio-less
systems are considered to be \textit{audio-gapped}, and hence immune to
acoustic covert channels.
In this paper, we introduce a technique that enable attackers leak data
acoustically from air-gapped and audio-gapped systems. Our developed malware
can exploit the computer power supply unit (PSU) to play sounds and use it as
an out-of-band, secondary speaker with limited capabilities. The malicious code
manipulates the internal \textit{switching frequency} of the power supply and
hence controls the sound waveforms generated from its capacitors and
transformers. Our technique enables producing audio tones in a frequency band
of 0-24khz and playing audio streams (e.g., WAV) from a computer power supply
without the need for audio hardware or speakers. Binary data (files,
keylogging, encryption keys, etc.) can be modulated over the acoustic signals
and sent to a nearby receiver (e.g., smartphone). We show that our technique
works with various types of systems: PC workstations and servers, as well as
embedded systems and IoT devices that have no audio hardware at all. We provide
technical background and discuss implementation details such as signal
generation and data modulation. We show that the POWER-SUPPLaY code can operate
from an ordinary user-mode process and doesn't need any hardware access or
special privileges. Our evaluation shows that using POWER-SUPPLaY, sensitive
data can be exfiltrated from air-gapped and audio-gapped systems from a
distance of five meters away at a maximal bit rates of 50 bit/sec
CTRL-ALT-LED: Leaking Data from Air-Gapped Computers via Keyboard LEDs
Using the keyboard LEDs to send data optically was proposed in 2002 by
Loughry and Umphress [1] (Appendix A). In this paper we extensively explore
this threat in the context of a modern cyber-attack with current hardware and
optical equipment. In this type of attack, an advanced persistent threat (APT)
uses the keyboard LEDs (Caps-Lock, Num-Lock and Scroll-Lock) to encode
information and exfiltrate data from airgapped computers optically. Notably,
this exfiltration channel is not monitored by existing data leakage prevention
(DLP) systems. We examine this attack and its boundaries for today's keyboards
with USB controllers and sensitive optical sensors. We also introduce
smartphone and smartwatch cameras as components of malicious insider and 'evil
maid' attacks. We provide the necessary scientific background on optical
communication and the characteristics of modern USB keyboards at the hardware
and software level, and present a transmission protocol and modulation schemes.
We implement the exfiltration malware, discuss its design and implementation
issues, and evaluate it with different types of keyboards. We also test various
receivers, including light sensors, remote cameras, 'extreme' cameras, security
cameras, and smartphone cameras. Our experiment shows that data can be leaked
from air-gapped computers via the keyboard LEDs at a maximum bit rate of 3000
bit/sec per LED given a light sensor as a receiver, and more than 120 bit/sec
if smartphones are used. The attack doesn't require any modification of the
keyboard at hardware or firmware levels.Comment: arXiv admin note: text overlap with arXiv:1706.0114
Light Auditor: Power Measurement Can Tell Private Data Leakage Through IoT Covert Channels
Despite many conveniences of using IoT devices, they have suffered from various attacks due to their weak security. Besides well-known botnet attacks, IoT devices are vulnerable to recent covert-channel attacks. However, no study to date has considered these IoT covert-channel attacks. Among these attacks, researchers have demonstrated exfiltrating users\u27 private data by exploiting the smart bulb\u27s capability of infrared emission.
In this paper, we propose a power-auditing-based system that defends the data exfiltration attack on the smart bulb as a case study. We first implement this infrared-based attack in a lab environment. With a newly-collected power consumption dataset, we pre-process the data and transform them into two-dimensional images through Continous Wavelet Transformation (CWT). Next, we design a two-dimensional convolutional neural network (2D-CNN) model to identify the CWT images generated by malicious behavior. Our experiment results show that the proposed design is efficient in identifying infrared-based anomalies: 1) With much fewer parameters than transfer-learning classifiers, it achieves an accuracy of 88% in identifying the attacks, including unseen patterns. The results are similarly accurate as the sophisticated transfer-learning CNNs, such as AlexNet and GoogLeNet; 2) We validate that our system can classify the CWT images in real time
- …