Researchers in Israel have come up with an innovative hack that turns a computer’s LED light into a signaling system that shows passwords and other sensitive data.
The researchers at Ben-Gurion University of the Negev demonstrated the hack in a YouTube video posted Wednesday. It shows a hacked computer broadcasting the data through a computer’s LED light, with a drone flying nearby reading the pattern.
The researchers designed the scheme to underscore vulnerabilities of air-gapped systems, or computers that have been intentionally disconnected from the internet.
Air-gapped systems generally carry highly confidential information or operate critical infrastructure. But the researchers have been coming up with sneaky ways to extract data from these computers, like using the noise from the PC’s fan or hard drive to secretly broadcast the information to a nearby smartphone.
Their latest hack leverages the LED activity light for the hard disk drive, which can be found on many servers and desktop PCs and is used to indicate when memory is read or written.
The researchers found that with malware, they could control the LED light to emit binary signals by flashing on and off. That flickering could send out a maximum of 4,000 bits per second, or enough to leak out passwords, encryption keys and files, according to their paper. It’s likely no one would notice anything wrong.
“The hard drive LED flickers frequently, and therefore the user won’t be suspicious about changes in its activity,” said Mordechai Guri, who led the research, in a statement.
To read the signals from the LED light, all that’s needed is a camera or an optical sensor to record the patterns. The researchers found they could read the signal from 20 meters away from outside a building. With an optical zoom lens, that range could be even longer.
It wouldn’t be easy for hackers to pull off this trick. They’d have to design malware to control the LED light and then somehow place it on an air-gapped system, which typically is heavily protected.
They’d also need to find a way to read the signals from the LED light. To do so, a bad actor might hijack a security camera inside the building or fly a drone to spy through a window at night.
However, the danger of an LED light being hijacked can be easy to solve. The researchers recommend placing a piece of tape over the light, or disconnecting it from the computer.
Segura often studies malvertising, which involves seeding ad networks with harmful online advertisements that then appear on websites, potentially delivering malware to a person’s computer.
It’s a particularly insidious type of attack, since a person merely has to view an advertisement to become infected if his or her computer has a software vulnerability.
“We knew there was something different that malvertisers were doing,” said Segura.
The problem was his team couldn’t replicate the attack by viewing the malicious ad. It’s almost as if the attackers knew they were being watched.
Cyberattackers often profile machines — known as fingerprinting — in order to attack ones that are being used by security researchers. Machines on certain IP addresses or VPN networks or those running virtual machines won’t be attacked.
Segura couldn’t get another look at the attack until he went home and used his home computer rather than the ones in Malwarebytes’ lab.
If a computer checked out, its user was redirected by the advertisement to a server running the Angler exploit kit, Segura said.
It is not unusual for cyberattackers to do some quick reconnaissance on potential victims. But Segura said this time around, the attackers are also taking other steps that make it very difficult for ad networks and security researchers to detect bad behavior.
The malicious ad, including the one-by-one pixel, was also delivered over SSL/TLS, which makes it harder to detect potentially malicious behavior, Segura said.
The malicious ad was carried by Google’s DoubleClick and dozens of other ad networks. It appears the attackers had set up fake domains and even LinkedIn profiles months before to appear they were legitimate before supplying their malicious advertisement to the online advertising companies.
“It shows you how deceptive they can be and how many fake advertisers are out there,” he said.
Concerns regarding cyberterrorism was front and center this week among security experts at the RSA security conference in San Francisco, who find that some people with extremist views have the technical knowledge that could be used to breach computer networks.
Cyberterrorism does not exist currently in a serious form, but some individuals with extremist views have displayed a significant level of knowledge of hacking, so the threat shouldn’t be underestimated, said F-Secure’s chief research officer Mikko Hypponen on Thursday at the RSA security conference in San Francisco .
Other security experts agree. “I think it’s something that we should be concerned about. I wouldn’t be surprised if 2012 is the year when we start seeing more cyberterrorism,” said Mike Geide, a senior security analyst at security vendor Zscaler.
Extremists commonly use the Internet to communicate, spread their message, recruit new members and even launder money in some cases, Hypponen said during a presentation about cyberterrorism at the conference.
Based on the data Hypponen analyzed, most groups of radical Islamists, Chechen terrorists or white supremacists seem at this stage more concerned about protecting their communications and hiding incriminating evidence on their computers.
They’ve even built their own file and email encryption tools to serve this goal and they use strong algorithms that cannot be cracked, Hypponen said. However, there are some extremists out there that possess advanced knowledge of hacking, and they are trying to share it with others, he added.
The researcher has seen members of extremist forums publish guides on how to use penetration testing and computer forensics tools like Metasploit, BackTrack Linux or Maltego. “I don’t think they’re using these for penetration testing though,” Hypponen said.
Others have posted guides on website vulnerability scanning, SQL injection techniques, and on using Google search hacks to find leaked data and more, he said.
Although such extremists have mainly succeeded in unsophisticated Web defacements so far, Hypponen believes that cyberterrorists could become the fourth group of Internet attackers after financially-motivated hackers, hacktivists and nation states engaging in cyberespionage.
The closest we’ve come to a real cyberterrorist attack was the DigiNotar breach which resulted in rogue digital certificates being issued for high-profile domain names, said Richard Moulds, vice president of strategy and product marketing at French defense contractor Thales.