CTRL-ALT-LED, the new way to hack “air-gapped” systems

According to network security specialists, the Caps Lock, Num Lock and Scroll Lock LEDs on a USB keyboard can be used to extract data from a system protected by an “air gap”, a security measure that physically isolates a computer network from other, insecure networks such as public WiFi or an unsecured LAN.

The attack, dubbed “CTRL-ALT-LED”, does not affect users of regular computer equipment. It targets more heavily secured environments (government computer networks, for example) where sensitive information is stored, which makes them a very attractive target for threat actors.

Network security experts point out that the attack has preconditions. For example, the hacker must first find a way to infect the air-gapped system with a malware variant. “The CTRL-ALT-LED attack is just the data extraction method”, they add.

If these preconditions are met, the malware used by the attacker can make the LEDs on a USB keyboard flash quickly in a certain pattern, using a transmission protocol and modulation scheme to encode the data. Hackers at a nearby location can record the pattern of LED flashes and decode it using the same modulation scheme that was used to encode it.
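From the defender's side, the rapid flashing described above is itself a signal, because a person rarely toggles a lock key more than a few times in a row. The following is an added example, not code from the researchers or from this article: it flags bursts of LED state changes in a trace of keyboard LED samples. The sample format, the one-second window, the threshold of six flips and the trace itself are assumptions made for illustration.

```python
from collections import deque

def parse_samples(text):
    """Parse constructed lines '<seconds> <caps><num><scroll>' into (time, bitmask)."""
    return [(float(ts), int(bits, 2))
            for ts, bits in (line.split() for line in text.strip().splitlines())]

def toggle_times(samples):
    """Return one timestamp per individual LED flip between consecutive samples."""
    times, prev = [], None
    for ts, state in samples:
        if prev is not None and state != prev:
            times.extend([ts] * bin(state ^ prev).count("1"))
        prev = state
    return times

def flag_bursts(samples, window=1.0, max_toggles=6):
    """Return (start, end, peak_count) for each run of windows over the limit.

    window and max_toggles are assumed values; tune them to the environment.
    """
    recent, alerts = deque(), []
    for ts in toggle_times(samples):
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) > max_toggles:
            if alerts and recent[0] <= alerts[-1][1]:   # overlaps the previous alert
                start, _, peak = alerts[-1]
                alerts[-1] = (start, ts, max(peak, len(recent)))
            else:
                alerts.append((recent[0], ts, len(recent)))
    return alerts

def constructed_trace():
    """Constructed data: two manual Caps Lock presses, then a flip every 50 ms."""
    lines = ["0.00 010", "5.00 110", "9.00 010"]
    state = 0b010
    for i in range(20):
        state ^= 0b100
        lines.append(f"{20 + i * 0.05:.2f} {state:03b}")
    return "\n".join(lines)

if __name__ == "__main__":
    for start, end, peak in flag_bursts(parse_samples(constructed_trace())):
        print(f"LED burst {start:.2f}s-{end:.2f}s, peak {peak} flips per window")
```

The two manual key presses in the constructed trace stay below the threshold, while the 50 ms burst is reported as a single alert.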

Network security experts claim to have tested this data theft technique using different devices with optical capture capabilities, such as smartphone and smartwatch cameras, surveillance cameras and optical sensors.

Keyboard LED transmissions can also be scheduled for times of day when users are not present. This also makes it easier for attackers to synchronize recordings, or to place optical recorders or cameras near the air-gapped systems only when they know that the LEDs will be transmitting stolen information.

Specialists from the International Institute of Cyber Security (IICS) mention that, in most cases, extracting information by this method requires a scenario known as “evil maid”, in which the attacker must be physically present to record the LED flashes using any device.