How your screen’s brightness could be leaking data from your air-gapped computer
It may not be the most efficient way to steal data from an organisation, let alone the most practical, but researchers at Ben-Gurion University in Israel have once again detailed an imaginative way to exfiltrate information from an air-gapped computer.
On this occasion the team of boffins have devised and demonstrated a method for stealing data by watching out for tiny changes to the brightness of the targeted computer’s LCD screen – imperceptible by the human eye.
As the researchers describe in a white paper, the so-called BRIGHTNESS technique doesn’t attempt to steal information actually displayed on an air-gapped computer’s monitor, but instead collects data being sent surreptitiously through manipulations of the screen’s brightness – by malware pre-installed on the computer.
“This covert channel is invisible and it works even while the user is working on the computer. Malware on a compromised computer can obtain sensitive data (e.g., files, images, encryption keys and passwords), and modulate it within the screen brightness, invisible to users. The small changes in the brightness are invisible to humans but can be recovered from video streams taken by cameras such as a local security camera, smartphone camera or a webcam.”
In a video demonstration, the researchers show how it was possible to exfiltrate the text of A A Milne’s children’s classic “Winnie the Pooh” through the method.
This is all very clever. But what it isn’t, of course, is very practical.
And one of the main reasons for that is that the targeted computer has to have been already compromised in the first place before then trying to transmit the data in such an unusual and elaborate fashion.
Secondly, criminals still need a way of infecting the air-gapped target computer in the first place, in order to exfiltrate data from it. Remember, this is a computer that is not connected to any network, is not on WiFi, and probably has tight controls over who can physically access it.
That doesn’t make infection impossible, of course.
Imagine, for instance, malware planted on a USB stick known to be used by staff who use the computer, or the opportunities for meddling that might have made themselves available in the supply chain, or if an employee of the targeted organisation was secretly working for the attackers.
But it does make things much trickier.
Thirdly, the attackers need to also have visibility of the targeted computer’s monitor – whether that be through having additionally compromised a security camera, or having planted a camera in the vicinity of the device holding the desired data, or just an awfully good long distance view through a helpfully-positioned window.
It feels like an awful lot of effort to go to, and far beyond the desire of the typical cybercriminal. My feeling is that in many cases if you really wanted to get your paws on the data on that computer there might be easier ways to get it than this – some of which may involve kinetic attacks or pressure being applied to staff who work for the organisation.
In short, full marks for creativity – but this isn’t a threat I’m going to lose any sleep over.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.