
Ops, hackers can exfiltrate data from air-gapped networks through malware controlled via a scanner

A group of Israeli researchers has devised a new technique to exfiltrate data from a PC in an air-gapped network through malware controlled via scanners.

The team was composed of Ben Nassi, a graduate student at the Cyber Security Research Center at Ben-Gurion University, and his advisor Yuval Elovici, based on an idea of the prominent cryptographer Adi Shamir.

The technique could be used by attackers to establish a covert communication channel between malicious code running on a target machine in an air-gapped network and the attacker outside.

The technique leverages a flatbed scanner, which the researchers used to send commands to their malicious code running inside the victim's network.

“Our method uses light transmitted by an attacker to a flatbed scanner, which is then extracted by a malware installed in the organization,” reads the paper published by the researchers. “Our method exploits an organization’s scanner which serves as a gateway to the organization, in order to establish a covert channel between a malware and an attacker. The attacker controlling the light source can be located far away from the targeted scanner.”

In order to transfer data from an air-gapped network, the researchers use a light source near the scanner, which then receives the commands.

The scanner detects the light reflected on its glass pane, translates it into binary and converts it into an image. Scanners are sensitive to any change of light in the surrounding environment, even when a sheet of paper is lying on the glass or when the light source is infrared.


The researchers transmitted the signal to the scanner by pointing a light at its glass pane. The commands are sent with a binary encoding obtained by turning the light on and off, and each command is enclosed between specific binary delimiter sequences (1001).

According to the researchers, the attacker can also send messages to the malicious code by hijacking an existing light source installed in the vicinity of the scanner, for example a smart bulb.

In the test conducted by the researchers, the team of experts was able to delete a file on the target system by sending the command “erase file xxx.doc” via a laser positioned on a stand outside a glass-walled building from 900 meters away.

In a real attack scenario, it is possible to use a drone equipped with a laser gun while flying outside an office window.

To conduct this kind of attack successfully, the malware must already be present on the target machine, and a scanner with an at least partially open lid must be connected to the PC in order to receive the light.

In a real attack scenario, the malicious code could infect the target network and then scan it searching for scanners. In order to avoid detection, the scan could start at nighttime or during the weekend, when the office is empty.

Looking at the transmission speed obtained with this technique, it took 50 milliseconds to transmit each bit of the command.

This means that a 64-bit message took about three seconds to be transmitted; the malware read the signal in real time and acknowledged receipt by triggering a second scan once the command sequence ended.

In another test conducted by the Israeli researchers, the team used the technique to trigger a ransomware attack, sending the command to encrypt data from a car in the parking lot. The attacker controlled the flickering lightbulb via Bluetooth from a Samsung Galaxy S4.

“The driver held a Samsung Galaxy S4 while driving in order to perform the attack from a dedicated application that we wrote and installed on the Galaxy. The application scans for a MagicBlue smart bulb and connects to it. After connection, the application modulates a given command as light sequence using a series of “on” (1 bit) and “off” (0 bit) signals sent over a BLE channel,” continues the paper.

The scanners used in the attack could detect changes in brightness from the smart bulb as small as a 5 percent reduction of light, in sequences lasting less than 25 milliseconds. An attack with these characteristics is invisible to the human eye.

The researchers say that a possible countermeasure is to disconnect scanners from internal networks, but this solution is not feasible due to the impact on the ordinary work of the employees of a target company.

The best countermeasure consists in setting up a proxy system whereby the scanner is connected by wire to a computer on the organization’s network that processes the data coming from the scanner; in this way the scanner isn’t directly connected to the network.

“However, we believe that a proxy based solution will prevent the attacker from establishing such a covert channel without the need to apply extreme changes. The scanner will be connected by a wire directly (e.g., using a USB interface) to a computer (proxy) within the organization’s network instead of being connected to the network. The proxy will provide an API. When a scanning request is received, the computer initiates a scan and processes the output in a classifier in order to detect malicious scan,” concluded the researchers.
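To make the proxy-side classifier concrete, here is an added Python example (not the researchers' code): it models a scan as the mean brightness of each image row, reads a row group at least 5 percent darker than the brightest level as a 0 bit, and flags any scan whose bit stream carries whole bytes framed by the 1001 delimiter described above. The rows-per-bit mapping, the brightness levels and the simulated scan are assumptions constructed for the demo.

```python
from typing import List, Optional

DELIM = [1, 0, 0, 1]     # framing sequence reported in the article
DIM_THRESHOLD = 0.05     # a 5% brightness drop is read as a 0 bit


def rows_to_bits(row_means: List[float], rows_per_bit: int) -> List[int]:
    """Quantize per-row brightness into bits. rows_per_bit (an assumption)
    is how many scan lines the head covers during one 50 ms bit period."""
    baseline = max(row_means)  # brightest level is the "light on" reference
    bits = []
    for i in range(0, len(row_means) - rows_per_bit + 1, rows_per_bit):
        level = sum(row_means[i:i + rows_per_bit]) / rows_per_bit
        bits.append(0 if level < baseline * (1 - DIM_THRESHOLD) else 1)
    return bits


def extract_framed_payload(bits: List[int]) -> Optional[List[int]]:
    """Return the whole bytes between the first and last DELIM, else None."""
    n = len(DELIM)
    hits = [i for i in range(len(bits) - n + 1) if bits[i:i + n] == DELIM]
    if len(hits) < 2:
        return None
    payload = bits[hits[0] + n:hits[-1]]
    return payload if payload and len(payload) % 8 == 0 else None


def bits_to_text(bits: List[int]) -> str:
    """Decode 8-bit ASCII groups, only to show the analyst what was framed."""
    return "".join(chr(int("".join(map(str, bits[i:i + 8])), 2))
                   for i in range(0, len(bits), 8))


def classify_scan(row_means: List[float], rows_per_bit: int):
    """Proxy-side check: returns (suspicious, decoded payload or None)."""
    payload = extract_framed_payload(rows_to_bits(row_means, rows_per_bit))
    return (True, bits_to_text(payload)) if payload else (False, None)


def simulate_scan(text: str, rows_per_bit: int,
                  on: float = 200.0, off: float = 188.0) -> List[float]:
    """Constructed sample input: a framed command rendered as row brightness
    ('off' is a 6% dip, just beyond the 5% threshold). Values are made up."""
    bits = DELIM + [int(b) for ch in text for b in format(ord(ch), "08b")] + DELIM
    return [on if b else off for b in bits for _ in range(rows_per_bit)]


if __name__ == "__main__":
    print(classify_scan(simulate_scan("erase", 4), 4))   # (True, 'erase')
    print(classify_scan([200.0, 199.0, 201.0] * 40, 4))  # (False, None)
```

A real proxy would replace the row-mean model with features from the actual scan image and ignore ordinary brightness gradients, but the framing check is what separates a modulated signal from a merely bright or dark scan.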

Below the PoC videos of the attacks:


Pierluigi Paganini

(Security Affairs – scanners, air-gapped network)
