Introduction:
Air-gapped systems, also known as isolated or segregated systems, are computers or networks that are physically disconnected from external networks, so data cannot leave them over the internet or any other network link, and transfers via removable media are usually tightly controlled as well. They are used in high-security environments where the protection of sensitive data is paramount. Even air-gapped systems are not immune to data exfiltration, however: an attacker who has already gotten code running on the isolated machine (for example via a compromised supply chain or removable media) can move data out through covert channels that do not depend on a network at all.
A covert channel is a communication channel used to transfer information in a way the system's owner neither intended nor authorized. Covert channels serve malicious purposes such as stealing sensitive data from an air-gapped system, because they bypass controls that watch the network and storage interfaces rather than the machine's physical emissions. In this blog, we explore two optical covert channels for exfiltrating data from air-gapped systems: the camera LED status light and screen brightness.
Camera LED Status Light as a Covert Channel: Most laptops, and most external webcams, have a camera LED status light that turns on whenever the camera is in use. The LED exists to give the user a visual indication that the camera is active and capturing video. Attacker code on the air-gapped machine can nonetheless repurpose it as a covert channel: by toggling the LED, for instance by repeatedly starting and stopping camera capture, it can encode bits in the pattern of on and off periods, and a second camera or light sensor with line of sight to the LED records the pattern and decodes it.
The process of using the camera LED status light as a covert channel typically involves the following steps:
Screen Brightness as a Covert Channel: Another covert channel for data exfiltration from an air-gapped system is screen brightness. The brightness of a computer monitor or a mobile display is adjustable in steps, normally so the user can match it to the ambient light. Attacker code can instead step the brightness up and down to encode data. Because several distinct levels are available, each change can carry more than one bit; the trade-off is that smaller steps are less noticeable to the user but harder for the receiver to tell apart from sensor noise.
The process of using screen brightness as a covert channel is similar to using the camera LED status light:
Proof of Concept: video demonstration of the above covert channels
Code: https://github.com/harishsg993010/AirgapExresearch/tree/main
Countermeasures: Data exfiltration through covert channels such as the camera LED status light and screen brightness is hard to detect and prevent with conventional tooling, because nothing crosses the network or touches external storage. What the attacker does need is code running on the isolated host and a camera or light sensor with optical line of sight to the LED or screen, and both of those are points where controls can be applied. Several countermeasures can be implemented to mitigate the risk of data exfiltration from air-gapped systems:
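One host-side check a defender can run is to watch the indicator itself: a backlight level or camera-in-use flag that changes many times a second is not a person adjusting a slider. The following is an added example of that detection logic, not a control from the post; the sliding window and change threshold are assumptions to tune per fleet, the sample series are constructed rather than captured, and the only live source shown is the Linux backlight sysfs node (reading it is optional and is skipped on machines without one).

```python
"""Rate-of-change detector for an on-host indicator (backlight step, camera
in-use flag, LED state). Added example, not from the post. Window and
threshold are assumptions; the HUMAN and EXFIL series below are constructed."""
import glob
from collections import deque
from typing import Deque, List, Optional, Tuple


class IndicatorMonitor:
    """Counts level changes inside a sliding window and alerts when the rate
    exceeds what an interactive user plausibly produces."""

    def __init__(self, window_s: float = 10.0, max_changes: int = 6):
        self.window_s = window_s
        self.max_changes = max_changes
        self.last: Optional[int] = None
        self.changes: Deque[float] = deque()

    def observe(self, t: float, value: int) -> bool:
        """Feed one (timestamp, value) sample; return True when alerting."""
        if self.last is not None and value != self.last:
            self.changes.append(t)
        self.last = value
        while self.changes and t - self.changes[0] > self.window_s:
            self.changes.popleft()
        return len(self.changes) > self.max_changes


def scan(samples: List[Tuple[float, int]], **kw) -> Optional[float]:
    """Run the monitor over a recorded series; return the time of the first
    alert, or None if the series never trips it."""
    mon = IndicatorMonitor(**kw)
    for t, v in samples:
        if mon.observe(t, v):
            return t
    return None


def read_backlight() -> Optional[int]:
    """Live source on Linux (the sysfs path is real; picking the first
    backlight device is an assumption). None where no backlight node exists."""
    for path in glob.glob("/sys/class/backlight/*/brightness"):
        with open(path) as fh:
            return int(fh.read().strip())
    return None


# Constructed series, not captured data: a user nudging brightness twice in
# ten seconds, versus a sender toggling between two steps every 200 ms.
HUMAN = [(0.0, 50), (3.0, 60), (7.5, 70), (12.0, 70)]
EXFIL = [(i * 0.2, 30 if i % 2 else 90) for i in range(60)]


if __name__ == "__main__":
    print("human:", scan(HUMAN), "exfil:", scan(EXFIL), "live value:", read_backlight())
```

In a deployment the monitor would be fed by a poller on the backlight node or on camera device open/close events, and alerts should be correlated with input events and known legitimate sources of rapid change (adaptive brightness, video playback) to keep false positives down.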
Limitations of these techniques:
One limitation of using covert channels such as the camera LED status light or screen brightness for data exfiltration from air-gapped systems is that the transfer speed is very low compared with network-based methods. The achievable rate depends on the encoding technique, the distance between the air-gapped system and the receiving device, and the sensitivity and frame rate of the light sensor or camera used for reception.
The bandwidth of an LED or a backlight is limited at both ends. On the sending side, the LED can only be switched as fast as camera capture can be started and stopped, and the backlight only as fast as the display's brightness control responds. On the receiving side, a camera samples at its frame rate and each symbol must persist for at least two frames to be read reliably, so a 30 fps receiver caps a plain on/off scheme at roughly 15 bits per second before any error correction. Encoding data into binary on the LED is therefore slow by network standards, and screen brightness is no better, because small brightness steps are hard to distinguish from noise at a distance.
The slow transfer speed is a disadvantage for attackers who need to move a large amount of data quickly. It can also be acceptable, or even an advantage, where stealth matters more than speed: in a targeted attack or espionage operation the goal is often a small secret such as a key or password, which fits in a few hundred bits, and a channel that leaks a few bits per second attracts less attention than one that moves everything at once.
The rate also varies with the specific implementation and the capabilities of the hardware and software involved. Attackers can optimise it, for example with multi-level encoding (several brightness steps per symbol instead of plain on/off), by exploiting other effects that modulate the emitted light such as screen flicker, or by driving several LEDs at once. Organizations should therefore not treat the low bandwidth as a security measure in itself, but implement a comprehensive set of controls to mitigate the risk of data exfiltration through covert channels.
In conclusion, while using covert channels such as the camera LED status light or screen brightness to exfiltrate data from an air-gapped system is slow, it is a real threat that organizations should be aware of and guard against. Regular risk assessments, monitoring for unusual activity, and strict access controls help mitigate the risk of data exfiltration through covert channels, even where the transfer speed is low.