Hard drive LED can leak air-gapped data
Thu 23 Feb 2017
Researchers have discovered a method that could be used by hackers to leak sensitive data stored on an individual computer by manipulating the machine’s LED light.
The researchers found that malware controlling the hard drive LED could encode sensitive information and transmit it to a camera or light sensor, where it could be recorded and decoded at leisure. This proved an effective way of attacking air-gapped computers, which, because of their physical and logical isolation, are often considered secure (though imperfect) data repositories.
Isolating a specific machine physically and logically from unsecured networks, including public networks and the internet, is considered a next-level security measure. While not perfectly secure, air-gapped computers are often used to store highly classified information in environments such as military defense systems, critical infrastructure, and financial computer systems such as stock exchanges.
Using malware to control the blinking hard drive LED, the team was able to transfer data including passwords, encryption keys, and entire files at a rate of up to 2MB/hour.
The method used malware to turn the LED off and on at a rate of up to 5800 blinks per second. Well beyond the capability of human perception, this rapid blinking appears to the human eye as ordinary flickering, mimicking the everyday activity of the hard drive’s LED. By driving the drive’s ‘read’ and ‘write’ operations, however, the malware makes that flickering precisely controlled. Information from the computer can then be transmitted as a Morse-code-like message which, while too fast to see, can be recorded and later decoded by malicious parties.
Using a drone, the researchers demonstrated how an air-gapped computer could be located and the malware-controlled flickering recorded to exfiltrate sensitive data.
The research team tested LED transmitters in red, white and blue and found that all of them could be manipulated this way, although blue LEDs produce the strongest optical signal.
They also attempted to extract data using different types of receivers, including high-end security cameras, webcams, smartphone cameras, and wearable cameras, in addition to the drones used in the video example. They found that several of these receivers were effective at recording the LED flickering, provided the correct settings were used.
Recommendations for protecting an air-gapped machine against LED transmission of data include covering or disabling the LED entirely, or monitoring LED activity using software or security cameras. Banning cameras, shielding windows, and jamming the signal are also options for preventing this type of data leak.
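The "monitoring LED activity using software" recommendation can be approached from the other side of the LED: since the light follows disk activity, the on/off pattern described above shows up as regular, sustained switching in the timing of the drive's read and write operations. The following detector is an added example written for this page, not code from the article or from the original research; it assumes per-operation timestamps (in microseconds) for the data disk, as a block-layer tracer would provide, and the two samples it checks are constructed inline.

```python
"""Heuristic detector for disk-I/O timing consistent with an HDD-LED covert channel.

Added example (not from the article or the original research). Timestamps are
assumed to come from a block-layer tracer in microseconds; samples are constructed.
"""


def activity_bitmap(timestamps_us, slot_us=1000):
    """Mark each slot_us-wide time slot as active if any I/O landed in it.

    The HDD LED lights while the drive is busy, so this bitmap approximates the
    on/off pattern a camera would see. A 1 ms slot resolves a few hundred blinks
    per second; the article's 5800 blinks/s would need slot_us around 100.
    """
    if not timestamps_us:
        return []
    start = timestamps_us[0]
    n_slots = (timestamps_us[-1] - start) // slot_us + 1
    active = [False] * n_slots
    for t in timestamps_us:
        active[(t - start) // slot_us] = True
    return active


def toggle_rate(timestamps_us, slot_us=1000):
    """Return on/off transitions per second of the approximated LED pattern."""
    active = activity_bitmap(timestamps_us, slot_us)
    if len(active) < 2:
        return 0.0
    toggles = sum(1 for a, b in zip(active, active[1:]) if a != b)
    duration_s = len(active) * slot_us / 1_000_000
    return toggles / duration_s


def looks_like_led_channel(timestamps_us, min_ops=100, min_toggles_per_s=200.0):
    """Flag sustained, regular switching far above an ordinary workload.

    Both thresholds are assumptions for illustration; baseline them against the
    host's normal disk activity before alerting on them.
    """
    if len(timestamps_us) < min_ops:
        return False
    return toggle_rate(timestamps_us) >= min_toggles_per_s


# Constructed sample 1: a tiny read every 2 ms for one second, i.e. a 500 Hz
# square wave on the LED, the kind of regular pattern a covert channel produces.
COVERT_SAMPLE = [i * 2000 for i in range(500)]

# Constructed sample 2: five short bursts of 25 reads each (starting at 0, 150,
# 400, 650 and 900 ms), as an application opening files might produce.
NORMAL_SAMPLE = [b + i * 40 for b in (0, 150_000, 400_000, 650_000, 900_000) for i in range(25)]
```

Normal workloads do occasionally burst, so in practice the toggle rate should be evaluated over a sliding window and alerted on only when it stays high for several consecutive windows.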