LED-it-GO: Leaking (a lot of) data from air-gapped computers via the (small) hard drive LED

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

In this paper we present a method that allows attackers to covertly leak data from isolated, air-gapped computers. Our method utilizes the hard disk drive (HDD) activity LED which exists in most of today’s desktop PCs, laptops, and servers. We show that a malware can indirectly control the HDD LED, turning it on and off rapidly (up to 5800 blinks per second) – a rate that exceeds the visual perception capabilities of humans. Sensitive information can be encoded and leaked over the LED signals, which can then be received remotely by different kinds of cameras and light sensors (Demonstration video: https:// www.youtube.com/watch?v=4vIu8ld68fc). Compared to other LED methods, our method is unique, because it is also covert; the HDD activity LED routinely flickers frequently, and therefore the user may not be suspicious of changes in its activity. We discuss attack scenarios and present the necessary technical background regarding the HDD LED and its hardware control. We also present various data modulation methods and describe the implementation of a user-level malware that doesn’t require a kernel component. During the evaluation, we examined the physical characteristics of different colored HDD LEDs (red, blue, and white) and tested different types of receivers: remote cameras, ‘extreme’ cameras, security cameras, smartphone cameras, drone cameras, and optical sensors. Finally, we discuss hardware and software countermeasures for such a threat. Our experiment shows that sensitive data can successfully be leaked from air-gapped computers via the HDD LED at a maximum bit rate of 120 bit/s (bits per second) when a video camera is used as a receiver, and 4000 bit/s when a light sensor is used for the reception. Notably, the maximal speed is 10 times faster than the existing optical covert channels for air-gapped computers. These rates allow rapid exfiltration of encryption keys, keystroke logging, and text and binary files.

Original languageAmerican English
Title of host publicationDetection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017
EditorsMichalis Polychronakis, Michael Meier
PublisherSpringer Verlag
Pages161-184
Number of pages24
ISBN (Print)9783319608754
DOIs
StatePublished - 1 Jan 2017
Event14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017 - Bonn, Germany
Duration: 6 Jul 20177 Jul 2017

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10327 LNCS

Conference

Conference14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017
Country/TerritoryGermany
CityBonn
Period6/07/177/07/17

Keywords

  • Air-gap
  • Covert channel
  • Exfiltration
  • Hard drive
  • LED
  • Network security
  • Optical

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • General Computer Science

Fingerprint

Dive into the research topics of 'LED-it-GO: Leaking (a lot of) data from air-gapped computers via the (small) hard drive LED'. Together they form a unique fingerprint.

Cite this