aIR-Jumper: Covert air-gap exfiltration/infiltration via security cameras & infrared (IR)


Bibliographic Details
Published in: Computers & Security, Vol. 82, pp. 15-29
Main Authors: Guri, Mordechai; Bykhovsky, Dima
Format: Journal Article
Language: English
Published: Amsterdam, Elsevier Ltd, 01.05.2019 (Elsevier Sequoia S.A.)

Summary: Breaching highly secure networks with advanced persistent threats (APTs) has been proven feasible in the last decade; however, communication between the attacker outside the organization and the APT inside the organization is not possible if the compromised network is disconnected from the Internet. In this paper, we show how attackers can exploit surveillance cameras to establish covert communication between the air-gapped networks of organizations and remote attackers. We present bidirectional communication allowing inbound and outbound data transfer.

Infiltration. An attacker standing in a public area (e.g., in the street) uses near infrared light (NIR) to transmit hidden signals to the surveillance camera(s). Such NIR signals, at a wavelength of 800-900 nm, are invisible to humans, but cameras are optically sensitive to this type of light. Binary data is encoded and modulated on top of the IR signals. The signals hidden in the video stream are then intercepted and decoded by the malware residing in the internal network.

Exfiltration. Surveillance and security cameras are equipped with controllable IR LEDs which are used for night vision. We show that the malware can control the strength of the IR illumination. Sensitive data such as PIN codes, passwords, and encryption keys are then modulated, encoded, and transmitted over the IR signals. An attacker in a public area (e.g., in the street) with a line of sight to the surveillance camera records the IR signals and decodes the leaked information.

We discuss related work on air-gap covert channels and provide scientific background about our optical channel. Our evaluation shows that an attacker can establish bidirectional communication with the internal networks from distances of tens of meters to kilometers away via surveillance cameras and IR light.
ISSN: 0167-4048; 1872-6208
DOI: 10.1016/j.cose.2018.11.004