A group of Israeli researchers has devised a new technique to exfiltrate data from a PC in an air-gapped network through malware controlled via scanners.
The team was composed of Ben Nassi, a graduate student at the Cyber Security Research Center at Ben-Gurion University, and his advisor Yuval Elovici, based on an idea of the prominent cryptographer Adi Shamir.
The technique could be used by hackers to establish a covert communication channel between malicious code running on the target machine in an air-gapped network and the attacker.
The technique leverages a flatbed scanner, which the researchers used to send commands to their malicious code running on the target victim's network.
"Our method uses light transmitted by an attacker to a flatbed scanner, which is then extracted by a malware installed in the organization," reads the paper published by the researchers. "Our method exploits an organization's scanner which serves as a gateway to the organization, in order to establish a covert channel between a malware and an attacker. The attacker controlling the light source can be located far away from the targeted scanner."
In order to transfer data into an air-gapped network, the researchers use a light source aimed at the scanner, which then receives the commands.
The scanner detects reflected light on its glass pane, translates it into binary and converts it into an image. Scanners are sensitive to any change of light in the surrounding environment, even when a paper is on the glass or when the light source is infrared.
The researchers transmitted the signal to the scanner by pointing a light at its glass pane. The commands are sent with a binary encoding obtained by turning the light on and off. Each command is enclosed between specific binary sequences (1001).
According to the researchers, the attacker can also send messages to the malicious code by hijacking an existing light source installed in the vicinity of the scanner, for example a smart bulb.
In the test conducted by the researchers, the team of experts was able to delete a file on the target system by sending the command "erase file xxx.doc" via a laser positioned on a stand outside a glass-walled building from 900 meters away.
In a real attack scenario, it is possible to use a drone equipped with a laser gun while flying outside an office window.
In order to successfully conduct this kind of attack, the malware must be present on the target machine, and a scanner with an at least partially open lid must be connected to the PC in order to receive the light.
In a real attack scenario, malicious code could infect the target network and then scan it in search of scanners. In order to avoid detection, the scan could start at nighttime or during the weekend when the office is empty.
Let's take a look at the transmission speed obtained with this technique: it took 50 milliseconds to transmit each bit of the command.
This means that a 64-bit message took about three seconds to be transmitted, and the malware read the signal in real-time and acknowledged receipt by triggering a second scan once the command sequence ended.
In the test conducted by the Israeli researchers, the team used the technique to trigger a ransomware attack, sending the encrypt command from a car in the parking lot. The attacker controlled the fluctuating lightbulb via Bluetooth from a Samsung Galaxy S4.
"The driver held a Samsung Galaxy S4 while driving in order to perform the attack from a dedicated application that we wrote and installed on the Galaxy. The application scans for a MagicBlue smart bulb and connects to it. After connection, the application modulates a given command as light sequence using a series of 'on' (1 bit) and 'off' (0 bit) signals sent from over a BLE channel," continues the paper.
The scanners used in the attack could detect changes in brightness from the smart bulb as small as a 5 percent reduction of light, in sequences that lasted less than 25 milliseconds. An attack with these characteristics goes undetected by the human eye.
The researchers say that a possible countermeasure is to disconnect scanners from internal networks, but this solution is not feasible due to the impact on the ordinary work of the employees of a target company.
The best countermeasure consists of setting up a proxy system whereby the scanner is connected by wire to a computer on the organization's network that processes data from the scanner; in this way the scanner isn't directly connected to the network.
"However, we believe that a proxy based solution will prevent the attacker from establishing such a covert channel without the need to apply extreme changes. The scanner will be connected by a wire directly (e.g., using a USB interface) to a computer (proxy) within the organization's network instead of being connected to the network. The proxy will provide an API. When a scanning request is received, the computer initiates a scan and processes the output in a classifier in order to detect malicious scan," concluded the researchers.
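To make the channel parameters described above (50 ms per bit, on/off light levels, commands framed by 1001) concrete, and to sketch the kind of check the proposed proxy classifier would run on a scan, here is an added model written for this page; it is not the researchers' code. It assumes a 5 ms brightness sampling interval, an ASCII payload and an "off" level 5 percent dimmer than the ambient reading, all of which are constructed assumptions.

```python
"""Constructed model of the scanner covert channel and a detector for it.
Paper values: 50 ms per bit, commands framed by 1001, a 5 % light drop
is detectable. Assumed here: 5 ms sampling, ASCII payload, 'off' = -5 %."""
from typing import List, Optional

BIT_MS = 50                   # paper: 50 ms per transmitted bit
SAMPLE_MS = 5                 # assumption: brightness sampled every 5 ms
PER_BIT = BIT_MS // SAMPLE_MS # readings per bit
DELIM = [1, 0, 0, 1]          # paper: command enclosed between 1001 markers
DROP = 0.05                   # paper: a 5 % reduction in light is detectable


def modulate(text: str, baseline: float) -> List[float]:
    """Constructed light-source model: frame ASCII text in DELIM markers and
    emit PER_BIT readings per bit ('on' = baseline, 'off' = baseline - 5 %)."""
    bits = DELIM + [int(b) for c in text for b in format(ord(c), "08b")] + DELIM
    level = {1: baseline, 0: baseline * (1 - DROP)}
    return [level[b] for b in bits for _ in range(PER_BIT)]


def demodulate(samples: List[float]) -> List[int]:
    """Take the brightest reading as the ambient 'on' level, slice the
    readings into 50 ms windows and threshold each window's mean halfway
    between the 'on' and 'off' levels."""
    if not samples:
        return []
    threshold = max(samples) * (1 - DROP / 2)
    bits = []
    for i in range(0, len(samples) - PER_BIT + 1, PER_BIT):
        window = samples[i:i + PER_BIT]
        bits.append(1 if sum(window) / len(window) >= threshold else 0)
    return bits


def detect_command(samples: List[float]) -> Optional[str]:
    """Classifier step: return the ASCII text framed by two DELIM markers in
    the scan's brightness readings, or None if no framed command is present.
    Uses the first and last marker so a 1001 pattern inside the payload does
    not end the frame early (an assumption about the framing, not the paper's)."""
    bits = demodulate(samples)
    n = len(DELIM)
    marks = [i for i in range(len(bits) - n + 1) if bits[i:i + n] == DELIM]
    if len(marks) < 2 or marks[-1] < marks[0] + n:
        return None
    payload = bits[marks[0] + n:marks[-1]]
    if not payload or len(payload) % 8:
        return None                          # not a whole number of bytes
    chars = ("".join(map(str, payload[i:i + 8])) for i in range(0, len(payload), 8))
    return "".join(chr(int(c, 2)) for c in chars)
```

A steady light level decodes to all ones and therefore contains no 1001 marker, so `detect_command` returns None for an ordinary scan.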