10 research outputs found
xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs
In this paper we show how attackers can covertly leak data (e.g., encryption keys, passwords and files) from highly secure or air-gapped networks via the row of status LEDs that exists in networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), intentionally controlling the status LEDs to carry any type of data ('covert-channel') has never been studied before. Malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors. We provide the technical background on the internal architecture of switches and routers (at both the hardware and software level) which enables this type of attack. We also present amplitude- and frequency-based modulation and encoding schemes, along with a simple transmission protocol. We implement a prototype of an exfiltration malware and discuss its design and implementation. We evaluate this method with a few routers and different types of LEDs. In addition, we tested various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and also discuss different detection and prevention countermeasures. Our experiment shows that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 10 bit/sec to more than 1 Kbit/sec per LED.
CTRL-ALT-LED: Leaking Data from Air-Gapped Computers via Keyboard LEDs
Using the keyboard LEDs to send data optically was proposed in 2002 by Loughry and Umphress [1] (Appendix A). In this paper we extensively explore this threat in the context of a modern cyber-attack with current hardware and optical equipment. In this type of attack, an advanced persistent threat (APT) uses the keyboard LEDs (Caps-Lock, Num-Lock and Scroll-Lock) to encode information and exfiltrate data from air-gapped computers optically. Notably, this exfiltration channel is not monitored by existing data leakage prevention (DLP) systems. We examine this attack and its boundaries for today's keyboards with USB controllers and sensitive optical sensors. We also introduce smartphone and smartwatch cameras as components of malicious insider and 'evil maid' attacks. We provide the necessary scientific background on optical communication and the characteristics of modern USB keyboards at the hardware and software level, and present a transmission protocol and modulation schemes. We implement the exfiltration malware, discuss its design and implementation issues, and evaluate it with different types of keyboards. We also test various receivers, including light sensors, remote cameras, 'extreme' cameras, security cameras, and smartphone cameras. Our experiment shows that data can be leaked from air-gapped computers via the keyboard LEDs at a maximum bit rate of 3000 bit/sec per LED given a light sensor as a receiver, and more than 120 bit/sec if smartphones are used. The attack doesn't require any modification of the keyboard at hardware or firmware levels.
Comment: arXiv admin note: text overlap with arXiv:1706.0114
The Little Seal Bug: Optical Sound Recovery from Lightweight Reflective Objects
In this paper, we introduce the little seal bug attack, an optical side-channel attack which exploits lightweight reflective objects (e.g., an iced coffee can, a smartphone stand, a souvenir) as optical implants for the purpose of recovering the content of a conversation. We show how fluctuations in the air pressure on the surface of a shiny object can be exploited by eavesdroppers to recover speech passively and externally, using equipment not likely to be associated with spying. These air pressure fluctuations, which occur in response to sound, cause the shiny object to vibrate and reflect light which modulates the nearby sound; as a result, seemingly innocuous objects like an empty beverage can, desk ornament, or smartphone stand, which are often placed on desks, can provide the infrastructure required for eavesdroppers to recover the content of a victim's conversation held when the victim is sitting at his/her desk. First, we conduct a series of experiments aimed at learning the characteristics of optical measurements obtained from shiny objects that reflect light, by using a photodiode to analyze the movement of a shiny weight in response to sound. Based on our findings, we propose an optical acoustical transformation (OAT) to recover speech from the optical measurements obtained from light reflected from shiny objects. Finally, we compare the performance of the little seal bug attack to related methods presented in other studies. We show that eavesdroppers located 35 meters away from a victim can use the little seal bug attack to recover speech at the sound level of a virtual meeting with fair intelligibility wh
Lamphone: Real-Time Passive Sound Recovery from Light Bulb Vibrations
Recent studies have suggested various side-channel attacks for eavesdropping sound by analyzing the side effects of sound waves on nearby objects (e.g., a bag of chips and window) and devices (e.g., motion sensors). These methods pose a great threat to privacy; however, they are limited in one of the following ways: they (1) cannot be applied in real time (e.g., Visual Microphone), (2) are not external, requiring the attacker to compromise a device with malware (e.g., Gyrophone), or (3) are not passive, requiring the attacker to direct a laser beam at an object (e.g., laser microphone). In this paper, we introduce Lamphone, a novel side-channel attack for eavesdropping sound; this attack is performed by using a remote electro-optical sensor to analyze a hanging light bulb's frequency response to sound. We show how fluctuations in the air pressure on the surface of the hanging bulb (in response to sound), which cause the bulb to vibrate very slightly (a millidegree vibration), can be exploited by eavesdroppers to recover speech and singing, passively, externally, and in real time. We analyze a hanging bulb's response to sound via an electro-optical sensor and learn how to isolate the audio signal from the optical signal. Based on our analysis, we develop an algorithm to recover sound from the optical measurements obtained from the vibrations of a light bulb and captured by the electro-optical sensor. We evaluate Lamphone's performance in a realistic setup and show that Lamphone can be used by eavesdroppers to recover human speech (which can be accurately identified by the Google Cloud Speech API) and singing (which can be accurately identified by Shazam and SoundHound) from a bridge located 25 meters away from the target room containing the hanging light bulb.
Optical Cryptanalysis: Recovering Cryptographic Keys from Power LED Light Fluctuations
Although power LEDs have been integrated in various devices that perform cryptographic operations for decades, the cryptanalysis risk they pose has not yet been investigated. In this paper, we present optical cryptanalysis, a new form of cryptanalytic side-channel attack, in which secret keys are extracted by using a photodiode to measure the light emitted by a device's power LED and analyzing subtle fluctuations in the light intensity during cryptographic operations. We analyze the optical leakage of power LEDs of various consumer devices and the factors that affect the optical SNR. We then demonstrate end-to-end optical cryptanalytic attacks against a range of consumer devices (smartphone, smartcard, and Raspberry Pi, along with their USB peripherals) and recover secret keys (RSA, ECDSA, SIKE) from prior and recent versions of popular cryptographic libraries (GnuPG, Libgcrypt, PQCrypto-SIDH) from a maximum distance of 25 meter
A study in the mechanics of aeration at weirs
SIGLE LD:D50346/84 / BLDSC - British Library Document Supply Centre, GB, United Kingdom
Quasi-digital front-ends for current measurement in integrated circuits with giant magnetoresistance technology
In this study, the authors report on two different electronic interfaces for electric current monitoring in low-power integrated circuits through current-to-frequency (I-f) conversion schemes. This proposal displays the intrinsic advantages of quasi-digital systems regarding direct interfacing and self-calibrating capabilities. In addition, as current-sensing devices, they have made use of giant magnetoresistance (GMR) technology because of its high sensitivity and compatibility with standard complementary metal oxide semiconductor processes. Single elements and Wheatstone bridges based on spin-valves and magnetic tunnel junctions have been considered. In this sense, schematic-level simulations for integration in Austria Microsystems 0.35 µm technology have been corroborated by means of experimental measurements with the help of printed circuit board prototypes and real GMR devices. Tables with relevant parameters (silicon area, power consumption, sensitivity, etc.) have been constructed as practical tools for designers. Electric currents down to 2 µA have been resolved in this way.
Peer Reviewed