With talented hackers able to break into just about any device that's connected to the internet, from a computer to a car, the best way to keep sensitive data safe is to cut the cord completely. Keeping an "air gap" between a hard drive and other devices forces any would-be thief to physically go to the machine ... or so you might think. Cyber security researchers have shown that hackers could hijack the innocent flashing LED on the outside of a computer, and use it to beam a steady stream of data to a waiting drone.
For organizations that keep especially sensitive information, the safest option is usually to store it on an air-gapped computer, isolating it both physically and digitally from any network, be that the internet, an internal LAN or any other public connection. But it's not completely foolproof: digital criminals can be extremely crafty, using acoustic signals to jump the air gap between devices from a distance or untangling typed text by listening via Skype to the clickety-clack of a keyboard.
Now, a team at the Ben-Gurion University Cyber Security Research Center has demonstrated a new way that creative crooks could crack that isolated data. A piece of malware infecting an air-gapped computer could harness the hard drive's LED, making it flash in a very controlled and very fast manner. Flickering thousands of times a second, the virus could blink out a binary code of the desired data, at a rate that a human sitting at that computer wouldn't even notice. Special cameras or light sensors – say from a drone hovering at the window, with a line of sight to the LED – could then receive and record that information.
"Our method compared to other LED exfiltration is unique, because it is also covert," says Dr. Mordechai Guri, head of the research team. "The hard drive LED flickers frequently, and therefore the user won't be suspicious about changes in its activity."
Of course, for that to work the malware would need to get onto the computer in the first place, which is the issue that air-gapping is designed to beat. But it's far from impossible: the acoustic signals method above could transmit it, or a disgruntled employee with legitimate access could choose to (or be bribed to) manually install it.
Then there's the drone hovering outside the window ... perhaps closing the curtains should become standard operating procedure for maintaining cyber security.
The research is published online at arXiv. The team demonstrates the method in the video below.