[HN Gopher] Lasershark: Fast, bidirectional communication into a...
       ___________________________________________________________________
        
       Lasershark: Fast, bidirectional communication into air-gapped
       systems
        
       Author : dloss
       Score  : 123 points
       Date   : 2022-02-11 17:26 UTC (5 hours ago)
        
 (HTM) web link (intellisec.de)
 (TXT) w3m dump (intellisec.de)
        
       | anfractuosity wrote:
       | Related to reading information from LEDs, thought this paper was
       | cool - http://www.applied-math.org/optical_tempest.pdf (from
       | 2002)
       | 
       | "Dial-up and leased-line modems were found to faithfully
       | broadcast data transmitted and received by the device"
       | 
       | Edit: Also it looks like Loughry has proposed similar work, using
       | lasers and LEDs https://arxiv.org/pdf/1907.00479.pdf
        
         | KennyBlanken wrote:
         | Research 10+ years ago found that activity lights on many
         | network cards and switches at 10BaseT could reveal actual
         | network traffic.
         | 
         | Very quickly, major device manufacturers switched to buffered
         | activity LEDs and the attack became useless.
         | 
         | I remember at one point modems switched from flickering with
         | actual traffic to just slow blinking with activity.
        
       | Jerrrry wrote:
       | you can exfiltrate data at a bit/hour through power consumption.
       | 
        | Run while(1){sin(cos(tan(rand(1))));} for 1, nothing for 0, every
        | half hour, with a correctional bit thrown in for good measure.
       | 
       | measure the heat of the room via remote sensing, power
       | consumption, AC/air frequency analysis.
       | 
        | the NSA will have to add a layer of thermodynamic static noise in
        | addition to their rooms full of stereos blasting white noise.
       | 
        | a technically proficient attacker could infer the value of an
        | encryption key given the GDP of the nation-state, if the data was
        | granular enough.
        
         | extrapickles wrote:
         | Adding noise helps, but an attacker can trade bitrate for noise
         | immunity.
         | 
         | Probably the only way of keeping data secure would be to
         | heavily insulate (noise, thermal, RF, power, etc) the room so
         | that any signal would take weeks to pass through the
         | insulation, and then rotate your key material more often than
         | that. Opening the door would have to dump power to the room
         | before the door can be opened so an attacker couldn't leak data
         | out when people entered/left.
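The two comments above describe a load-modulated power covert channel (one slot per bit, a parity "correction" bit, and the receiver trading bitrate for noise immunity by integrating longer). The following is an added simulation of that channel, not code from the paper or from any commenter. The wattages, the noise model, the 32-byte payload and the slot lengths are constructed for illustration; what the example shows is that the same noise that wrecks decoding at 4 samples per bit is averaged away at 400.

```python
# Added example (not from the linked paper or any commenter): a simulation of
# the load-modulated power covert channel described above, with an even-parity
# "correction" bit per byte and a knob for trading bitrate against noise.
import random
from typing import List, Tuple

IDLE_W = 50.0      # assumed idle draw of the host, watts (constructed figure)
BUSY_W = 80.0      # assumed draw while spinning on sin/cos/tan (constructed)
THRESHOLD_W = (IDLE_W + BUSY_W) / 2
FRAME_BITS = 9     # 8 data bits + 1 even-parity bit


def encode_with_parity(data: bytes) -> List[int]:
    """Frame each byte as 8 data bits (MSB first) followed by one even-parity bit."""
    bits: List[int] = []
    for b in data:
        byte_bits = [(b >> i) & 1 for i in range(7, -1, -1)]
        bits.extend(byte_bits)
        bits.append(sum(byte_bits) % 2)
    return bits


def simulate_power_trace(bits: List[int], samples_per_bit: int,
                         noise_sd: float, rng: random.Random) -> List[float]:
    """One slot per bit: '1' = host kept busy, '0' = host idle.  Every sample in
    the slot carries independent Gaussian noise (added 'thermodynamic static'
    plus ordinary measurement noise).  Slot length in wall-clock terms is the
    bitrate the attacker gives up for noise immunity."""
    trace: List[float] = []
    for bit in bits:
        level = BUSY_W if bit else IDLE_W
        trace.extend(level + rng.gauss(0.0, noise_sd) for _ in range(samples_per_bit))
    return trace


def decode_trace(trace: List[float], samples_per_bit: int) -> Tuple[bytes, List[int]]:
    """Average each slot, threshold it to a bit, then strip parity bits.
    Returns (decoded bytes, indices of frames whose parity check failed)."""
    n_bits = len(trace) // samples_per_bit
    bits = []
    for k in range(n_bits):
        slot = trace[k * samples_per_bit:(k + 1) * samples_per_bit]
        bits.append(1 if sum(slot) / len(slot) > THRESHOLD_W else 0)
    decoded = bytearray()
    bad_frames: List[int] = []
    for f in range(len(bits) // FRAME_BITS):
        frame = bits[f * FRAME_BITS:(f + 1) * FRAME_BITS]
        payload, parity = frame[:8], frame[8]
        if sum(payload) % 2 != parity:       # parity only catches odd error counts
            bad_frames.append(f)
        value = 0
        for bit in payload:
            value = (value << 1) | bit
        decoded.append(value)
    return bytes(decoded), bad_frames


def run_channel(data: bytes, samples_per_bit: int, noise_sd: float,
                seed: int = 1) -> Tuple[bytes, List[int]]:
    """End to end: encode, 'measure' a noisy power trace, decode."""
    rng = random.Random(seed)
    trace = simulate_power_trace(encode_with_parity(data), samples_per_bit, noise_sd, rng)
    return decode_trace(trace, samples_per_bit)


if __name__ == "__main__":
    secret = b"0123456789abcdef0123456789abcdef"   # constructed 32-byte payload
    # Same noise level, two slot lengths: the receiver averages 4 vs 400 samples per bit.
    for spb in (4, 400):
        out, bad = run_channel(secret, spb, noise_sd=40.0)
        print(f"{spb:4d} samples/bit: {len(bad)} bad frames, intact={out == secret}")
```

With a 15 W margin between the threshold and either level, noise of 40 W per sample leaves a 0.75 sigma margin when only four samples are averaged (roughly one bit in four decodes wrong), but a 7.5 sigma margin at 400 samples, which is why the long-slot run comes back intact. The parity bit tells the receiver which frames to distrust; it does not correct them, so a real sender would retransmit or use a proper error-correcting code.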
        
           | Jerrrry wrote:
           | rotating the keys quicker than they can be exfiltrated, and
           | expanded.
           | 
           | similar to the original reason password rotation exists -
           | that the hashes of passwords to all users were known to all
           | parties, and were assumed cracked after a certain timeframe -
           | passwords were required to be changed before that cyclic
           | window.
           | 
            | similarly, captchas for high-sensitive sites embed the
           | domain in the captcha, and only allow the captcha for a small
           | timeframe. it then has a delay to show/fetch the captcha
           | challenge, and must be completed/expires quickly. this
           | reduces the chance of a MitM attack or a phishing attack to
           | nil.
           | 
            | ultimately, if you want to prevent information leakage,
            | you'll have to create an event horizon surrounding the secret.
           | and even then, Hawking predicts that black holes sweat, so
           | even then, your 2^^8^^8 key is still derivable from
            | collecting and de-entropizing the sweated muons of a photon-
            | sphere.
           | 
           | *: unless you use reversible computing to generate the
           | secret, then reverse the computation, but keep the result.
           | this prevents people in the future from collecting
           | information on current wave-states, barring entanglement.
        
             | dr_dshiv wrote:
             | What. The. F
        
               | bitexploder wrote:
               | The nuts and bolts of information theory, of course.
        
         | FredPret wrote:
          | > a technically proficient attacker could infer the value of an
          | encryption key given the GDP of the nation-state, if the data
          | was granular enough
         | 
         | I wonder if even knowing every transaction down to the cent is
         | granular enough
        
         | aaaaaaaaaaab wrote:
          | >a technically proficient attacker could infer the value of an
          | encryption key given the GDP of the nation-state, if the data
          | was granular enough
         | 
         | Hm. So maybe the recent spike in inflation is just a series of
         | ones in an RSA key?
        
       | forgotmyoldacc wrote:
        | How often are attackers hacking an air-gapped device but have line
       | of sight? It seems fairly implausible.
        
         | locusofself wrote:
         | Right. In the SCIFs I have been in, if there even are windows,
         | the blinds remain drawn at all times.
        
           | Ansil849 wrote:
           | > In the SCIFs I have been in, if there even are windows, the
           | blinds remain drawn at all times.
           | 
           | Windows are discouraged in SCIF construction, though not
           | outright against spec. Aside from visual controls like
           | blinds/curtains, IR/RF controls like RF film over the glass
           | panes are also mandatory.
        
         | alksjdalkj wrote:
         | I think it's common to have multiple systems on different
         | airgapped networks in the same room. So if one of the networks
         | were compromised this could let you pivot to another network.
         | Or if they're both compromised it would give a way to exfil
         | from one to the other.
        
         | phoe-krk wrote:
         | A telescope looking through a proper window at nighttime could
         | be enough. Some LEDs are powerful enough to illuminate a large
         | chunk of an otherwise dark room.
        
           | jaywalk wrote:
           | The point is that the air-gapped system would have to be
           | compromised first.
        
             | 0xCMP wrote:
             | _And not in a windowless room already_.
             | 
             | How many air gapped systems are running next to a Window?
             | 
             | Although I guess you can use this as evidence: if it needs
             | to be air-gapped it also needs to be in a windowless room
             | or some kind of sealed container.
        
               | bentcorner wrote:
               | How long before we have people shooting cosmic rays at
               | air-gapped systems in windowless rooms and measuring bit
               | flips?
        
             | rgj wrote:
             | Most of the time the system is compromised before being in
             | an air gapped setup, for instance in the supply chain.
        
             | [deleted]
        
         | adwww wrote:
         | You could potentially use a UAV for a sophisticated cyber
         | attack on a specific system.
        
       | 1970-01-01 wrote:
       | When you have sensitive data that needs to be air-gapped, but not
       | so sensitive it can't be behind a pane of glass.
        
         | stevehawk wrote:
         | You would probably (not?) be surprised by the number of
         | government buildings actively using classified data on
         | computers that ignore the 2 major rules: 1) never have a
         | monitor visible from outside of the building and (2) keep your
         | window blinds closed. I spent a decade watching people actively
         | ignore that rule.
        
           | jacquesm wrote:
           | And here I was thinking putting my monitors at right angles
           | to the windows was paranoid :)
        
         | castillar76 wrote:
         | Wouldn't be the first time someone's put ultra-sensitive
         | equipment in a glass box so they could "show it off to all the
         | executives who come through". :)
        
         | jason-phillips wrote:
         | Behind pane-of-glass is not good enough, unfortunately. You
         | typically have counter-measures in place to detect when someone
         | is firing a laser at your exterior glass windows to exfiltrate
         | data/IP. I assume it can/does happen.
        
           | Ansil849 wrote:
           | > You typically have counter-measures in place to detect when
           | someone is firing a laser at your exterior glass windows to
           | exfiltrate data/IP. I assume it can/does happen.
           | 
           | It does, either in films or intelligence lore, but not for
           | all intents and purposes, in regular life (regular life
           | including corporate espionage). As for counter-measures:
           | curtains.
        
             | jason-phillips wrote:
             | I guess I don't live a "regular life", but those counter-
             | measures exist where I've worked.
        
               | Ansil849 wrote:
               | Unless you were working for an intelligence agency, if
               | your organization was sold TSCM against laser-based
               | surveillance, then the organization was taken for a ride
               | by the security contractor; you weren't also sold birds
               | of prey to protect against UAS too, were you? (Yeah,
               | that's a thing too [1]).
               | 
               | It's a bit like being sold flood protection insurance if
               | your data warehouse is in the desert. In other words, it
               | just doesn't happen realistically, and there are a
               | million and one other much more practical technical
               | surveillance counter measures to spend a likely very-
               | limited security budget on.
               | 
               | [1] https://guardfromabove.com/
        
               | jason-phillips wrote:
               | This specific entity has suffered billions in losses due
               | to IP theft in the past.
               | 
               | When your unit of accounting is such that six figures is
               | a rounding error, they can afford it. And for good
               | reason.
               | 
               | I wouldn't expect you to have knowledge of their
               | operations. The only reason I do is because I was close
               | with the head of security. But I will make sure to pass
               | along your expert advice next time I'm there.
        
               | Ansil849 wrote:
               | No reason to get weirdly defensive. The reality is that
               | realistically no one in the corporate espionage sector
               | uses lasers to either exfiltrate or infiltrate data,
               | because there are a million easier ways to do so which
               | aren't a nightmare to implement. There has been a very,
               | very, very tiny amount of times lasers have been employed
               | for state espionage, let alone corporate espionage.
        
               | [deleted]
        
               | gte525u wrote:
               | Flood insurance in the desert may be a bad example. There
               | is a reason Arizona has the "stupid motorist" law and it
               | has to do with soil dynamics in rain in the desert.
        
               | Ansil849 wrote:
               | Sure, the analogy is imperfect, but the point is if you
               | just spend a sizable chunk of your physec budget to guard
               | against a virtually-unused attack vector, you now have
               | that much less to spend to guard against much more common
               | threats like a break-in.
        
         | Fordec wrote:
          | Lots of electronics in industrial environments (e.g. ATEX
         | ratings) in potentially explosive environments typically have
         | this problem. But magnetic transfer is far lower data rate than
         | this.
        
       | djinnandtonic wrote:
       | I don't understand why this is called an attack. Looks like just
       | a (very cool!) communication protocol, over an unusual medium?
        
       | contingencies wrote:
       | _While LEDs are designed to emit light and can thus unnoticeably
       | encode information through high-frequency flickering, their
       | ability to also perceive light is largely unknown in the security
       | community. In particular, by directing a laser on the LEDs of
       | office devices, we induce a measurable current in the hardware
       | that can be picked up by its firmware and used to receive
       | incoming data._
       | 
       | They are firing a laser at an LED under the following
       | assumptions.
       | 
       | 1. They already have arbitrary code execution on the device but
       | want to open a bidirectional communication channel. 2. It is
       | possible to reprogram the GPIO port to function as an input (not
       | always possible, since ports may be output only). 3. They can
       | induce a large enough current through firing a laser at the LED
       | to exceed the GPIO threshold voltage for said port. 4. They have
       | a suitable line of sight to the LED, ie. it is both facing them
       | and not recessed, and there is no oblique or low-opacity window
       | between them and the air-gapped asset. 5. They can get close
       | enough to launch the attack.
        
       | squarefoot wrote:
        | I briefly skimmed the paper; it looks like they're using pwm but
        | not at its full potential. I would use it also as a
        | synchronization means, that is, the attacker points the led/laser
        | and receiver to the target led, the attacker sends a signal like
        | say a 10% modulated pwm, save for a 50% wide start bit which
        | marks the start of the word being transmitted, then the bits are
        | modulated like 10% for 1 and 20% for 0, or the other way around.
        | Basically, the attacker talks 20% of each cycle, and listens for
        | the remaining 80%. The target led can then be read to detect
        | those signals and sync itself to the signal received so that
        | when replying it just modulates the led during the remaining
        | time of each duty cycle. The attacker, just by maintaining the
        | link, will receive both the echo of its transmission and the
        | target's reply. That's just an idea, however; I'm not implying
        | I would be able to implement it effectively :).
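The scheme sketched above (long start pulse for sync, short duty cycles for data, the target answering in the part of each cycle the laser leaves idle) is easy to get wrong at the timing level, so here it is as an added sample-level simulation. This is not code from the paper or from the commenter: the duty cycles, the 60-90% reply window, the sync rule and the sample resolution are all assumptions made for the example, and the "photocurrent" is a 0/1 sample stream rather than an ADC reading.

```python
# Added example (not from the paper or from the commenter): a sample-level
# simulation of the time-division PWM link sketched above. Duty cycles, the
# reply window and the sync rule are assumptions made here.
from typing import List, Optional, Tuple

SAMPLES_PER_CYCLE = 100      # one PWM period, modelled as 100 equal time slots
START_DUTY = 0.50            # start bit: laser on for 50% of the cycle
ONE_DUTY = 0.10              # attacker data '1': laser on for 10%
ZERO_DUTY = 0.20             # attacker data '0': laser on for 20%
SYNC_MIN = 0.35              # any on-run at least this long is taken as a start bit
REPLY_WINDOW = (0.60, 0.90)  # target drives its LED here, while the laser is off


def attacker_cycle(duty: float) -> List[int]:
    n_on = round(duty * SAMPLES_PER_CYCLE)
    return [1] * n_on + [0] * (SAMPLES_PER_CYCLE - n_on)


def attacker_frame(byte: int) -> List[int]:
    """Start bit, then 8 data cycles, MSB first, flattened to samples."""
    cycles = [attacker_cycle(START_DUTY)]
    for i in range(7, -1, -1):
        cycles.append(attacker_cycle(ONE_DUTY if (byte >> i) & 1 else ZERO_DUTY))
    return [s for c in cycles for s in c]


def target_firmware(laser: List[int], reply_byte: int) -> Tuple[Optional[int], List[int]]:
    """What the compromised device does with the photocurrent it samples from
    its LED: find the start bit, decode one byte, and answer one bit per cycle
    in the idle part of that same cycle. Returns (byte received, LED drive)."""
    n = SAMPLES_PER_CYCLE
    led = [0] * len(laser)
    start = None
    i = 0
    while i < len(laser):                      # look for the long start pulse
        if laser[i]:
            j = i
            while j < len(laser) and laser[j]:
                j += 1
            if j - i >= SYNC_MIN * n:
                start = i
                break
            i = j
        else:
            i += 1
    if start is None:                          # no frame seen: stay quiet
        return None, led
    received = 0
    lo, hi = round(REPLY_WINDOW[0] * n), round(REPLY_WINDOW[1] * n)
    for k in range(8):
        c0 = start + (k + 1) * n               # k-th data cycle after the start bit
        on_samples = sum(laser[c0:c0 + n])
        bit = 1 if on_samples < (ONE_DUTY + ZERO_DUTY) / 2 * n else 0
        received = (received << 1) | bit
        if (reply_byte >> (7 - k)) & 1:        # reply while the laser is quiet
            for s in range(c0 + lo, c0 + hi):
                led[s] = 1
    return received, led


def attacker_decode_reply(observed: List[int], frame_start: int) -> int:
    """The attacker's photodiode sees its own echo plus the LED; it knows where
    its frame started, so it inspects only the reply window of each data cycle."""
    n = SAMPLES_PER_CYCLE
    lo, hi = round(REPLY_WINDOW[0] * n), round(REPLY_WINDOW[1] * n)
    reply = 0
    for k in range(8):
        c0 = frame_start + (k + 1) * n
        window = observed[c0 + lo:c0 + hi]
        reply = (reply << 1) | (1 if sum(window) > len(window) // 2 else 0)
    return reply


def run_exchange(tx_byte: int, reply_byte: int,
                 phase_offset: int = 37) -> Tuple[Optional[int], int]:
    """Full round trip with an arbitrary phase offset the target must recover."""
    laser = [0] * phase_offset + attacker_frame(tx_byte) + [0] * SAMPLES_PER_CYCLE
    received, led = target_firmware(laser, reply_byte)
    observed = [a | b for a, b in zip(laser, led)]   # echo and reply superimposed
    return received, attacker_decode_reply(observed, phase_offset)


if __name__ == "__main__":
    print(run_exchange(0xA5, 0x3C))   # (165, 60): both directions survive the trip
```

The start bit does double duty: it is the only on-run longer than 35% of a cycle, so the target can lock onto it without knowing the attacker's phase, and from then on every cycle boundary is known to both sides. Because the attacker's data pulses never extend past 20% of a cycle and the reply window starts at 60%, the echo and the reply never overlap in the attacker's receiver.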
        
       | etrautmann wrote:
       | Could an LCD display be used as a sensor?
        
         | giantrobot wrote:
          | IIRC the Apple Newtons used a thermocouple integrated into the
         | LCD to help keep the contrast adjusted to the user-set level as
         | the temperature of the device changed. There was at least one
         | application that would read the current contrast setting of the
         | screen and infer the temperature. I don't remember it being
         | super accurate but it worked.
         | 
         | The Newtons had grayscale LCDs with manually adjusted contrast.
         | The MP130 and later also had an electro-luminescent backlight
         | but it was not always active. So the user contrast setting was
         | very important to maintain for screen visibility.
        
         | upofadown wrote:
         | The display processor would have to have some way to turn off
         | the backlight LEDs and then sense the voltage generated by the
         | laser. It is unlikely that the signal would be able to get back
         | through whatever power device controlled the backlight power to
         | get to a processor pin. The rest of the LED strings would
         | probably load the signal down.
        
       | jppope wrote:
       | I had to upvote just based on the name. the doctor evil reference
       | is hilarious
        
         | [deleted]
        
       | sigg3 wrote:
       | If you want to effectively bridge an airgap you compromise
       | someone on the inside.
        
       | camjohnson26 wrote:
       | Reminds me of this tweet:
       | 
       | "Tech enthusiasts: My entire house is smart.
       | 
       | Tech workers: The only piece of technology in my house is a
       | printer and I keep a gun next to it so I can shoot it if it makes
       | a noise I don't recognize."
       | 
       | Honestly I'm starting to operate under the assumption that
       | anything can be hacked with enough focus and determination.
       | Obscurity isn't such a bad defense in the long run.
       | 
       | https://twitter.com/PPathole/status/1116670170980859905?s=20...
        
         | Terry_Roll wrote:
         | > Obscurity isn't such a bad defense in the long run.
         | 
         | Correct, and education can be seen as a form of mass brain
         | washing employed by the state on the population. With that in
         | mind, are private schools & colleges a breeding ground for
         | criminals or certain beliefs and their easy access into
         | strategic parts of society?
         | https://en.wikipedia.org/wiki/School_tie#Old_school_tie
         | https://en.wikipedia.org/wiki/Old_boy_network
         | 
         | I wonder how hard it would be to make this dual use and have it
         | working as a laser microphone that can detect the sound
         | vibrations on materials like glass windows?
         | 
         | Suddenly non contact blackout blinds become useful even in a
         | conservatory!
        
         | batch12 wrote:
         | As a part of a defense-in-depth strategy, sure. Where we get in
         | trouble is when it's the only layer.
        
           | buscoquadnary wrote:
            | To this I respond with the only valuable threat matrix for an
           | individual I've ever seen.
           | 
           | Threat: Ex-girlfriend/boyfriend breaking into your email
           | account and publicly releasing your correspondence with the
           | My Little Pony fan club
           | 
           | Solution: Strong Passwords
           | 
           | Threat: Organized criminals breaking into your email account
           | and sending spam using your identity
           | 
           | Solution: Strong passwords + common sense (don't click on
           | unsolicited herbal Viagra ads that result in keyloggers and
           | sorrow)
           | 
           | Threat: The Mossad doing Mossad things with your email
           | account
           | 
           | Solution: * Magical amulets?
           | 
           | * Fake your own death, move into a submarine?
           | 
           | * YOU'RE STILL GONNA BE MOSSAD'ED UPON
           | 
           | All credit to James Mickens for the above.
           | 
           | My point being that if someone is that committed to
           | compromising your air gapped system they're going to find a
           | way. Especially if they can just slip the janitor $10,000 to
           | put a USB labelled "Barely Legal Gone Wild" into the machine
            | while vacuuming.
        
             | na85 wrote:
             | > Especially if they can just slip the janitor $10,000 to
             | put a USB labelled "Barely Legal Gone Wild" into the
              | machine while vacuuming.
             | 
             | Part of Defensive Depth includes vetting and requiring the
             | janitor who cleans the SCIF to themselves also hold a
             | security clearance.
             | 
             | Your cited example is also why Counterintelligence is a
             | thing. It's not enough to trust your processes; you also
             | have to probe them.
             | 
             | When I was in the military I met a guy whose job was to
             | pentest (among other things) nuclear weapons facilities and
             | NORAD defense installations, specifically their computer
             | equipment. He had some pretty wild stories; suffice it to
             | say the ladder trick doesn't work when you are trying to
             | access an ICBM solo.
        
               | alksjdalkj wrote:
               | > Part of Defensive Depth includes vetting and requiring
               | the janitor who cleans the SCIF to themselves also hold a
               | security clearance.
               | 
               | Sure, but no amount of vetting is going to be perfect.
               | Maybe the vetting missed something, maybe some
               | circumstance changed between now and the most recent re-
               | up, maybe instead of $10k it's $10M, etc.
               | 
               | A better solution is to physically disable the USB ports.
        
               | ahazred8ta wrote:
               | There are security testers in DC with a good track record
               | of getting into government buildings. "Who are you and
               | what are you doing here?" "I've brought chocolate cake."
               | "Oooo!!"
        
               | kingcharles wrote:
               | Everyone will break. Even the janitor who passed
               | clearance. Threaten his wife, see how long he cares about
               | his clearance. When the government was trying to break me
               | I was all macho, "I ain't saying shit", until the second
               | they threatened to hurt my wife, then I was a little
               | bitch who would have woofed and begged for treats had
               | they asked.
        
             | closetohome wrote:
             | My old boss was very disturbed when we explained to him
             | that our small business with one IT guy can't really defend
             | against state-level actors who are intent on getting into
             | our systems.
             | 
             | I'm still not sure why he was worried about that.
        
       | Ansil849 wrote:
       | > For our attacker model, we assume that an initial compromise
       | has happened on the target device through the software supply-
       | chain similar to the incidents at SolarWinds [8] and CodeCov [7].
       | For example, a regular update of the device's firmware might
       | unnoticeably add the necessary code for sending and receiving
       | data through a built-in LED.
       | 
       | I mean, sure, if you have the ability to compromise the airgapped
       | device by running code on it then you could presumably be doing a
       | lot of things besides just leveraging potential LED line of
       | sight.
        
         | londons_explore wrote:
         | Lots of systems rely on air gaps heavily, and then aren't too
         | worried what the software on the machines is up to. For
         | example, if you are running a nuclear power plant and need a
         | printer, you probably aren't going to be hiring a team of
         | printer firmware developers. You're just going to buy an off-
         | the-shelf non-wifi printer, and use it offline.
        
           | Ansil849 wrote:
           | > you probably aren't going to be hiring a team of printer
           | firmware developers. You're just going to buy an off-the-
           | shelf non-wifi printer, and use it offline.
           | 
           | In such a scenario, you're also probably never, ever going to
           | be manually updating the printer's firmware.
        
             | londons_explore wrote:
             | But there's a reasonable chance someone evil works for the
             | printer company and every printer sold contains this
             | backdoor.
             | 
             | Or the FedEx driver who delivered it to the nuclear plant
             | flashed a modded firmware with the same version number?
             | 
             | How often have you disassembled your printer firmware and
             | given it a decent audit?
        
               | Ansil849 wrote:
               | > But there's a reasonable chance someone evil works for
               | the printer company and every printer sold contains this
               | backdoor.
               | 
               | If your threat model does legitimately consider this to
               | be a "reasonable chance", then your facility will be
               | printer-free.
        
               | sam0x17 wrote:
               | Don't forget toner has firmware in it these days ;)
        
               | Ansil849 wrote:
               | Facts! But seriously, if we're talking about the
               | realistic risks printers pose in most environments, it is
               | not having data exfiltrated via LED signaling or other
               | vanity supply chain injection attacks; the number one
               | risk is by having staff not dispose of sensitive
               | documents properly, whether it's leaving them out on
               | their desk or just chucking them in the bin, or taking
               | them home with them, etcetera.
               | 
               | Vanity attacks with branded names like this "Lasershark"
               | sound sexy and appealing, because they invoke James Bond-
               | style gadgetry and accompanying delusions of grandeur,
               | but real life is decidedly more prosaic: someone is going
                | to discover infinitely more intelligence while expending
               | exponentially less time and energy by just good old
               | fashioned dumpster diving than by designing and
               | successfully implementing a novel airgap exfiltration
               | methodology.
        
               | upsidesinclude wrote:
               | Agreed, this kind of thing always seems like a post-grad
                | experiment to get grant money from the bureaucratic fear
               | mongers. I had to sit through a symposium on quantum
               | messaging with qubits via encrypted laser transmission.
               | It was literally line-of-sight and required impossibly
               | expensive field equipment....
        
           | upsidesinclude wrote:
           | Speaking with respect to non-nuclear builds, this is exactly
           | how the military operates. USS and USNS vessels utilize off
           | the shelf hardware for airgapped systems routinely, though
           | USB device usage is strictly prohibited. In practice however,
            | many unofficial semi-airgapped networks exist. Equipment may
           | require specialized software that is not purchased, but
           | licensed and can only be operated by a service technician.
           | The tech brings a preloaded laptop of questionable provenance
           | and initiates a firmware/software update and reboot. Every
           | company is vetted to some degree and employs background
           | investigation, to what effect is hard to determine.
        
           | WastingMyTime89 wrote:
           | The operating part of the network for safety critical
           | installation is shielded from the rest of the network by a
           | physical diode. This printer can receive data but can't send
           | anything back.
        
         | bootwoot wrote:
         | The air-gap is specifically to prevent exfiltration of data.
         | The air-gapped systems I have worked on had literally zero
         | checking on software added to the system. But all the USB and
         | media ports had super glue in them. An exploit that can't talk
         | to the outside world is not terribly useful in the general
         | case, although it's become lucrative with the rise of
         | ransomware.
        
           | closeparen wrote:
           | Or sabotage, as in Stuxnet.
           | 
           | Or privilege escalation, so that an insider threat can do
           | more damage than otherwise possible.
           | 
           | I don't think "it's airgapped so vulnerabilities don't
           | matter" really holds water.
        
           | _jal wrote:
           | > An exploit that can't talk to the outside world is not
           | terribly useful in the general case
           | 
           | That's not true at all. Stuxnet eventually communicated with
           | the outside world, in pretty spectacular fashion, and there
           | are stories of other less well-documented attacks.
           | 
           | I would agree that attacking systems without a gateway
           | generally takes more resources and discipline than something
           | you can just reinfect on demand.
           | 
           | In a different direction, I've had to do some thinking about
           | how to structure and use an always-offline CA. It is an
           | interesting set of constraints.
        
       | jonititan wrote:
       | It's neat but the characterisation of the sensing potential of
       | LEDs as relatively unknown is laughable. It's been known as far
        | back as Forrest Mims' seminal books on circuits.
        
       | vajrabum wrote:
       | I'd guess that means that going forward security conscious people
       | will be putting tape or covers over not only their cameras but
       | also over their LEDs.
       | 
       | In high security settings the buildings have no windows or have
       | fake windows to keep external laser signals out so that's not
       | new. That's been true since about the time someone figured out
       | you can reconstruct audio from the doppler of a laser reflected
       | off windows.
        
         | t-3 wrote:
         | I already cover all the LEDs with electrical tape. Not for
         | security, just because I hate unnecessary, over-bright blue
         | lights shining everywhere.
        
           | sgc wrote:
           | I recently learned the black sharpie tip somewhere. It works
           | like a charm.
        
         | suifbwish wrote:
         | Wouldn't they need physical access or at least line of sight to
            | the machine for this? Lasers don't go through walls or metal.
        
           | Ansil849 wrote:
           | > or at least line of sight to the machine for this?
           | 
           | Correct, and not just line of sight, but static line of
           | sight. The potential scenario here is something like if there
           | is a desk phone on someone's desk visible from the window
           | that you want to monitor (and you also manage to successfully
           | install custom firmware on the phone).
        
       | abi wrote:
       | How do I go about installing receiver in the air-gapped system in
       | the first place? I'm a little confused on that.
        
         | bentcorner wrote:
         | The pre-print goes over the infiltration process - basically
         | you shoot a laser at an LED on the air-gapped system, it
         | induces a current, and you measure that current.
        
         | kybernetyk wrote:
         | Yes, and why not install a WiFi dongle instead if I have
         | physical access?
        
           | lann wrote:
           | To this specific point, SCIFs (https://en.m.wikipedia.org/wik
           | i/Sensitive_compartmented_info...) are (allegedly) protected
           | by faraday cages.
        
         | tgsovlerkhgsel wrote:
         | This does not help with the initial compromise, but they
         | demonstrate that with a _software-only change_ , you can use
         | existing _LEDs_ as _receivers_ in addition to senders!
        
           | iam-TJ wrote:
           | One caveat to note is the LED needs to be connected to a GPIO
           | port that the software can control.
           | 
           | That leads to the obvious question for high-value systems
           | that may be targeted - presumably fixed systems not
           | laptops/notebooks/tablets - are the activity/power LEDs
           | commonly connected via software-controlled GPIOs or mostly
           | part of the electronic circuit only ?
        
           | abi wrote:
           | Cool, good to know!
        
       ___________________________________________________________________
       (page generated 2022-02-11 23:00 UTC)