[HN Gopher] Lasershark: Fast, bidirectional communication into a...

Lasershark: Fast, bidirectional communication into air-gapped systems
Author : dloss
Score : 123 points
Date : 2022-02-11 17:26 UTC (5 hours ago)
Link : intellisec.de

anfractuosity wrote:
Related to reading information from LEDs, thought this paper was cool - http://www.applied-math.org/optical_tempest.pdf (from 2002)

"Dial-up and leased-line modems were found to faithfully broadcast data transmitted and received by the device"

Edit: Also it looks like Loughry has proposed similar work, using lasers and LEDs https://arxiv.org/pdf/1907.00479.pdf

KennyBlanken wrote:
Research 10+ years ago found that activity lights on many network cards and switches at 10BaseT could reveal actual network traffic.

Very quickly, major device manufacturers switched to buffered activity LEDs and the attack became useless.

I remember at one point modems switched from flickering with actual traffic to just slow blinking with activity.

Jerrrry wrote:
you can exfiltrate data at a bit/hour through power consumption.

Run while(1){sin(cos(tan(rand(1))))} for 1, nothing for 0, every half hour, with a correctional bit thrown in for good measure.

measure the heat of the room via remote sensing, power consumption, AC/air frequency analysis.

the NSA will have to add a layer of thermodynamic static noise in addition to their rooms full of stereos blasting white noise.

a technically proficient attacker could infer the value of an encryption key given the GDP of the nation-state, if the data was granular enough.

extrapickles wrote:
Adding noise helps, but an attacker can trade bitrate for noise immunity.
Probably the only way of keeping data secure would be to heavily insulate (noise, thermal, RF, power, etc) the room so that any signal would take weeks to pass through the insulation, and then rotate your key material more often than that. Opening the door would have to dump power to the room before the door can be opened so an attacker couldn't leak data out when people entered/left.

Jerrrry wrote:
rotating the keys quicker than they can be exfiltrated, and expanded.

similar to the original reason password rotation exists - that the hashes of passwords to all users were known to all parties, and were assumed cracked after a certain timeframe - passwords were required to be changed before that cyclic window.

similarly, captchas for high-sensitive sites embed the domain in the captcha, and only allow the captcha for a small timeframe. it then has a delay to show/fetch the captcha challenge, and must be completed/expires quickly. this reduces the chance of a MitM attack or a phishing attack to nil.

ultimately, if you want to prevent information leakage, you'll have to create an event horizon surrounding the secret. and even then, Hawking predicts that black holes sweat, so even then, your 2^^8^^8 key is still derivable from collecting and de-entropizing the sweated muons of a photon-sphere.

*: unless you use reversible computing to generate the secret, then reverse the computation, but keep the result. this prevents people in the future from collecting information on current wave-states, barring entanglement.

dr_dshiv wrote:
What. The. F

bitexploder wrote:
The nuts and bolts of information theory, of course.
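The trade-off extrapickles describes (an attacker buys noise immunity by lowering the bitrate) and the key-rotation idea that follows from it can be made concrete. The script below is an added example, not code from the thread or from the Lasershark paper. It models any such covert channel abstractly as a binary channel in which added noise flips each sample with probability p, and the receiver recovers each bit by majority vote over n repeated samples (a repetition code). From the bit error rate the attacker is willing to accept it derives the samples per bit, the effective bitrate, and the time needed to move a key out, which is the bound a defender's rotation interval has to beat. The flip probability, the 1 kHz sample rate and the 256-bit key size are constructed assumptions.

```python
import random
from math import comb


def majority_vote_error(p, n):
    """Probability that a majority vote over n noisy samples decodes a bit wrongly.

    Each sample is independently flipped with probability p; n must be odd so
    there is never a tie.  This is the bit error rate of an n-fold repetition code.
    """
    if n % 2 == 0 or n < 1:
        raise ValueError("n must be a positive odd integer")
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k)
               for k in range((n + 1) // 2, n + 1))


def samples_per_bit_for_target(p, target_ber, max_n=9999):
    """Smallest odd n whose majority-vote error is <= target_ber, or None.

    Returns None when no n up to max_n suffices.  For p >= 0.5 the vote never
    helps: the channel carries no information however slowly it is used, which
    is the regime a defender's added noise would have to reach.
    """
    for n in range(1, max_n + 1, 2):
        if majority_vote_error(p, n) <= target_ber:
            return n
    return None


def exfil_time_seconds(key_bits, sample_rate_hz, samples_per_bit):
    """Seconds needed to move key_bits through the channel at this redundancy.

    A key rotated more often than this is stale before it has fully left.
    """
    return key_bits * samples_per_bit / sample_rate_hz


def simulate_ber(p, n, bits, seed=0):
    """Monte Carlo check of majority_vote_error.

    Sends `bits` random bits, each as n samples flipped with probability p,
    decodes by majority vote and returns the observed error fraction.  The
    seeded RNG keeps the result reproducible.
    """
    rng = random.Random(seed)
    errors = 0
    for _ in range(bits):
        bit = rng.randrange(2)
        votes = sum(bit ^ (1 if rng.random() < p else 0) for _ in range(n))
        decoded = 1 if votes > n // 2 else 0
        errors += decoded != bit
    return errors / bits


if __name__ == "__main__":
    # Constructed scenario: heavy added noise (30% of samples flipped),
    # a 1 kHz sample rate and a 256-bit key.
    p, rate_hz, key_bits = 0.3, 1000, 256
    for target in (1e-2, 1e-4, 1e-6):
        n = samples_per_bit_for_target(p, target)
        t = exfil_time_seconds(key_bits, rate_hz, n)
        print(f"BER<={target:g}: {n} samples/bit, {rate_hz / n:.1f} bit/s, "
              f"key out in {t:.1f} s -> rotate the key more often than that")
    print("measured BER at n=21:", simulate_ber(p, 21, 5000))
    print("channel with p=0.5 is useless:", samples_per_bit_for_target(0.5, 1e-2, 99))
```

The point the numbers make is the one extrapickles states: noise below the p = 0.5 line only slows the channel down, so a rotation policy has to be derived from the slowed-down rate rather than from the noise level alone.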
FredPret wrote:
> a technically proficient attacker could infer the value of an encryption key given the GDP of the nation-state, if the data was granular enough

I wonder if even knowing every transaction down to the cent is granular enough

aaaaaaaaaaab wrote:
> a technically proficient attacker could infer the value of an encryption key given the GDP of the nation-state, if the data was granular enough

Hm. So maybe the recent spike in inflation is just a series of ones in an RSA key?

forgotmyoldacc wrote:
How often are attackers hacking an air-gapped device but have line of sight? It seems fairly implausible.

locusofself wrote:
Right. In the SCIFs I have been in, if there even are windows, the blinds remain drawn at all times.

Ansil849 wrote:
> In the SCIFs I have been in, if there even are windows, the blinds remain drawn at all times.

Windows are discouraged in SCIF construction, though not outright against spec. Aside from visual controls like blinds/curtains, IR/RF controls like RF film over the glass panes are also mandatory.

alksjdalkj wrote:
I think it's common to have multiple systems on different airgapped networks in the same room. So if one of the networks were compromised this could let you pivot to another network. Or if they're both compromised it would give a way to exfil from one to the other.

phoe-krk wrote:
A telescope looking through a proper window at nighttime could be enough. Some LEDs are powerful enough to illuminate a large chunk of an otherwise dark room.

jaywalk wrote:
The point is that the air-gapped system would have to be compromised first.

0xCMP wrote:
_And not in a windowless room already_.

How many air gapped systems are running next to a window?

Although I guess you can use this as evidence: if it needs to be air-gapped it also needs to be in a windowless room or some kind of sealed container.
bentcorner wrote:
How long before we have people shooting cosmic rays at air-gapped systems in windowless rooms and measuring bit flips?

rgj wrote:
Most of the time the system is compromised before being in an air gapped setup, for instance in the supply chain.

[deleted]

adwww wrote:
You could potentially use a UAV for a sophisticated cyber attack on a specific system.

1970-01-01 wrote:
When you have sensitive data that needs to be air-gapped, but not so sensitive it can't be behind a pane of glass.

stevehawk wrote:
You would probably (not?) be surprised by the number of government buildings actively using classified data on computers that ignore the 2 major rules: 1) never have a monitor visible from outside of the building and 2) keep your window blinds closed. I spent a decade watching people actively ignore that rule.

jacquesm wrote:
And here I was thinking putting my monitors at right angles to the windows was paranoid :)

castillar76 wrote:
Wouldn't be the first time someone's put ultra-sensitive equipment in a glass box so they could "show it off to all the executives who come through". :)

jason-phillips wrote:
Behind pane-of-glass is not good enough, unfortunately. You typically have counter-measures in place to detect when someone is firing a laser at your exterior glass windows to exfiltrate data/IP. I assume it can/does happen.

Ansil849 wrote:
> You typically have counter-measures in place to detect when someone is firing a laser at your exterior glass windows to exfiltrate data/IP. I assume it can/does happen.

It does, either in films or intelligence lore, but not for all intents and purposes, in regular life (regular life including corporate espionage). As for counter-measures: curtains.

jason-phillips wrote:
I guess I don't live a "regular life", but those counter-measures exist where I've worked.
Ansil849 wrote:
Unless you were working for an intelligence agency, if your organization was sold TSCM against laser-based surveillance, then the organization was taken for a ride by the security contractor; you weren't also sold birds of prey to protect against UAS too, were you? (Yeah, that's a thing too [1]).

It's a bit like being sold flood protection insurance if your data warehouse is in the desert. In other words, it just doesn't happen realistically, and there are a million and one other much more practical technical surveillance counter measures to spend a likely very-limited security budget on.

[1] https://guardfromabove.com/

jason-phillips wrote:
This specific entity has suffered billions in losses due to IP theft in the past.

When your unit of accounting is such that six figures is a rounding error, they can afford it. And for good reason.

I wouldn't expect you to have knowledge of their operations. The only reason I do is because I was close with the head of security. But I will make sure to pass along your expert advice next time I'm there.

Ansil849 wrote:
No reason to get weirdly defensive. The reality is that realistically no one in the corporate espionage sector uses lasers to either exfiltrate or infiltrate data, because there are a million easier ways to do so which aren't a nightmare to implement. There has been a very, very, very tiny number of times lasers have been employed for state espionage, let alone corporate espionage.

[deleted]

gte525u wrote:
Flood insurance in the desert may be a bad example. There is a reason Arizona has the "stupid motorist" law and it has to do with soil dynamics in rain in the desert.
Ansil849 wrote:
Sure, the analogy is imperfect, but the point is if you just spend a sizable chunk of your physec budget to guard against a virtually-unused attack vector, you now have that much less to spend to guard against much more common threats like a break-in.

Fordec wrote:
Lots of electronics in industrial environments (e.g. ATEX ratings) in potentially explosive environments typically have this problem. But magnetic transfer is far lower data rate than this.

djinnandtonic wrote:
I don't understand why this is called an attack. Looks like just a (very cool!) communication protocol, over an unusual medium?

contingencies wrote:
_While LEDs are designed to emit light and can thus unnoticeably encode information through high-frequency flickering, their ability to also perceive light is largely unknown in the security community. In particular, by directing a laser on the LEDs of office devices, we induce a measurable current in the hardware that can be picked up by its firmware and used to receive incoming data._

They are firing a laser at an LED under the following assumptions.

1. They already have arbitrary code execution on the device but want to open a bidirectional communication channel.
2. It is possible to reprogram the GPIO port to function as an input (not always possible, since ports may be output only).
3. They can induce a large enough current through firing a laser at the LED to exceed the GPIO threshold voltage for said port.
4. They have a suitable line of sight to the LED, i.e. it is both facing them and not recessed, and there is no oblique or low-opacity window between them and the air-gapped asset.
5. They can get close enough to launch the attack.

squarefoot wrote:
I briefly skimmed the paper; it looks like they're using pwm but not at its full potential.
I would use it also as a synchronization means, that is, the attacker points the led/laser and receiver to the target led, the attacker sends a signal like say a 10% modulated pwm, save for a 50% wide start bit which marks the start of the word being transmitted, then the bits are modulated like 10% for 1 and 20% for 0, or the other way around. Basically, the attacker talks 20% of each cycle, and listens the remaining 80%. The target led can be then read to detect those signals and sync itself to the signal received so that when replying it just modulates the led during the remaining time of each duty cycle. The attacker just by maintaining the link will receive both the echo of its transmission and the target's reply. That's just an idea, however, I'm not implying I could be able to implement it effectively :).

etrautmann wrote:
Could an LCD display be used as a sensor?

giantrobot wrote:
IIRC the Apple Newtons used a thermocouple integrated into the LCD to help keep the contrast adjusted to the user-set level as the temperature of the device changed. There was at least one application that would read the current contrast setting of the screen and infer the temperature. I don't remember it being super accurate but it worked.

The Newtons had grayscale LCDs with manually adjusted contrast. The MP130 and later also had an electro-luminescent backlight but it was not always active. So the user contrast setting was very important to maintain for screen visibility.

upofadown wrote:
The display processor would have to have some way to turn off the backlight LEDs and then sense the voltage generated by the laser. It is unlikely that the signal would be able to get back through whatever power device controlled the backlight power to get to a processor pin. The rest of the LED strings would probably load the signal down.

jppope wrote:
I had to upvote just based on the name.
the doctor evil reference is hilarious

[deleted]

sigg3 wrote:
If you want to effectively bridge an airgap you compromise someone on the inside.

camjohnson26 wrote:
Reminds me of this tweet:

"Tech enthusiasts: My entire house is smart.

Tech workers: The only piece of technology in my house is a printer and I keep a gun next to it so I can shoot it if it makes a noise I don't recognize."

Honestly I'm starting to operate under the assumption that anything can be hacked with enough focus and determination. Obscurity isn't such a bad defense in the long run.

https://twitter.com/PPathole/status/1116670170980859905?s=20...

Terry_Roll wrote:
> Obscurity isn't such a bad defense in the long run.

Correct, and education can be seen as a form of mass brain washing employed by the state on the population. With that in mind, are private schools & colleges a breeding ground for criminals or certain beliefs and their easy access into strategic parts of society?
https://en.wikipedia.org/wiki/School_tie#Old_school_tie
https://en.wikipedia.org/wiki/Old_boy_network

I wonder how hard it would be to make this dual use and have it working as a laser microphone that can detect the sound vibrations on materials like glass windows?

Suddenly non contact blackout blinds become useful even in a conservatory!

batch12 wrote:
As a part of a defense-in-depth strategy, sure. Where we get in trouble is when it's the only layer.

buscoquadnary wrote:
To this I respond with the only valuable threat matrix for an individual I've ever seen.
Threat: Ex-girlfriend/boyfriend breaking into your email account and publicly releasing your correspondence with the My Little Pony fan club

Solution: Strong Passwords

Threat: Organized criminals breaking into your email account and sending spam using your identity

Solution: Strong passwords + common sense (don't click on unsolicited herbal Viagra ads that result in keyloggers and sorrow)

Threat: The Mossad doing Mossad things with your email account

Solution:
* Magical amulets?
* Fake your own death, move into a submarine?
* YOU'RE STILL GONNA BE MOSSAD'ED UPON

All credit to James Mickens for the above.

My point being that if someone is that committed to compromising your air gapped system they're going to find a way. Especially if they can just slip the janitor $10,000 to put a USB labelled "Barely Legal Gone Wild" into the machine while vacuuming.

na85 wrote:
> Especially if they can just slip the janitor $10,000 to put a USB labelled "Barely Legal Gone Wild" into the machine while vacuuming.

Part of Defensive Depth includes vetting and requiring the janitor who cleans the SCIF to themselves also hold a security clearance.

Your cited example is also why Counterintelligence is a thing. It's not enough to trust your processes; you also have to probe them.

When I was in the military I met a guy whose job was to pentest (among other things) nuclear weapons facilities and NORAD defense installations, specifically their computer equipment. He had some pretty wild stories; suffice it to say the ladder trick doesn't work when you are trying to access an ICBM solo.

alksjdalkj wrote:
> Part of Defensive Depth includes vetting and requiring the janitor who cleans the SCIF to themselves also hold a security clearance.

Sure, but no amount of vetting is going to be perfect.
Maybe the vetting missed something, maybe some circumstance changed between now and the most recent re-up, maybe instead of $10k it's $10M, etc.

A better solution is to physically disable the USB ports.

ahazred8ta wrote:
There are security testers in DC with a good track record of getting into government buildings. "Who are you and what are you doing here?" "I've brought chocolate cake." "Oooo!!"

kingcharles wrote:
Everyone will break. Even the janitor who passed clearance. Threaten his wife, see how long he cares about his clearance. When the government was trying to break me I was all macho, "I ain't saying shit", until the second they threatened to hurt my wife, then I was a little bitch who would have woofed and begged for treats had they asked.

closetohome wrote:
My old boss was very disturbed when we explained to him that our small business with one IT guy can't really defend against state-level actors who are intent on getting into our systems.

I'm still not sure why he was worried about that.

Ansil849 wrote:
> For our attacker model, we assume that an initial compromise has happened on the target device through the software supply-chain similar to the incidents at SolarWinds [8] and CodeCov [7]. For example, a regular update of the device's firmware might unnoticeably add the necessary code for sending and receiving data through a built-in LED.

I mean, sure, if you have the ability to compromise the airgapped device by running code on it then you could presumably be doing a lot of things besides just leveraging potential LED line of sight.

londons_explore wrote:
Lots of systems rely on air gaps heavily, and then aren't too worried what the software on the machines is up to. For example, if you are running a nuclear power plant and need a printer, you probably aren't going to be hiring a team of printer firmware developers.
You're just going to buy an off-the-shelf non-wifi printer, and use it offline.

Ansil849 wrote:
> you probably aren't going to be hiring a team of printer firmware developers. You're just going to buy an off-the-shelf non-wifi printer, and use it offline.

In such a scenario, you're also probably never, ever going to be manually updating the printer's firmware.

londons_explore wrote:
But there's a reasonable chance someone evil works for the printer company and every printer sold contains this backdoor.

Or the FedEx driver who delivered it to the nuclear plant flashed a modded firmware with the same version number?

How often have you disassembled your printer firmware and given it a decent audit?

Ansil849 wrote:
> But there's a reasonable chance someone evil works for the printer company and every printer sold contains this backdoor.

If your threat model does legitimately consider this to be a "reasonable chance", then your facility will be printer-free.

sam0x17 wrote:
Don't forget toner has firmware in it these days ;)

Ansil849 wrote:
Facts! But seriously, if we're talking about the realistic risks printers pose in most environments, it is not having data exfiltrated via LED signaling or other vanity supply chain injection attacks; the number one risk is by having staff not dispose of sensitive documents properly, whether it's leaving them out on their desk or just chucking them in the bin, or taking them home with them, etcetera.
Vanity attacks with branded names like this "Lasershark" sound sexy and appealing, because they invoke James Bond-style gadgetry and accompanying delusions of grandeur, but real life is decidedly more prosaic: someone is going to discover infinitely more intelligence while expending exponentially less time and energy by just good old fashioned dumpster diving than by designing and successfully implementing a novel airgap exfiltration methodology.

upsidesinclude wrote:
Agreed, this kind of thing always seems like a post-grad experiment to get grant money from the bureaucratic fear mongers. I had to sit through a symposium on quantum messaging with qubits via encrypted laser transmission. It was literally line-of-sight and required impossibly expensive field equipment....

upsidesinclude wrote:
Speaking with respect to non-nuclear builds, this is exactly how the military operates. USS and USNS vessels utilize off the shelf hardware for airgapped systems routinely, though USB device usage is strictly prohibited. In practice however, many unofficial semi-airgapped networks exist. Equipment may require specialized software that is not purchased, but licensed and can only be operated by a service technician. The tech brings a preloaded laptop of questionable provenance and initiates a firmware/software update and reboot. Every company is vetted to some degree and employs background investigation, to what effect is hard to determine.

WastingMyTime89 wrote:
The operating part of the network for safety critical installation is shielded from the rest of the network by a physical diode. This printer can receive data but can't send anything back.

bootwoot wrote:
The air-gap is specifically to prevent exfiltration of data. The air-gapped systems I have worked on had literally zero checking on software added to the system. But all the USB and media ports had super glue in them.
An exploit that can't talk to the outside world is not terribly useful in the general case, although it's become lucrative with the rise of ransomware.

closeparen wrote:
Or sabotage, as in Stuxnet.

Or privilege escalation, so that an insider threat can do more damage than otherwise possible.

I don't think "it's airgapped so vulnerabilities don't matter" really holds water.

_jal wrote:
> An exploit that can't talk to the outside world is not terribly useful in the general case

That's not true at all. Stuxnet eventually communicated with the outside world, in pretty spectacular fashion, and there are stories of other less well-documented attacks.

I would agree that attacking systems without a gateway generally takes more resources and discipline than something you can just reinfect on demand.

In a different direction, I've had to do some thinking about how to structure and use an always-offline CA. It is an interesting set of constraints.

jonititan wrote:
It's neat but the characterisation of the sensing potential of LEDs as relatively unknown is laughable. It's been known as far back as Forrest Mims' seminal books on circuits.

vajrabum wrote:
I'd guess that means that going forward security conscious people will be putting tape or covers over not only their cameras but also over their LEDs.

In high security settings the buildings have no windows or have fake windows to keep external laser signals out so that's not new. That's been true since about the time someone figured out you can reconstruct audio from the doppler of a laser reflected off windows.

t-3 wrote:
I already cover all the LEDs with electrical tape. Not for security, just because I hate unnecessary, over-bright blue lights shining everywhere.

sgc wrote:
I recently learned the black sharpie tip somewhere. It works like a charm.
suifbwish wrote:
Wouldn't they need physical access or at least line of sight to the machine for this? Lasers don't go through walls or metal.

Ansil849 wrote:
> or at least line of sight to the machine for this?

Correct, and not just line of sight, but static line of sight. The potential scenario here is something like if there is a desk phone on someone's desk visible from the window that you want to monitor (and you also manage to successfully install custom firmware on the phone).

abi wrote:
How do I go about installing a receiver in the air-gapped system in the first place? I'm a little confused on that.

bentcorner wrote:
The pre-print goes over the infiltration process - basically you shoot a laser at an LED on the air-gapped system, it induces a current, and you measure that current.

kybernetyk wrote:
Yes, and why not install a WiFi dongle instead if I have physical access?

lann wrote:
To this specific point, SCIFs (https://en.m.wikipedia.org/wiki/Sensitive_compartmented_info...) are (allegedly) protected by faraday cages.

tgsovlerkhgsel wrote:
This does not help with the initial compromise, but they demonstrate that with a _software-only change_, you can use existing _LEDs_ as _receivers_ in addition to senders!

iam-TJ wrote:
One caveat to note is the LED needs to be connected to a GPIO port that the software can control.

That leads to the obvious question for high-value systems that may be targeted - presumably fixed systems not laptops/notebooks/tablets - are the activity/power LEDs commonly connected via software-controlled GPIOs or mostly part of the electronic circuit only?

abi wrote:
Cool, good to know!

(page generated 2022-02-11 23:00 UTC)
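iam-TJ's question above (are the LEDs wired to software-controlled GPIOs, or are they purely part of the circuit?) can be answered for Linux-based devices from the LED class interface the kernel exposes under /sys/class/leds: every entry there is an LED that software can drive, its trigger file lists the available triggers with the active one in square brackets, and an active trigger of none means no kernel trigger owns it and userspace writes the brightness directly. LEDs driven purely in hardware (a PHY's own link LED, for instance) never appear there. The inventory script below is an added example, not code from the thread or from the Lasershark paper; it builds a constructed sysfs-like tree for the offline demonstration and, when run on a real machine, also reads the live directory. Caveat: sysfs only shows which LEDs software can light, not whether the pin can be reconfigured as an input, which is the board-level question contingencies' assumption 2 raises and which this script cannot answer.

```python
import os
import tempfile


def parse_trigger(text):
    """Parse a LED 'trigger' file such as 'none [mmc0] heartbeat'.

    Returns (active_trigger, available_triggers); the kernel marks the active
    trigger with square brackets.  Empty input yields (None, []).
    """
    active, available = None, []
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            token = token[1:-1]
            active = token
        available.append(token)
    return active, available


def inventory_leds(root="/sys/class/leds"):
    """List every LED the kernel exposes under root, sorted by name.

    Each entry records the active trigger, the available triggers, the maximum
    brightness and whether userspace drives the LED directly (trigger 'none').
    Returns an empty list when root does not exist, e.g. on a host with no
    LED class devices, so the check is safe to run anywhere.
    """
    leds = []
    if not os.path.isdir(root):
        return leds
    for name in sorted(os.listdir(root)):
        led_dir = os.path.join(root, name)  # real sysfs entries are symlinks; isdir follows them
        if not os.path.isdir(led_dir):
            continue
        entry = {"name": name, "active_trigger": None,
                 "available_triggers": [], "max_brightness": None}
        try:
            with open(os.path.join(led_dir, "trigger")) as f:
                entry["active_trigger"], entry["available_triggers"] = parse_trigger(f.read())
        except OSError:
            pass
        try:
            with open(os.path.join(led_dir, "max_brightness")) as f:
                entry["max_brightness"] = int(f.read().strip())
        except (OSError, ValueError):
            pass
        # Every LED listed here is reachable from software; 'none' means any
        # root process can set brightness at will, with no kernel trigger in the way.
        entry["userspace_driven"] = entry["active_trigger"] == "none"
        leds.append(entry)
    return leds


def build_sample_tree(root):
    """Create a constructed /sys/class/leds look-alike (sample data, not a real board)."""
    sample = {
        "led0:green:status": ("none [heartbeat] mmc0 netdev", "255"),
        "input1::capslock": ("[none] kbd-capslock", "1"),
    }
    for name, (trigger, max_brightness) in sample.items():
        d = os.path.join(root, name)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "trigger"), "w") as f:
            f.write(trigger + "\n")
        with open(os.path.join(d, "max_brightness"), "w") as f:
            f.write(max_brightness + "\n")
    return root


def demo_inventory():
    """Run the inventory over the constructed sample tree and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory_leds(build_sample_tree(tmp))


def report(leds):
    """Human-readable lines, one per LED."""
    return [f"{e['name']}: trigger={e['active_trigger']} max={e['max_brightness']}"
            f" userspace_driven={e['userspace_driven']}" for e in leds]


if __name__ == "__main__":
    print("constructed sample tree:")
    print("\n".join(report(demo_inventory())))
    live = inventory_leds()
    print(f"live /sys/class/leds: {len(live)} LED(s) reachable from software")
    print("\n".join(report(live)))
```

On a fixed system of the kind iam-TJ has in mind, an empty live list is the reassuring answer; a populated one is the list of LEDs whose behaviour an auditor would want to compare against the firmware that is supposed to own them.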