from Hacker News

Lasershark: Fast, bidirectional communication into air-gapped systems

by dloss on 2/11/22, 5:26 PM with 112 comments

  • by Ansil849 on 2/11/22, 7:50 PM

    > For our attacker model, we assume that an initial compromise has happened on the target device through the software supply-chain similar to the incidents at SolarWinds [8] and CodeCov [7]. For example, a regular update of the device’s firmware might unnoticeably add the necessary code for sending and receiving data through a built-in LED.

    I mean, sure, if you have the ability to compromise the airgapped device by running code on it then you could presumably be doing a lot of things besides just leveraging potential LED line of sight.

  • by anfractuosity on 2/11/22, 6:03 PM

    Related to reading information from LEDs, thought this paper was cool - http://www.applied-math.org/optical_tempest.pdf (from 2002)

    "Dial-up and leased-line modems were found to faithfully broadcast data transmitted and received by the device"

    Edit: Also it looks like Loughry has proposed similar work, using lasers and LEDs https://arxiv.org/pdf/1907.00479.pdf

  • by Jerrrry on 2/11/22, 6:38 PM

    You can exfiltrate data at a bit/hour through power consumption.

    Run while(1){sin(cos(tan(rand(1))));} for 1, nothing for 0, every half hour, with a correctional bit thrown in for good measure.

    Measure the heat of the room via remote sensing, power consumption, AC/air frequency analysis.

    The NSA will have to add a layer of thermodynamic static noise in addition to their rooms full of stereos blasting white noise.

    A technically proficient attacker could infer the value of an encryption key given the GDP of the nation-state, if the data was granular enough.

  • by contingencies on 2/11/22, 10:11 PM

    > While LEDs are designed to emit light and can thus unnoticeably encode information through high-frequency flickering, their ability to also perceive light is largely unknown in the security community. In particular, by directing a laser on the LEDs of office devices, we induce a measurable current in the hardware that can be picked up by its firmware and used to receive incoming data.

    They are firing a laser at an LED under the following assumptions.

    1. They already have arbitrary code execution on the device but want to open a bidirectional communication channel.

    2. It is possible to reprogram the GPIO port to function as an input (not always possible, since ports may be output only).

    3. They can induce a large enough current through firing a laser at the LED to exceed the GPIO threshold voltage for said port.

    4. They have a suitable line of sight to the LED, i.e. it is both facing them and not recessed, and there is no oblique or low-opacity window between them and the air-gapped asset.

    5. They can get close enough to launch the attack.

  • by jonititan on 2/11/22, 5:55 PM

    It's neat, but the characterisation of the sensing potential of LEDs as relatively unknown is laughable. It's been known as far back as Forrest Mims' seminal books on circuits.

  • by 1970-01-01 on 2/11/22, 7:40 PM

    When you have sensitive data that needs to be air-gapped, but not so sensitive it can't be behind a pane of glass.

  • by sigg3 on 2/11/22, 6:43 PM

    If you want to effectively bridge an airgap you compromise someone on the inside.

  • by squarefoot on 2/11/22, 9:44 PM

    I briefly skimmed the paper; it looks like they're using PWM but not at its full potential. I would use it also as a synchronization means, that is, the attacker points the LED/laser and receiver to the target LED, the attacker sends a signal like, say, a 10% modulated PWM, save for a 50% wide start bit which marks the start of the word being transmitted, then the bits are modulated like 10% for 1 and 20% for 0, or the other way around. Basically, the attacker talks 20% of each cycle, and listens for the remaining 80%. The target LED can then be read to detect those signals and sync itself to the signal received so that when replying it just modulates the LED during the remaining time of each duty cycle. The attacker, just by maintaining the link, will receive both the echo of its transmission and the target's reply. That's just an idea, however; I'm not implying I would be able to implement it effectively :).

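
The timing scheme sketched in the comment above, simulated at the sample level as an added example (this is not code from the thread or from the Lasershark paper). Every number is an assumption chosen to match the comment: 100 samples per cycle, a 50%-wide start pulse, 10% for a 1 and 20% for a 0 from the attacker's side, and a reply pulse from the target LED in the 50%-80% window of each cycle, where the attacker is known to be silent. Both ends lock on to the cycle phase by looking for the wide start pulse, which is also why the simulation starts each stream with an unknown number of dark samples.

```python
# Added example: sample-level model of a half-duplex PWM word exchange.
# All duty fractions and the cycle length are assumptions, not values from the paper.
CYCLE = 100                                   # samples per PWM cycle
START_DUTY, ONE_DUTY, ZERO_DUTY = 0.50, 0.10, 0.20
TALK_WINDOW = 0.35                            # anything lit in the first 35% is the attacker's pulse
REPLY_START, REPLY_WIDTH = 0.50, 0.30         # target answers in the 50%-80% window


def laser_cycle(duty: float) -> list[int]:
    """One PWM cycle of the attacker's laser: `duty` of the cycle high, then low."""
    on = round(duty * CYCLE)
    return [1] * on + [0] * (CYCLE - on)


def attacker_word(bits: list[int]) -> list[int]:
    """Start pulse followed by one duty-coded cycle per data bit."""
    samples = laser_cycle(START_DUTY)
    for b in bits:
        samples += laser_cycle(ONE_DUTY if b else ZERO_DUTY)
    return samples


def target_reply(bits: list[int]) -> list[int]:
    """The target LED stays dark during the start cycle, then answers one bit per
    cycle by lighting the reply window (1) or staying dark (0)."""
    samples = [0] * CYCLE
    lo, hi = int(REPLY_START * CYCLE), int((REPLY_START + REPLY_WIDTH) * CYCLE)
    for b in bits:
        cyc = [0] * CYCLE
        if b:
            cyc[lo:hi] = [1] * (hi - lo)
        samples += cyc
    return samples


def find_start(samples: list[int]) -> int:
    """Index of the rising edge that opens the first high run of at least 40% of a
    cycle. This is how both ends recover the cycle phase. Returns -1 if absent."""
    i, n = 0, len(samples)
    while i < n:
        if samples[i] == 1 and (i == 0 or samples[i - 1] == 0):
            j = i
            while j < n and samples[j] == 1:
                j += 1
            if j - i >= 0.4 * CYCLE:
                return i
            i = j
        else:
            i += 1
    return -1


def decode_laser(samples: list[int], nbits: int) -> list[int]:
    """Target side: sync on the start pulse, measure the on-time inside the talk
    window of each following cycle, and pick the nearer of the two duty levels."""
    start = find_start(samples)
    if start < 0:
        raise ValueError("no start pulse found")
    bits = []
    for k in range(1, nbits + 1):
        cyc = samples[start + k * CYCLE: start + (k + 1) * CYCLE]
        duty = sum(cyc[: int(TALK_WINDOW * CYCLE)]) / CYCLE
        bits.append(1 if abs(duty - ONE_DUTY) < abs(duty - ZERO_DUTY) else 0)
    return bits


def decode_reply(samples: list[int], nbits: int) -> list[int]:
    """Attacker side: the detector sees its own echo plus the target's pulse; it
    syncs the same way, ignores the talk window and thresholds the reply window."""
    start = find_start(samples)
    if start < 0:
        raise ValueError("no start pulse found")
    lo, hi = int(REPLY_START * CYCLE), int((REPLY_START + REPLY_WIDTH) * CYCLE)
    bits = []
    for k in range(1, nbits + 1):
        cyc = samples[start + k * CYCLE: start + (k + 1) * CYCLE]
        bits.append(1 if sum(cyc[lo:hi]) > (hi - lo) // 2 else 0)
    return bits


def simulate(tx_bits: list[int], reply_bits: list[int], phase: int = 37):
    """Run one word in each direction. `phase` leading dark samples model the
    receivers not knowing where a cycle begins. Returns (bits decoded by the
    target, bits decoded by the attacker)."""
    laser = [0] * phase + attacker_word(tx_bits)
    led = [0] * phase + target_reply(reply_bits)
    seen_by_attacker = [a | b for a, b in zip(laser, led)]   # echo and reply hit one detector
    return decode_laser(laser, len(tx_bits)), decode_reply(seen_by_attacker, len(reply_bits))


if __name__ == "__main__":
    print(simulate([1, 0, 1, 1, 0, 0, 1, 0], [0, 1, 1, 0, 1, 0, 0, 1]))
```

The same two steps a receiver needs, locating a wide sync pulse and then measuring on-time per cycle, are also what an analysis of camera footage of an indicator LED would do to tell structured flicker from ordinary activity blinking: a fixed cycle length with only two or three distinct duty levels is the signature to look for.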
  • by camjohnson26 on 2/11/22, 5:41 PM

    Reminds me of this tweet:

    “Tech enthusiasts: My entire house is smart.

    Tech workers: The only piece of technology in my house is a printer and I keep a gun next to it so I can shoot it if it makes a noise I don't recognize.”

    Honestly I’m starting to operate under the assumption that anything can be hacked with enough focus and determination. Obscurity isn’t such a bad defense in the long run.

    https://twitter.com/PPathole/status/1116670170980859905?s=20...

  • by mikewarot on 2/12/22, 7:34 AM

    If you're going to try this at home, it is important to know that LEDs work as photodiodes only when the impinging light is of a higher energy than the photons the LED emits normally.

    A given LED color below will only detect colors to the right of it

    Infrared < Red < Orange < Yellow < Green < Blue < Ultraviolet

    Back in the 1990s I breadboarded an alarm circuit that used a normal cheap bicolor LED as both transmitter and receiver, feeding some BiFET op amps. I could detect a bicycle reflector to about 6 feet.
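
The colour-chain rule in the comment above, turned into a small photon-energy check as an added example (not code from the thread or the paper). It generalises the chain from named colours to arbitrary wavelengths, so a defender deciding which indicator LEDs to cover can ask directly whether a given laser wavelength carries enough energy to drive a given LED. The typical peak wavelengths listed are assumptions; real parts vary by tens of nanometres, and the strict "higher energy" comparison is the comment's rule, not a full model of an LED's absorption edge.

```python
# Added example: which LEDs can act as receivers for a given light source,
# using the rule that the incident photon must carry more energy than the LED emits.
HC_EV_NM = 1239.84  # h*c in eV*nm, so E(eV) = 1239.84 / wavelength(nm)

# Typical peak emission wavelengths in nm for common indicator LEDs (assumed values).
LED_WAVELENGTH_NM = {
    "infrared": 940,
    "red": 630,
    "orange": 605,
    "yellow": 590,
    "green": 525,
    "blue": 470,
    "ultraviolet": 395,
}


def photon_energy_ev(wavelength_nm: float) -> float:
    """Photon energy in electron-volts for a wavelength in nanometres."""
    if wavelength_nm <= 0:
        raise ValueError("wavelength must be positive")
    return HC_EV_NM / wavelength_nm


def can_detect(led_wavelength_nm: float, source_wavelength_nm: float) -> bool:
    """The comment's rule: an LED senses incoming light only if its photons are more
    energetic (shorter wavelength) than the photons the LED itself emits."""
    return photon_energy_ev(source_wavelength_nm) > photon_energy_ev(led_wavelength_nm)


def leds_sensitive_to(source_wavelength_nm: float) -> list[str]:
    """Names of the typical LED colours a source of this wavelength could drive,
    ordered from least to most energetic, matching the chain in the comment."""
    by_wavelength = sorted(LED_WAVELENGTH_NM.items(), key=lambda kv: -kv[1])
    return [colour for colour, wl in by_wavelength if can_detect(wl, source_wavelength_nm)]


if __name__ == "__main__":
    # Three common pointer/laser-module wavelengths (assumed): red, green, violet.
    for src in (650, 532, 405):
        print(f"{src} nm source could drive: {leds_sensitive_to(src)}")
```

The interesting consequence is that a red laser is no match for a red indicator: a 650 nm source is lower in energy than a typical 630 nm red LED's own emission, so under this rule only an infrared LED would respond to it, while a 405 nm violet source reaches everything except an ultraviolet LED.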

  • by supercoffee on 2/12/22, 1:02 AM

    This concept sounded familiar, and it turns out that somebody else researched a similar technique a few years ago.

    https://cris.bgu.ac.il/en/publications/xled-covert-data-exfi...

  • by yencabulator on 2/15/22, 8:21 PM

    The pull quote I wanted to see:

    > While LEDs are designed to emit light and can thus unnoticeably encode information through high-frequency flickering, their ability to also perceive light is largely unknown in the security community. In particular, by directing a laser on the LEDs of office devices, we induce a measurable current in the hardware that can be picked up by its firmware and used to receive incoming data.

  • by vajrabum on 2/11/22, 5:56 PM

    I'd guess that means that going forward security conscious people will be putting tape or covers over not only their cameras but also over their LEDs.

    In high security settings the buildings have no windows or have fake windows to keep external laser signals out, so that's not new. That's been true since about the time someone figured out you can reconstruct audio from the Doppler shift of a laser reflected off windows.

  • by djinnandtonic on 2/11/22, 10:42 PM

    I don't understand why this is called an attack. Looks like just a (very cool!) communication protocol, over an unusual medium?

  • by etrautmann on 2/11/22, 7:20 PM

    Could an LCD display be used as a sensor?

  • by forgotmyoldacc on 2/11/22, 6:21 PM

    How often are attackers hacking an air-gapped device but have line of sight? It seems fairly implausible.

  • by lokimedes on 2/12/22, 7:14 AM

    There goes my office windows. Next up: how thermal control systems can be exploited to enhance band-gap transition probability to covertly cause bit-flips in air-gapped facilities. Vacuum it is.

  • by rdtwo on 2/12/22, 4:12 AM

    Why not just use the fan as a speaker and modulate fan noise? Is that too slow? The response time on the LED to get a clear one or zero would be pretty slow too.

  • by triactual on 2/12/22, 2:11 AM

    There are some pretty simple hardware mitigations that would render this and similar attacks nearly impossible and they only add pennies to the design.

  • by abi on 2/11/22, 7:37 PM

    How do I go about installing a receiver in the air-gapped system in the first place? I'm a little confused on that.

  • by jppope on 2/11/22, 6:07 PM

    I had to upvote just based on the name. The Doctor Evil reference is hilarious.