This piece of mine originally appeared on Tripwire’s State of Security blog in March 2017. Enjoy!
When hard disk drives contain super sensitive data, cybersecurity professionals like myself will usually recommend that they shouldn’t be placed in any computers that have an operational TCP/IP stack. There are various ways that internet-connected computers can secure themselves against attack, such as firewalls, IPS devices, antivirus software, and OS configuration. That’s good enough security for most personal and professional computing needs.
Even with many security precautions in place there’s always the potential for attack, but most computers need to use the internet. When attackers really want your data, though, such as in the financial industry or in intelligence, the best bet is for your most sensitive data storage to have no network connectivity whatsoever. We refer to that technique as air-gapping.
Well, these days, air-gapping may no longer be enough. Can people see your HDD’s blinky lights?
Mordechai Guri of Ben-Gurion University has discovered a new way for attackers to get data from air-gapped machines. Guri and his research team developed user-level malware that’s designed to communicate an HDD’s data through its LED light. The challenge for an attacker is to get the malware onto an air-gapped machine. But it’s possible for an attacker to do that with removable media, such as a USB stick or an optical disc. Socially engineer your way to physical access to a target machine, and bingo!
Guri’s team has focused on the security of air-gapped machines for years. The technique they developed improves upon previous exploits for getting data from air-gapped computers because it’s more covert and the malware doesn’t require kernel-level privileges.
Here’s how an attacker could implement Guri’s attack. An attacker puts the malware on some sort of removable media. Then they acquire physical access to a target machine. If the USB ports haven’t been disabled from mounting filesystems, or the optical drives haven’t been disabled from reading discs, there’s an easy way in. They don’t need to go through an administrator, privilege-escalate, or crack an admin password because the malware is user-level.
The next step follows once the malware is in the target machine. A camera gets a view of the target machine’s HDD light. (Guri’s team used a camera attached to a drone in their research.) Software attached to the camera interprets the light signals, or a video file taken from the camera is read by the same sort of software. Then the attacker has the data that they want.
When an LED blinks at 4,000 Hz, it can’t be detected by the human eye. Guri’s team was able to transmit a 4,096-bit encryption key in anywhere from a few minutes down to mere seconds, depending on the quality of a camera’s reception. Wow! The technique transmits data relatively slowly, but some of the most sensitive data, such as keys, is very small.
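To put the "few minutes to mere seconds" range into numbers, here is an added example (my own illustration, not code from Guri's team or the original post). It assumes a simple model: one bit per blink, and a camera that must capture at least two frames per blink to tell on from off, so the receiver's frame rate, not the 4,000 Hz LED, usually bounds the channel. The receiver profiles are constructed for illustration.

```python
"""Estimate how long an LED covert channel needs to leak a secret of a given size.

Added example (not from the original post). The post states that the LED can blink
at 4,000 Hz and that a 4,096-bit key was moved in "a few minutes to mere seconds"
depending on the camera. The model below is an assumption: one bit per blink
(on/off keying) and a receiver that can resolve at most half its frame rate in
blinks per second (the Nyquist limit), so the camera bounds the channel.
"""
from dataclasses import dataclass

LED_MAX_HZ = 4000   # blink rate quoted in the post
KEY_BITS = 4096     # key size quoted in the post


@dataclass(frozen=True)
class Receiver:
    name: str
    frames_per_second: float


def usable_bits_per_second(receiver: Receiver, led_hz: float = LED_MAX_HZ) -> float:
    """Bits per second the channel carries given both the LED and camera limits.

    Assumption: 1 bit per blink, and the camera needs two frames per blink to
    distinguish on from off, so the receiver caps the rate at fps / 2.
    """
    return min(led_hz, receiver.frames_per_second / 2.0)


def seconds_to_exfiltrate(bits: int, receiver: Receiver, led_hz: float = LED_MAX_HZ) -> float:
    """Seconds needed to move `bits` through the channel to this receiver."""
    return bits / usable_bits_per_second(receiver, led_hz)


def bits_leaked(exposure_seconds: float, receiver: Receiver, led_hz: float = LED_MAX_HZ) -> int:
    """Whole bits a receiver can collect in a given exposure window (risk view)."""
    return int(exposure_seconds * usable_bits_per_second(receiver, led_hz))


# Constructed receiver profiles: an ordinary webcam, a slow-motion phone, a high-speed camera.
RECEIVERS = [
    Receiver("30 fps webcam", 30),
    Receiver("240 fps slow-motion phone", 240),
    Receiver("4000 fps high-speed camera", 4000),
]


def exfiltration_table(bits: int = KEY_BITS):
    """(receiver name, usable bit/s, seconds for `bits`) for each constructed receiver."""
    return [(r.name, usable_bits_per_second(r), seconds_to_exfiltrate(bits, r)) for r in RECEIVERS]


if __name__ == "__main__":
    for name, bps, secs in exfiltration_table():
        print(f"{name:28s} {bps:8.1f} bit/s  {secs:8.1f} s  ({secs / 60:.1f} min)")
```

Under these assumptions a plain 30 fps webcam needs about four and a half minutes for the 4,096-bit key, while a 4,000 fps camera needs about two seconds, which brackets the range the post reports. The `bits_leaked` function is the defender's view of the same arithmetic: even a ten-second line of sight to the LED from a 30 fps camera is worth 150 bits.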
So, to harden against Guri’s exploit, here’s what you can do:
- Lock down physical access to your data center in the usual ways. That reduces the likelihood of removable media transmitting malware to an air-gapped HDD.
- Disable USB ports, optical drives, and HDD connections that don’t absolutely need to be enabled.
- Make sure that your server room has no windows.
- Or, the simplest measure is to put opaque tape over your LEDs.
A roll of duct tape can be purchased from Amazon for as low as 68 cents. $4.52 shipping to my mailing address would bring the grand total to just under five bucks. What an affordable cybersecurity measure!
But the risk of increasingly inventive and covert techniques to extract data from air-gapped machines must not be trivialized. Frankly, I didn’t even think of the possibility of an HDD LED light as a vulnerability until Guri’s research was publicized. Information security researchers must really think outside of the box these days!
If you like my writing and wish to support me, please consider donating to my Patreon.