Malware Uses Blinking Hard Drive LEDs to Transmit Data to Nearby Cameras


Custom-made malware installed on an offline computer can use a hard drive’s LED to send out sensitive data from infected computers to nearby cameras.

This Hollywood hacking scenario is now a reality: security researchers from a university in Israel have built such malware and tested it successfully in realistic conditions.

The malware, which runs from an ordinary user account and needs no admin rights, has one job: to make the HDD activity LED flicker in a controlled pattern. It does so by issuing disk reads or writes, the same everyday file I/O that drives the LED in the first place.

LED-it-GO: stealing data via light signals

An attacker then uses a nearby camera to record the LED's flickers and feeds the video to a computer for analysis. The encoding is simple on/off keying: an LED that is on stands for a binary one, an LED that is off for a binary zero.

This way, the malware can find sensitive information on infected computers, break down the data into ones and zeros, and exfiltrate it via the HDD LED.

The type of data the malware can steal is up to the attacker, but smaller-sized files are better, such as logged keystrokes, encryption keys, or user credentials dumped from various applications.

Attackers can then use cameras found on their phones, those mounted on drones, or surveillance cameras deployed with CCTV systems to record the video and pass it on.

Test results

Researchers said they tested various camera types and HDD LEDs in various colors, such as red, blue, and white.

Their tests showed that photodiode sensors capture the LED signal best, reaching a maximum of 4,000 bits per second.

Other receivers tested included GoPro cameras, high-end security cameras, entry-level DSLR cameras, HD webcams, smartphone cameras, and Google Glass. Most of these managed only around 15 bits per second, with the GoPro Hero5 reaching up to 120 bits per second. The limit is the receiver's sampling rate: each bit needs at least one frame or sample, so a camera's frame rate caps how fast the LED can be read.

As for LED colors, researchers said that blue LEDs produced the strongest optic signals.
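To make the on/off encoding concrete, and to show why a receiver's sampling rate caps the bit rate the way the test results do, here is an added simulation (not the researchers' code): it modulates bytes onto an LED on/off timeline, samples that timeline the way a photodiode or camera would, and decodes the result. The 120 kHz simulation clock, the 8-bit sync preamble, the sensor model (each sample averages the LED over one sample period) and the payload are assumptions; the block performs no disk I/O and models only the optical channel.

```python
"""Simulated HDD-LED optical channel: bytes -> on/off keying (OOK) -> sensor samples -> bytes.

Added example, not the researchers' code. Assumptions: a 120 kHz simulation clock, a fixed
8-bit sync preamble, and a sensor whose every sample integrates light over one sample
period (so a 30 fps camera averages the LED over 1/30 s).
"""
from typing import List, Optional

CLOCK_HZ = 120_000                   # simulation tick rate (assumption)
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]  # constructed sync pattern (assumption)


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit list."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def led_states(data: bytes, bit_rate: int) -> List[int]:
    """LED state (1 = on, 0 = off) for every simulation tick: OOK, one bit per bit period."""
    if CLOCK_HZ % bit_rate:
        raise ValueError("bit_rate must divide CLOCK_HZ in this simulation")
    ticks_per_bit = CLOCK_HZ // bit_rate
    states: List[int] = []
    for bit in PREAMBLE + bytes_to_bits(data):
        states.extend([bit] * ticks_per_bit)
    return states


def capture(states: List[int], sample_hz: float) -> List[float]:
    """Sensor samples: each is the mean LED state over one sample period (the exposure)."""
    window = CLOCK_HZ / sample_hz        # ticks per sample
    samples: List[float] = []
    t = 0.0
    while t < len(states):
        start = int(t)
        end = max(start + 1, min(int(t + window), len(states)))
        chunk = states[start:end]
        samples.append(sum(chunk) / len(chunk))
        t += window
    return samples


def decode(samples: List[float], sample_hz: float, bit_rate: int) -> Optional[bytes]:
    """Recover bytes from sensor samples; None if the sensor is too slow or sync fails."""
    samples_per_bit = sample_hz / bit_rate
    if samples_per_bit < 1:
        # Fewer than one sample per bit: bits are skipped or smeared into one sample.
        return None
    n_bits = int(len(samples) / samples_per_bit)
    bits: List[int] = []
    for i in range(n_bits):
        group = samples[int(round(i * samples_per_bit)):int(round((i + 1) * samples_per_bit))]
        if not group:
            return None
        bits.append(1 if sum(group) / len(group) >= 0.5 else 0)   # majority vote per bit
    if bits[:len(PREAMBLE)] != PREAMBLE:
        return None                      # no sync pattern: the recording is not a transmission
    return bits_to_bytes(bits[len(PREAMBLE):])


def simulate(data: bytes, bit_rate: int, sample_hz: float) -> Optional[bytes]:
    """End to end: modulate, sample with a sensor of the given rate, demodulate."""
    return decode(capture(led_states(data, bit_rate), sample_hz), sample_hz, bit_rate)


def exfil_seconds(n_bytes: int, bit_rate: int) -> float:
    """Transmission time for a payload of n_bytes at the given bit rate, preamble included."""
    return (8 * n_bytes + len(PREAMBLE)) / bit_rate


if __name__ == "__main__":
    secret = b"key=s3cret"                       # constructed payload
    print(simulate(secret, 4000, 20_000))        # fast photodiode-like sensor: recovered
    print(simulate(secret, 15, 30))              # 30 fps webcam at 15 bps: recovered
    print(simulate(secret, 120, 30))             # 30 fps webcam at 120 bps: None
    print(f"{exfil_seconds(1_000_000, 4000) / 60:.1f} minutes for 1 MB at 4000 bps")
```

The third call fails for the reason the test results hint at: a 30 fps camera delivers a quarter of a sample per bit at 120 bps, so whole bits vanish between frames and several bits get averaged into one exposure, while the same camera at 15 bps sees two clean frames per bit and decodes perfectly.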

LED-it-GO is a covert attack

With a maximum exfiltration speed of 4,000 bits/s (0.5 KB/s), stealing larger files is feasible, if slow: a 1 MB file takes roughly 33 minutes, which is workable as long as users don't notice and stop the attack.

“Because the HDD activity LED routinely blinks frequently, additional blinks caused by the attack may raise no suspicions,” researchers pointed out.

Furthermore, when transmitting data, the LED blinks so rapidly that to the human eye it appears to be on continuously.

Even when the blinking is visible, it attracts little attention: a PC always has one or more LEDs blinking, and most human operators ignore them anyway.

Researchers recorded a video showing how they used a camera mounted on a drone to pick up LED flickers from a PC on a building’s third floor.

Attack was designed for targeting air-gapped systems

Despite the grim picture the researchers paint, this scenario only works if attackers first manage to get their malware onto the target computer, which for an isolated machine means some other vector, such as removable media, has already been used.

Since there are easier ways to steal data from Internet-connected PCs than using HDD LED flickers, this type of attack is suitable only for air-gapped systems that store sensitive information, but have no Internet connection.

In many real-world deployments, air-gapped systems sit in isolated rooms with no windows and no other electronics nearby, which puts them out of reach of any camera in the first place.

Basic countermeasures exist

If by any chance there’s a sensitive air-gapped computer in the range of a camera, it’s quite easy to mitigate the attack by putting tape over the LED or shielding windows so outsiders can’t peek in.

Other countermeasures researchers proposed include banning cameras from rooms where companies store air-gapped systems (already implemented in many places), physically disconnecting LEDs or deploying LED activity monitoring systems.
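As an illustration of what an LED activity monitor could key on (an added example, not one of the researchers' countermeasures), the following heuristic separates a trace whose on/off runs all last a whole number of bit periods, as on/off keying on a fixed clock produces, from the irregular runs of ordinary disk activity. The 10 kHz sampling rate, the thresholds and both sample traces are constructed assumptions.

```python
"""Illustrative LED activity monitor: added example, not part of the researchers' work.

Heuristic: ordinary disk I/O turns the activity LED on and off for irregular durations,
while a payload modulating data toggles it on a fixed bit clock, so every on/off run lasts
a whole number of bit periods. The monitor estimates that base period from the shortest
run and flags a trace if almost every run aligns to a multiple of it. The sampling rate,
thresholds and both traces below are constructed assumptions.
"""
import random
from typing import List

SAMPLE_HZ = 10_000        # assumed sampling rate of the monitoring sensor


def run_lengths(trace: List[int]) -> List[int]:
    """Lengths (in samples) of consecutive runs of identical LED state."""
    runs: List[int] = []
    run = 1
    for prev, cur in zip(trace, trace[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    runs.append(run)
    return runs


def is_modulated(trace: List[int], tolerance: float = 0.1,
                 min_runs: int = 16, min_fraction: float = 0.9) -> bool:
    """True if nearly all on/off runs are multiples of a common short period."""
    runs = run_lengths(trace)
    if len(runs) < min_runs:
        return False          # too little activity to judge
    base = min(runs)          # shortest run: candidate bit period
    tol = max(1, int(base * tolerance))
    aligned = sum(1 for r in runs if min(r % base, base - r % base) <= tol)
    return aligned / len(runs) >= min_fraction


def natural_activity(n_runs: int, seed: int = 1) -> List[int]:
    """Constructed stand-in for ordinary disk activity: random on/off durations of 2-300 ms."""
    rng = random.Random(seed)
    trace: List[int] = []
    state = 0
    for _ in range(n_runs):
        trace.extend([state] * rng.randint(SAMPLE_HZ // 500, SAMPLE_HZ * 3 // 10))
        state ^= 1
    return trace


def modulated_trace(data: bytes, bit_rate: int) -> List[int]:
    """Constructed OOK transmission (fixed preamble, then MSB-first bits) as the sensor sees it."""
    samples_per_bit = SAMPLE_HZ // bit_rate
    bits = [1, 0, 1, 0, 1, 0, 1, 1] + [(b >> i) & 1 for b in data for i in range(7, -1, -1)]
    trace: List[int] = []
    for bit in bits:
        trace.extend([bit] * samples_per_bit)
    return trace


if __name__ == "__main__":
    print("normal I/O flagged:", is_modulated(natural_activity(200)))             # False
    print("exfil flagged:", is_modulated(modulated_trace(b"secret key", 1000)))   # True
```

The check has an obvious blind spot: a payload that randomises its bit period or hides bits inside genuine I/O bursts would slip past it, so a production monitor would rather correlate LED activity with the operating system's own I/O counters and alert on blinking that no process accounts for. The point here is only the shape of signal a monitor can look for.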

This research is titled LED-it-GO: Leaking (a lot of) Data from Air-Gapped Computers via the (small) Hard Drive LED, and is the work of researchers from the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel.

Previously the same research team published research such as:
SPEAKE(a)R – use headphones to record audio and spy on nearby users
9-1-1 DDoS – launch DDoS attacks that can cripple a US state’s 911 emergency systems
USBee – make a USB connector’s data bus give out electromagnetic emissions that can be used to exfiltrate data
AirHopper – use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
Fansmitter – steal data from air-gapped PCs using the noise emitted by a computer’s CPU and chassis fans
DiskFiltration – steal data using the hard drive read/write sounds
BitWhisper – exfiltrate data from non-networked computers using heat emanations