Hackers use infra red CCTV cameras to steal data from air gapped systems

0 2

By Matthew Griffin Security and Privacy 10th May 2018

WHY THIS MATTERS IN BRIEF

Air gapped computer systems that often hold highly sensitive data are generally thought to be secure, but more hackers are testing that theory than ever before.

Even the cleverest malware is stranded unless it can communicate with the people who sent it. This can be hard to achieve without a network’s defenders noticing the malware’s chatter, so stealthy communication is at a premium for malware that wants to go unnoticed.

The most extreme example of this challenge occurs when malware has no direct connection to the outside world at all, such as is the case in isolated networks that are “air-gapped” from the outside world.

In this situation, the malware typically has two ways to communicate: infect storage media used to ferry data and software to and from the protected network (the approach used by the infamous Stuxnet malware), or get an insider to access the gapped systems.

Researchers at Israel’s Ben Gurion University prefer a third way – they’ve come up with a new proof-of-concept gap-beating attack, dubbed “aIR Jumper”, based on controlling the infrared (IR) LEDs inside surveillance cameras.

Watch it “in action”

The team wanted to see whether these devices could be used to jump the gap and exfiltrate data (sneak it out of a network), infiltrate data (sneak it in as part of command and control) or, ideally, a combination of the two. To work, the malware (already inside the air-gapped network using one of the techniques mentioned above) must look for and compromise network-attached surveillance cameras, which are typically fitted with infra-red LEDs to enable night vision. For cameras facing on to a public car park or street, the researchers discovered that data could be infiltrated and exfiltrated as encoded infra-red flashes at throughputs of 20 bits/sec, per camera, to an attacker with a video camera standing tens of metres away. In two scenarios, the team demonstrated how the lighting systems could be used to connect attackers to a compromised network. In one case, exfiltration, the leak of data, was possible, while in an infiltration attack scenario, data was sent into the network.

Command and control data could then be infiltrated back to the malware by reversing this process at a throughput of 100 bit/sec, per camera, using infra-red LEDs from kilometres a way.

“In an infiltration scenario, an attacker standing in a public area (e.g., in the street) uses IR LEDs to transmit hidden signals to the surveillance camera(s),” the paper reads, “binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals.”

This is enough to transmit sensitive data such as PIN codes, passwords, and encryption keys that are then modulated, encoded, and transmitted over the IR signals, but better still the covert channel can be established with more than one surveillance camera in order to multiply the channel’s bandwidth.

Despite its relatively low bandwidth, the attack has the compelling advantage of being both incredibly hard to spot, either visually, because infra-red is invisible to humans, or by security systems, because it never traverses internet gateways.

In a sense, the aIR attack works by creating its own alternative port into and out of the network using surveillance cameras as the medium.

Of course the success of this approach against air-gapped networks would depend on the network configuration.

You might reasonably expect air-gapped networks to be completely isolated from devices like cameras, in which case the aIR attack would fail. Even if the cameras were accessible, the malware would still have to compromise them, which would hinge on how well secured they were.

On the other hand, researchers at Ben Gurion University and elsewhere have researched techniques for jumping air gaps directly, including using electro-magnetism to communicate with mobile phones, using heat, the noises from hard drives, and even hard drive LEDs blinking at drones.

The best-known example of this class of attack is probably the legendary and strange BadBIOS from 2013, which was said amongst other things to use inaudible sounds to jump air gaps.

As for camera security, one has only to turn to the mass compromise of public surveillance cameras in Washington DC earlier in 2017 to see the potential for trouble.

So, much of this is possible if a little cloak and dagger – would attackers really want to risk standing in car parks at night holding video cameras though?

The obvious defence is simply to secure surveillance cameras while isolating them from sensitive networks.

The researchers at Ben Gurion University aren’t really concerned with what’s likely, but what’s possible and they seem determined to show that, air-gapped or not, nothing is ever completely out of reach.

Matthew Griffin / About Author

Matthew Griffin, described as a "Walking encyclopaedia of the future" by NASA and a futurist polymath, is one of the world's most renowned futurists and strategic foresight experts. A serial entrepreneur Matthew is the Founder and Futurist in Chief of the 311 Institute, a global Futures and Deep Futures advisory firm working across the next 50 years, XPotential University, the world's first free futures and foresight university, and the World Futures Forum which works with the United Nations to solve the worlds greatest challenges. 13 times author of the Codex of the Future series, Matthew is an in demand international keynote, acclaimed university lecturer, and host of the hit Fanatical Futurist podcast.

A rare talent in his past Matthew helped build and run several multi-billion dollar business units for Atos, Dell-EMC, and IBM, and his ability to identify, track, and explain the impacts of hundreds of emerging technologies and trends on global business, culture, and society has earned him a powerful reputation and a roster of clients that include royal households, world leaders, G7, G20, and G77+ governments, and many of the world's most respected brands including ABB, Accenture, Adidas, AON, ARM, BCG, Centrica, Citi Group, Coca Cola, Dentons, Deloitte, Disney, EY, KPMG, Lego, Legal & General, LinkedIn, Microsoft, Pepsi Co, Qualcomm, RWE, Samsung, T-Mobile, UBS, VISA, and many others. He was also the only futurist invited to talk at the UN COP28 held in Dubai alongside world leaders.

Regularly featured in the global media including the AP, BBC, Bloomberg, CNBC, Discovery, Forbes, Khaleej Times, Telegraph, TIME, ViacomCBS, WIRED, and the WSJ, Matthews mission is to help organisations create a fair and sustainable future whose benefits are shared by everyone irrespective of their ability, background, or circumstances.