Using infrared cameras to break out of air-gapped networks

Even the cleverest malware is stranded unless it can communicate with the people who sent it.

This can be hard to achieve without a network’s defenders noticing the malware’s chatter, so stealthy communication is at a premium for malware that wants to go unnoticed.

The most extreme example of this challenge occurs when malware has no direct connection to the outside world at all, such as is the case in isolated networks that are “air-gapped” from the outside world.

In this situation, the malware typically has two ways to communicate: infect storage media used to ferry data and software to and from the protected network (the approach used by the infamous Stuxnet malware), or get an insider to access the gapped systems.

Researchers at Israel’s Ben-Gurion University prefer a third way: they’ve come up with a new proof-of-concept gap-beating attack, dubbed “aIR Jumper”, based on controlling the infrared (IR) LEDs inside surveillance cameras.

The team wanted to see whether these devices could be used to jump the gap and exfiltrate data (sneak it out of a network), infiltrate data (sneak it in as part of command and control) or, ideally, a combination of the two.

To work, the malware (already inside the air-gapped network using one of the techniques mentioned above) must look for and compromise network-attached surveillance cameras, which are typically fitted with infra-red LEDs to enable night vision.

For cameras facing on to a public car park or street, the researchers discovered that data could be exfiltrated as encoded infra-red flashes at throughputs of 20 bits/sec, per camera, to an attacker with a video camera standing tens of metres away.

Command and control data could then be infiltrated back to the malware by reversing this process at a throughput of 100 bit/sec, per camera, using infra-red LEDs from kilometres a way.

This is enough to transmit:

Sensitive data such as PIN codes, passwords, and encryption keys that are then modulated, encoded, and transmitted over the IR signals.

Better still:

The covert channel can be established with more than one surveillance camera in order to multiply the channel’s bandwidth.

Despite its relatively low bandwidth, the attack has the compelling advantage of being both incredibly hard to spot, either visually (infra-red being invisible to humans) or by security systems (because it never traverses internet gateways).

In a sense, the aIR attack works by creating its own alternative port into and out of the network using surveillance cameras as the medium.

Of course the success of this approach against air-gapped networks would depend on the network configuration.

You might reasonably expect air-gapped networks to be completely isolated from devices like cameras, in which case the aIR attack would fail. Even if the cameras were accessible, the malware would still have to compromise them, which would hinge on how well secured they were.

On the other hand, researchers at Ben-Gurion University and elsewhere have researched techniques for jumping air gaps directly, including using electro-magnetism to communicate with mobile phones, using heat, via disk and fan acoustics, and even hard drive LEDs blinking at drones.

The best-known example of this class of attack is probably the legendary and strange BadBIOS from 2013, which was said amongst other things to use inaudible sounds to jump air gaps.

As for camera security, one has only to turn to the mass compromise of public surveillance cameras in Washington DC earlier in 2017 to see the potential for trouble.

So, much of this is possible if a little cloak and dagger – would attackers really want to risk standing in car parks at night holding video cameras though?

The obvious defence is simply to secure surveillance cameras while isolating them from sensitive networks.

The researchers at Ben-Gurion University aren’t really concerned with what’s likely, but what’s possible and they seem determined to show that, air-gapped or not, nothing is ever completely out of reach.