Air-gapped computers that are isolated from the Internet and physically separated from local networks are widely believed to be the most secure computers and the hardest to infiltrate.
However, these networks have been a regular target in recent years for researchers, who have been trying to demonstrate every possible attack scenario that could compromise the security of such isolated networks.
Security researchers from Ben-Gurion University in Israel have previously demonstrated several ways to extract sensitive information from air-gapped computers.
Now, the same University researchers have discovered another way to steal confidential information from air-gapped computers – this time with the help of infrared-equipped CCTV cameras that are used for night vision.
Researchers have developed a new attack scenario, dubbed aIR-Jumper, which involves an infected air-gapped computer (from which data needs to be stolen) and an infected CCTV network (with at least one CCTV camera installed inside the premises facing the infected computer and one outside the premises), assuming that both networks are isolated from each other and neither is Internet-connected.
Setting aside how the air-gapped computer and the CCTV network got infected with malware in the first place, the new research focuses on how, once infected, the malware would be able to transfer the stolen data back to the attackers waiting outside the premises.
To read and send data, the aIR-Jumper malware installed on the air-gapped computer and on the CCTV network blinks IR LEDs in Morse-code-like patterns, transmitting files as binary data, i.e. 0s and 1s.
Data can be transmitted from a video camera to an attacker tens of meters away at 20 bits per second, and from an attacker to a video camera at 100 bits per second, even in total darkness.
Given the low data rate, attackers wouldn’t be able to steal any large files, but could get their hands on passwords, cryptographic keys, PIN codes and other small bits of sensitive data stored on the targeted computer.
“In an infiltration scenario, an attacker standing in a public area (e.g., in the street) uses IR LEDs to transmit hidden signals to the surveillance camera(s),” the researchers say. “Binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals.”
The researchers also published two video demonstrations, showing two attack scenarios.
In the first video, the researchers demonstrated how the malware installed on the air-gapped computer collected data, converted it into binary and then blinked the LED accordingly. At the same time, the infected camera captured this pattern and the malware installed on the camera converted the Morse-code-like signal back into binary data.
In the second video, another internally connected camera installed outside the premises (in the parking area) transmitted the stolen binary data to the attackers sitting in a car, using its IR LEDs in Morse-code-like patterns.
Attackers can simply capture the blinking of the CCTV camera using their own camera and decode the data later.
Here the infected CCTV camera is working as a bridge between the air-gapped computer and the remote attackers, offering a bi-directional covert channel.
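As an added illustration (not from the article or the researchers' own code) of how such on/off keying of an LED shows up in the brightness trace of a camera feed, and of a defender-side check that flags it and recovers the payload for incident analysis. The 100 Hz sample rate, the 10101010 sync pattern and the brightness levels are assumptions made for the example, not values from the paper.

```python
BIT_RATE = 20            # bits/s, the exfiltration rate quoted in the article
SAMPLE_RATE = 100        # assumed sample rate of the monitored feed (assumption)
SAMPLES_PER_BIT = SAMPLE_RATE // BIT_RATE   # 5 samples per bit
PREAMBLE = "10101010"    # assumed sync pattern (assumption, not from the paper)

def modulate(payload):
    """Constructed brightness trace: on/off keying of PREAMBLE + payload bits."""
    bits = PREAMBLE + "".join(f"{b:08b}" for b in payload)
    trace = []
    for i, bit in enumerate(bits):
        level = 200 if bit == "1" else 20      # LED on vs. off, 0-255 scale
        # small deterministic jitter stands in for sensor noise
        trace.extend(level + ((i * 7) % 5) for _ in range(SAMPLES_PER_BIT))
    return trace

def run_lengths(trace, threshold=110):
    """Threshold the trace and collapse it into [level, length] runs."""
    runs = []
    for sample in trace:
        level = 1 if sample > threshold else 0
        if runs and runs[-1][0] == level:
            runs[-1][1] += 1
        else:
            runs.append([level, 1])
    return runs

def detect_ook(trace, threshold=110):
    """Return (suspicious, estimated_bit_rate).

    Natural flicker gives run lengths with no common base period; a data
    stream gives runs that are all integer multiples of one symbol period.
    """
    runs = run_lengths(trace, threshold)
    if len(runs) < 8:                      # too few transitions to be data
        return False, 0.0
    base = min(length for _, length in runs)
    aligned = sum(1 for _, length in runs
                  if abs(length / base - round(length / base)) < 0.2)
    return aligned / len(runs) > 0.9, SAMPLE_RATE / base

def demodulate(trace, threshold=110):
    """Recover payload bytes from a flagged trace (for analysis of a capture)."""
    runs = run_lengths(trace, threshold)
    base = min(length for _, length in runs)
    bits = "".join(("1" if lvl else "0") * round(length / base)
                   for lvl, length in runs)
    start = bits.find(PREAMBLE)
    if start < 0:
        return b""
    data = bits[start + len(PREAMBLE):]
    return bytes(int(data[i:i + 8], 2) for i in range(0, len(data) - 7, 8))
```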
It’s not the first time Ben-Gurion researchers have come up with a technique to target air-gapped computers. Their previous research on hacking air-gapped computers includes:
- USBee attack that can be used to steal data from air-gapped computers using radio frequency transmissions from USB connectors;
- DiskFiltration attack that can steal data using sound signals emitted from the hard disk drive (HDD) of the targeted air-gapped computer;
- BitWhisper that relies on heat exchange between two computer systems to stealthily siphon passwords or security keys;
- AirHopper that turns a computer’s video card into an FM transmitter to capture keystrokes;
- Fansmitter technique that uses noise emitted by a computer fan to transmit data; and
- GSMem attack that relies on cellular frequencies.
For more details on the latest aIR-Jumper attack, you can head onto the paper [PDF] titled, ‘aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR).’