This month, a small quadcopter drone lifted off from the parking lot of Ben-Gurion University in Beersheba, Israel.
It soon trained its built-in camera on its target, a desktop computer’s tiny blinking light inside a third-floor office nearby.
The pinpoint flickers, emitting from the LED hard drive indicator that lights up intermittently on practically every modern Windows machine, would hardly arouse the suspicions of anyone working in the office after hours.
But in fact, that LED was silently winking out an optical stream of the computer’s secrets to the camera floating outside.
That data-stealing drone, shown in the video below, works as a Mr. Robot-style demonstration of a very real espionage technique.
A group of researchers at Ben-Gurion’s cybersecurity lab has devised a method to defeat the security protection known as an “air gap,” the safeguard of separating highly sensitive computer systems from the internet to quarantine them from hackers.
If an attacker can plant malware on one of those systems—say, by paying an insider to infect it via USB or SD card—this approach offers a new way to rapidly pull secrets out of that isolated machine.
Every blink of its hard drive LED indicator can spill sensitive information to any spy with a line of sight to the target computer, whether from a drone outside the window or a telescopic lens from the next roof over.
In this way the Israeli researchers have found a a new system to attack isolated computers by taking control of their LED indicators, which are forced to blink up to 6,000 times a second to send a signal containing data to a camera mounted on a drone near the targeted computer.
The technique specifically targets so-called “air-gapped” computers, which are cut off from the Internet and company networks, making them the most challenging targets for hackers.
Consequently, they typically carry the most sensitive information.
The LED control method, which makes it possible to steal data from isolated computers while raising minimum suspicion, was devised by researchers of the Negev (BGU) Cyber Security Research Center at Ben-Gurion University.
“The LED is always blinking as it’s doing searching and indexing, so no one suspects, even in the night. It’s very covert, actually,” researcher Mordechai Guri said, as cited by the Wired.
In a demonstration video, a drone is shown navigating into the line of sight of a computer. Once the drone locates the target, malware starts transmitting data via a hard drive LED indicator, which blinks the signal to the built-in camera on the drone.
According to the researchers, the data can be transferred at rate as fast as 4,000 bits per second with a specialized Siemens photodiode sensor on the drone.
The blinking can be recorded by a camera and deciphered later.
The LED can be forced to blink at a rate of up to 6,000 times per second, which is indiscernible for humans, but potentially readable for light sensors.
“It’s possible for the attacker to do such fast blinking that a human never sees it,” Guri noted.
Of course, the technique relies on the computer being infected prior to the transmission, which can be accomplished using a USB stick or SD card.
While this type of attack is novel and hard to detect, it has one obvious drawback: the computer’s LEDs can simply be covered.
