How to leak data from an air-gapped PC – using, er, a humble scanner

Security researchers propose old-school gear as a covert command & control conduit

Cybercriminals managed to infect a PC in the design department of Contoso Ltd through a cleverly crafted spear-phishing campaign. Now they need a way to communicate with the compromised machine in secret.

Unfortunately, they know Contoso's impenetrable network defenses will detect commands sent to their malware.

To avoid detection, they have to send data through a channel not monitored by the company's IT security system, the Hyper IronGuard WallShield 2300, with its "military-grade" two-ply data leakage protection technology.

They consider several potential covert transmission techniques – inaudible sound, modulated light, even thermal manipulation of hardware – but none of these appear to be practical given their budgetary limitations and modest intellects.

Then one member of the three-person group recalls hearing about a security paper, "Oops!...I think I scanned a malware" [PDF], published earlier in March by researchers from two Israeli universities, Ben-Gurion University of the Negev and the Weizmann Institute of Science.

The other hackers are skeptical at first, but as they learn about the proposed technique, they become more open to trying it, particularly because it can be done with a drone. All of them love drones.

Scanner used to communicate with malware

The researchers, Ben Nassi and Yuval Elovici from Ben-Gurion University and Adi Shamir from the Weizmann Institute, describe a method for creating a covert communication channel between a compromised computer inside an organization and a scanner on the same network that happens to be near an external window.

The technique involves shining an external light, such as a laser or an infrared beam, through the window (or hijacking a manipulable internal light source) so that the illumination alters the scanner output to produce a digital file containing the desired command sequence.

To do so, the light must be connected to a micro-controller that modulates the binary-encoded commands from the server into light flashes that register with the scanner's sensors.

"Since the entire scanning process is influenced by the reflected light, interfering with the light that is illuminated on the pane will result in a different electrical charge which will therefore be parsed to a different binary representation of the scanned material," the paper explains.

The researchers describe setting a drone to hover outside a third-floor office window at a time when installed malware in the target organization had been instructed to begin scanning. With a transmission rate of 50 milliseconds per bit, they infiltrated the command "d x.pdf" to delete a test PDF file. The command sequence took 3.2 seconds to transmit using a laser mounted on the drone.
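For defenders, the mechanism described above suggests what to look for in scan output. The following is an added example, not code from the article or the paper: it flags scans showing regular full-width brightness bands, assuming a flatbed scanner records one line at a time so that light flashes during a scan appear as horizontal bands. The thresholds and both sample images are constructed.

```python
from statistics import median

def row_levels(image):
    """Background level per scan line. The median is used so that printed
    text, which darkens only part of a row, is not mistaken for a band."""
    return [median(row) for row in image]

def bands(levels, delta=40):
    """Run-length encode rows into [lit, height]; delta is an assumed threshold."""
    floor, runs = min(levels), []
    for level in levels:
        lit = level - floor > delta
        if runs and runs[-1][0] == lit:
            runs[-1][1] += 1
        else:
            runs.append([lit, 1])
    return runs

def looks_modulated(image, min_bands=6, tolerance=0.2):
    """True if the scan has many full-width bands whose heights share one unit."""
    inner = bands(row_levels(image))[1:-1]   # first/last band may be truncated
    if len(inner) < min_bands:
        return False
    unit = min(height for _, height in inner)
    if unit < 2:                             # one-row flicker is sensor noise
        return False
    return all(abs(h / unit - round(h / unit)) <= tolerance for _, h in inner)

def synthetic_scan(pattern, rows_per_slot=8, width=40):
    """Constructed sample: paper (200) with text rows (20); '1' slots are lit (+50)."""
    image = []
    for i in range(len(pattern) * rows_per_slot):
        row = [20 if (i % 6 < 3 and x % 3 == 0) else 200 for x in range(width)]
        if pattern[i // rows_per_slot] == "1":
            row = [min(255, pixel + 50) for pixel in row]
        image.append(row)
    return image

CLEAN = synthetic_scan("0" * 12)           # ordinary page, no external light
BANDED = synthetic_scan("010110100110")    # same page with regular lit bands

if __name__ == "__main__":
    print("clean scan flagged: ", looks_modulated(CLEAN))
    print("banded scan flagged:", looks_modulated(BANDED))
```

A check like this could run on a scan server or DLP gateway over images arriving from scanners near windows; a hit is a reason to look at the scanner and the host that requested the scan, not proof of compromise.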

The cyber thieves spend several days preparing to carry out their plan. But during the final rehearsal, one of them realizes it won't work because the attack requires the scanner to be at least partially open to register incoming light.

Although Contoso's precious secrets remain beyond their reach, all three soon get recruited by a Silicon Valley drone startup focused on pet transportation. ®
