In recent years, several cybersecurity researchers demonstrated innovative ways to covertly exfiltrate data from a physically isolated air-gapped computer that can't connect wirelessly or physically with other computers or network devices.
These clever ideas rely on exploiting little-noticed emissions of a computer's components, such as light, sound, heat, radio frequencies, or ultrasonic waves, and even using the current fluctuations in the power lines.
For instance, potential attackers could sabotage supply chains to infect an air-gapped computer, but they can't always count on an insider to unknowingly carry a USB with the data back out of a targeted facility.
When it comes to high-value targets, these unusual techniques, which may sound theoretical and useless to many, could play an important role in exfiltrating sensitive data from an infected but air-gapped computer.
How Does the Brightness Air-Gapped Attack Work?
In his latest research with fellow academics, Mordechai Guri, the head of the cybersecurity research center at Israel's Ben Gurion University, devised a new covert optical channel using which attackers can steal data from air-gapped computers without requiring network connectivity or physically contacting the devices.
"This covert channel is invisible, and it works even while the user is working on the computer. Malware on a compromised computer can obtain sensitive data (e.g., files, images, encryption keys, and passwords), and modulate it within the screen brightness, invisible to users," the researchers said.
The fundamental idea behind encoding and decoding of data is similar to the previous cases, i.e., malware encodes the collected information as a stream of bytes and then modulate it as '1' and '0' signal.
In this case, the attacker uses small changes in the LCD screen brightness, which remains invisible to the naked eye, to covertly modulate binary information in morse-code like patterns
"In LCD screens each pixel presents a combination of RGB colors which produce the required compound color. In the proposed modulation, the RGB color component of each pixel is slightly changed."
"These changes are invisible, since they are relatively small and occur fast, up to the screen refresh rate. Moreover, the overall color change of the image on the screen is invisible to the user."
The attacker, on the other hand, can collect this data stream using video recording of the compromised computer's display, taken by a local surveillance camera, smartphone camera, or a webcam and can then reconstruct exfiltrated information using image processing techniques.
As shown in the video demonstration shared with The Hacker News, researchers infected an air-gapped computer with specialized malware that intercepts the screen buffer to modulate the data in ASK by modifying the brightness of the bitmap according to the current bit ('1' or '0').
You can find detailed technical information on this research in the paper [PDF] titled, 'BRIGHTNESS: Leaking Sensitive Data from Air-Gapped Workstations via Screen Brightness,' published yesterday by Mordechai Guri, Dima Bykhovsky and Yuval Elovici.
Air-Gapped Popular Data Exfiltration Techniques
It's not the first time Ben-Gurion researchers came up with a covert technique to target air-gapped computers. Their previous research of hacking air-gap machines include:
- PowerHammer attack to exfiltrate data from air-gapped computers through power lines.
- MOSQUITO technique using which two (or more) air-gapped PCs placed in the same room can covertly exchange data via ultrasonic waves.
- BeatCoin technique that could let attackers steal private encryption keys from air-gapped cryptocurrency wallets.
- aIR-Jumper attack that takes sensitive information from air-gapped computers with the help of infrared-equipped CCTV cameras that are used for night vision.
- MAGNETO and ODINI techniques use CPU-generated magnetic fields as a covert channel between air-gapped systems and nearby smartphones.
- USBee attack that can be used to steal data from air-gapped computers using radio frequency transmissions from USB connectors.
- DiskFiltration attack that can steal data using sound signals emitted from the hard disk drive (HDD) of the targeted air-gapped computer;
- BitWhisper that relies on heat exchange between two computer systems to stealthily siphon passwords or security keys;
- AirHopper that turns a computer's video card into an FM transmitter to capture keystrokes;
- Fansmitter technique that uses noise emitted by a computer fan to transmit data; and
- GSMem attack that relies on cellular frequencies.