LCD pwn System: How to modulate screen brightness to covertly transmit data from an air-gapped computer... slowly

To be honest, it was the impracticality and inefficiency that first attracted us to this otherwise cunning exfiltration

43 Reg comments Got Tips?

Boffins from Ben-Gurion University of the Negev and Shamoon College of Engineering in Israel have come up with yet another TEMPEST-style attack to exfiltrate data from an air-gapped computer: leaking binary signals invisibly by slightly modulating the light coming off its monitor.

TEMPEST, or Telecommunications Electronics Material Protected from Emanating Spurious Transmission, refers to an NSA specification designed to prevent the capture of thermal, acoustic, optical, electronic, or kinetic device emanations that might convey information about a protected system.

The researchers who developed this screen illumination scheme, Mordechai Guri, Dima Bykhovsky, and Yuval Elovici, have done previous side channel transmission work: exploring ultrasonic data leakage (MOSQUITO), an escape route for Faraday-caged computers (ODINI); computer-smartphone data exchange via electrical fields (MAGNETO); acoustic signaling using fan modulation (FANSMITTER); and covert signaling via keyboard lights (CTRL-ALT-LED), among other techniques.

The latest paper from the trio, presented at the 12th CMI Conference on Cybersecurity and Privacy in November and just distributed via ArXiv, is called "BRIGHTNESS: Leaking Sensitive Data from Air-Gapped Workstations via Screen Brightness."

The utility of this technique looks fairly limited. The assumed target is a computer that's not connected to a network. And before the BRIGHTNESS attack can take place, this air-gapped device must be infected with malware, to install code for screen modulation. This could be achieved through an evil maid attack, prior supply chain meddling, or a USB stick drop attack, for example.

It also requires a device capable of picking up the emanations from the infiltrated target machine – a nearby video camera in this instance. There's a further assumption that the object of the attack isn't to capture information displayed on screen and that the camera doesn't have a direct view of the screen.

Given those circumstances, it's possible to modify the screen pixel intensity in a way that transmits data residing on the target machine – without anyone seeing that this is going on.

"This covert channel is invisible and it works even while the user is working on the computer," the researchers explain in their paper. "Malware on a compromised computer can obtain sensitive data (e.g., files, images, encryption keys and passwords), and modulate it within the screen brightness, invisible to users."


Boffins: Mixed-signal silicon can SCREAM your secrets to all


These modulations, which involve increasing the brightness of red pixels by 3 per cent to convey a binary '1' without any evident change, can nonetheless be reconstructed from video captured by a nearby security camera, smartphone camera, or webcam.

And when we say nearby, we're talking about within nine meters if the receiving device is a security camera or webcam and within 1.5 meters if it's smartphone.

Even if all these requirements are met, this isn't a quick process: Guri, Bykhovsky, and Elovici managed to exfiltrate the bit sequence ‘1010101010101010’ from a 19-inch display at a bitrate of 5 bit/sec using a camera six meters from the screen.

You can see just how tediously slow this is in a YouTube video showing the attack capturing text of A.A. Milne's "Winnie-the-Pooh" from the screen flicker coming off a PC in an office adjacent to a video camera.

Youtube Video

The boffins in their paper touch on potential countermeasures, like policies that restrict access to sensitive computers and polarized screen filters that hinder optical signaling. Would-be spies meanwhile may wish to revisit XKCD's security analysis about the utility of a $5 wrench before embarking on an elaborate penetration exercise. ®


Biting the hand that feeds IT © 1998–2020