Researchers in Israel have shown off a novel technique that would allow attackers to wirelessly command devices using a laser light, bypassing so-called air gaps.
When hackers infect computers with malware, they generally communicate with their code over the internet via a command-and-control server. But firewalls and intrusion detection systems can block communication going to and from suspicious domains and IP addresses.
To bypass these normal detection methods, researchers in Israel have devised a novel way to communicate covertly with malware. The technique uses a flatbed scanner as the gateway through which an attacker can send commands to their malware on a victim's network.
The attack works by using a light source in the vicinity of the scanner to signal commands through the scanner to malware. The technique can be used to erase important files on a computer or network before an important meeting, trigger ransomware to encrypt files and systems, or launch a logic bomb already planted on a network to shut down computers or do something else. The attack could even conceivably be used against industrial control systems to shut down processes on so-called "air-gapped" networks, which aren't directly connected to the internet.
The researchers tested their attack using the command "erase file xxx.doc" sent from a laser positioned on a stand outside a glass-walled building from 900 meters away as well as via a laser attached to a drone outside an office window. But the attack would also work by hijacking an existing light source installed near the scanner, such as a smart bulb. The researchers performed a successful attack by hijacking a smart bulb from a car in a parking lot adjacent to a building.
The work was conducted by Ben Nassi, a graduate student at the Cyber Security Research Center at Ben-Gurion University, and his advisor Yuval Elovici, based on an idea suggested by Adi Shamir, the famed cryptographer whose name is the S in RSA Security.
The lab in Israel specializes in security research on air-gapped systems. Most of their previous work has focused on various ways to extract data, such as passwords, from air-gapped systems—using radio signals, electromagnetic waves, heat emissions, or the fan inside a computer. But this is the first successful test they've conducted to send data to a victim's network, though the method could be used in reverse to extract data as well.

How It Works
Scanners work by detecting reflected light on their glass pane. The light creates a charge that the scanner translates into binary, which gets converted into an image. But scanners are sensitive to any changes of light in a room—even when paper is on the glass pane or when the light source is infrared—which changes the charges that get converted to binary. This means signals can be sent through the scanner by flashing light at its glass pane using either a visible light source or an infrared laser that is invisible to human eyes.
There are a couple of caveats to the attack—the malware to decode the signals has to already be installed on a system on the network, and the lid on the scanner has to be at least partially open to receive the light. It's not unusual for workers to leave scanner lids open after using them, however, and an attacker could also pay a cleaning crew or other worker to leave the lid open at night.
Once the malware is installed on a computer in the target organization, it scans the internal network for the presence of a scanner. The malware initiates a scan at a scheduled time, for example at night when no one is in the office, or at periodic intervals, and the attacker's laser or the hijacked lightbulb initiates signaling at the same time. The commands are sent in binary by turning the laser on and off—to signal a "1" or "0" respectively. A prefix and suffix binary—1001—inserted before and after each command tells the malware when a command is being sent. The malware decodes the command from the binary and can even send back a response to acknowledge receipt.
The researchers first conducted an attack using a laser mounted on a stand 900 meters outside a glass-walled office building, known in the construction trade as a curtain wall. Even though the scanner was on the building's third floor, the stand on the ground outside had line-of-sight with it. The researchers used a visible green-light laser, since glass-walled buildings use filtered glass that blocks ultraviolet rays and infrared. The second experiment used a commercial drone flown outside the windows from 20 meters away.
"Because most offices do have curtain walls, it makes it possible for a visible laser to [penetrate]," Nassi told Motherboard.
It took 50 milliseconds to transmit each bit of the command. The entire 64-bit message took about three seconds. In both tests, the malware read the signal in real-time and acknowledged receipt by triggering a second scan once the command sequence ended. A video recorder mounted on the drone and a telescopic camera on the stand recorded the receipt response.
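The framing described above (one bit per 50 ms, light on = 1, light off = 0, each command wrapped in the marker 1001) is simple enough to watch for on the defender's side. The following detector is an added example, not the researchers' code: it runs over a constructed series of scanner-brightness samples, thresholds them into bits, and reports any burst framed by 1001. The 5 percent brightness drop from the smart-bulb test is used as the threshold; the fixed 56-bit payload (so that a whole frame is 64 bits, matching the message length reported) and the ASCII encoding of the payload are assumptions of this example.

```python
"""Detector for the scanner light covert channel described in the article.
Added example, not the researchers' code. Brightness samples, the 5 % drop
threshold, the fixed 56-bit payload and its ASCII encoding are assumptions."""
from typing import List, Optional, Dict

FRAME_MARK = "1001"      # prefix and suffix the article describes
BIT_PERIOD_MS = 50       # one bit every 50 ms, per the article
PAYLOAD_BITS = 56        # assumed: 4 + 56 + 4 = 64-bit frame


def samples_to_bits(samples: List[float], baseline: float, drop: float = 0.05) -> str:
    """Threshold one brightness sample per bit period.
    A sample at least `drop` (5 %) below the idle baseline is light off = '0'."""
    return "".join("0" if s <= baseline * (1 - drop) else "1" for s in samples)


def extract_frame(bits: str, payload_bits: int = PAYLOAD_BITS) -> Optional[str]:
    """Return the payload between a prefix 1001 and a suffix 1001 that follows
    exactly `payload_bits` later; None if no such frame is present."""
    pos = bits.find(FRAME_MARK)
    while pos >= 0:
        body = pos + len(FRAME_MARK)
        end = body + payload_bits
        if bits[end:end + len(FRAME_MARK)] == FRAME_MARK:
            return bits[body:end]
        pos = bits.find(FRAME_MARK, pos + 1)   # marker may also occur inside data
    return None


def bits_to_ascii(payload: str) -> str:
    """Decode 8-bit ASCII groups (assumed payload encoding) for analyst triage."""
    return "".join(chr(int(payload[i:i + 8], 2)) for i in range(0, len(payload) - 7, 8))


def detect_covert_frame(samples: List[float], baseline: float) -> Optional[Dict[str, object]]:
    """Flag a framed burst in a brightness trace; returns the decoded payload and
    how long the whole 64-bit frame occupied the scanner, or None if clean."""
    payload = extract_frame(samples_to_bits(samples, baseline))
    if payload is None:
        return None
    frame_len = len(payload) + 2 * len(FRAME_MARK)
    return {"command": bits_to_ascii(payload), "duration_ms": frame_len * BIT_PERIOD_MS}


# Constructed trace: idle light, prefix, a 7-byte payload, suffix, idle light.
# Light on samples read 100.0, light off samples read 94.0 (a 6 % drop).
DEMO_BITS = "11" + FRAME_MARK + "".join(f"{ord(c):08b}" for c in "ERASE01") + FRAME_MARK + "11"
DEMO_SAMPLES = [100.0 if b == "1" else 94.0 for b in DEMO_BITS]

if __name__ == "__main__":
    print(detect_covert_frame(DEMO_SAMPLES, baseline=100.0))
```

A real deployment would sample the scanner's sensor or a light meter near it and alert on any framed burst during hours when no scan was scheduled by a human.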
Chris Sistrunk, an industrial control system expert with Mandiant, says the scanner attack could conceivably work to shut down systems and processes in a manufacturing plant if the process network has a scanner installed on it, or if the business IT network and processing networks aren't segmented from each other.
"If the scanner is on the IT network and there is no segmentation [between it and the process network] so that it could talk to a scanner, or there's little segmentation [between them] due to misconfiguration of a firewall—which we've all seen—then it's plausible," he told Motherboard.
Both laser attacks relied on line-of-sight to the scanners. But in cases where a scanner is out of sight, the researchers devised an attack that works by hijacking a smart bulb in the scanner's vicinity. Previous research by other groups has shown smart lights and bulbs to be vulnerable to attack.
"[D]espite the fact that [a] smart bulb does not contain any important information […] the bulb can cause big damage when used as a mediator in attacks," the researchers note in the paper they've published about their tests. "The attacker can either attack an IoT device whose purpose is to illuminate (e.g., a smart bulb) or attack an IoT device in which illumination is a side effect, (e.g., a smart TV)."
The Israeli researchers used a ransomware attack for this test, sending the command to encrypt data from a car in the parking lot. The driver of the car controlled the fluctuating lightbulb via Bluetooth from a Samsung Galaxy S4. The scanners they tested were able to detect even slight changes in brightness from the smart bulb—a 5 percent reduction of light—and in sequences that lasted less than 25 milliseconds, which would not be noticeable.
To guard against all of these attacks, the researchers say companies and organizations could disconnect their scanners from internal networks; but this would prevent workers from printing or faxing documents remotely to a multifunction printer/scanner. The better solution, they say, would be to set up a proxy system whereby the scanner is connected by wire to a computer on the organization's network that processes data from the scanner, rather than connecting the scanner directly to the network.