New malware variant attacks isolated devices without internet connection

Digital forensics experts report the detection of a new Israeli malware capable of attacking isolated computers. To do this, attackers must take control of the LED indicators on the device and flash them up to 6 thousand times per second, sending a signal containing data to a camera mounted on a drone near the target machine.

This method of attack targets isolated devices, meaning devices that have no connection to the Internet or to the company’s networks, which makes attacking them a highly complex task. Usually, these devices (also known as “air-gapped” systems) store highly sensitive information for the company.

The digital forensics experts at Ben-Gurion University Cybersecurity Research Center designed this method of control through LED indicators to demonstrate that it was possible to hack an isolated device to steal information. “These LED lights are always flashing, so no user would suspect that the computer is being attacked,” says one of the researchers.

To demonstrate the attack, the researchers employed a drone located relatively close to the target device. Once the target has been located, attackers begin to transmit data through an LED light on the hard drive, which requires malware running on the machine.

International Institute of Cyber Security (IICS) digital forensics specialists say that, using this technique, data can be transferred at speeds of up to 4 thousand bits/second thanks to a specialized sensor placed on the drone. The camera records the flicker of the LED lights, and the recording is then decoded.

Reaching nearly 6,000 bits per second, LED light patterns are imperceptible to the naked eye, although a powerful enough light sensor could record these patterns without problem. “The target user will most likely not even realize that he or she is being attacked,” the creators of this method of information theft say.
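The following simulation is an added example, not code from the researchers. It shows why a fast sensor is needed to observe this kind of LED signalling at all, which also tells a defender what sample rate an optical monitor would need. It assumes simple on-off keying and a sensor that averages light over each sample period; only the 4,000 bits/second figure comes from the article.

```python
import random

BIT_RATE = 4000    # bits/second, the figure quoted in the article
SIM_RATE = 96000   # simulation resolution in samples/second (assumption)

def ook_waveform(bits, bit_rate=BIT_RATE, sim_rate=SIM_RATE):
    """Assumed encoding (on-off keying): light on for a 1, off for a 0."""
    per_bit = sim_rate // bit_rate
    return [b for b in bits for _ in range(per_bit)]

def sensor_capture(wave, sensor_rate, sim_rate=SIM_RATE):
    """Model a sensor that averages incoming light over each sample period."""
    step = sim_rate // sensor_rate
    return [sum(wave[i:i + step]) / step
            for i in range(0, len(wave) - step + 1, step)]

def recover_bits(samples, sensor_rate, n_bits, bit_rate=BIT_RATE):
    """Threshold the sample that falls in the middle of each bit period."""
    out = []
    for k in range(n_bits):
        idx = int((k + 0.5) * sensor_rate / bit_rate)
        out.append(1 if idx < len(samples) and samples[idx] > 0.5 else 0)
    return out

def bit_error_rate(sensor_rate, n_bits=4000, seed=1):
    """Fraction of bits recovered wrongly by a sensor of the given rate."""
    rng = random.Random(seed)                  # constructed test pattern
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    samples = sensor_capture(ook_waveform(bits), sensor_rate)
    got = recover_bits(samples, sensor_rate, n_bits)
    return sum(a != b for a, b in zip(bits, got)) / n_bits

if __name__ == "__main__":
    # 60 Hz ~ ordinary video camera; 8000 Hz ~ a dedicated light sensor
    for rate in (60, 1000, 8000):
        print(f"{rate:>5} samples/s -> bit error rate {bit_error_rate(rate):.3f}")
```

In this idealized, phase-aligned model, a sensor sampling slower than the bit rate only sees brightness averaged over many bits, so the pattern is lost; one sampling at twice the bit rate recovers it exactly.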

It is important to note that the attack requires the target device to have been previously infected with a malware variant, although this is not really an insurmountable obstacle for attackers. System administrators may want to cover these LED lights with duct tape to prevent a possible attack.