TY - JOUR
T1 - aIR-Jumper
T2 - Covert air-gap exfiltration/infiltration via security cameras & infrared (IR)
AU - Guri, Mordechai
AU - Bykhovsky, Dima
N1 - Publisher Copyright: © 2018 Elsevier Ltd
PY - 2019/5/1
Y1 - 2019/5/1
N2 - Breaching highly secure networks with advanced persistent threats (APTs) has been proven feasible in the last decade; however, communication between the attacker outside the organization and the APT inside the organization is not possible if the compromised network is disconnected from the Internet. In this paper, we show how attackers can exploit surveillance cameras to establish covert communication between the air-gapped networks of organizations and remote attackers. We present bidirectional communication allowing inbound and outbound data transfer. Infiltration. An attacker standing in a public area (e.g., in the street) uses near infrared (NIR) light to transmit hidden signals to the surveillance camera(s). Such NIR signals at a wavelength of 800–900 nm are invisible to humans, but cameras are optically sensitive to this type of light. Binary data is encoded and modulated on top of the IR signals. The signals hidden in the video stream are then intercepted and decoded by the malware residing in the internal network. Exfiltration. Surveillance and security cameras are equipped with controllable IR LEDs which are used for night vision. We show that the malware can control the strength of the IR illumination. Sensitive data such as PIN codes, passwords, and encryption keys are then modulated, encoded, and transmitted over the IR signals. An attacker in a public area (e.g., in the street) with a line of sight to the surveillance camera records the IR signals and decodes the leaked information. We discuss related work on air-gap covert channels and provide scientific background about our optical channel. Our evaluation shows that an attacker can establish bidirectional communication with the internal networks from distances of tens of meters to kilometers away via surveillance cameras and IR light.
UR - http://www.scopus.com/inward/record.url?scp=85058471474&partnerID=8YFLogxK
U2 - https://doi.org/10.1016/j.cose.2018.11.004
DO - https://doi.org/10.1016/j.cose.2018.11.004
M3 - Article
SN - 0167-4048
VL - 82
SP - 15
EP - 29
JO - Computers and Security
JF - Computers and Security
ER -