Malware can manipulate blinking hard drive LEDs to steal data from secured systems

In February 2017, security researchers at Ben-Gurion University of the Negev in Israel published their findings on a new technique for stealing data from secured systems. Secured systems are frequently air-gapped, that is, physically isolated from the internet and from other networks, which blocks conventional network-borne attacks and remote exfiltration. To steal data anyway, the attacker deploys custom malware onto the target system which causes its hard drive activity LED to blink at very rapid intervals; to the human eye the light appears to stay on rather than switching on and off.

While this is happening, the LED is held on to represent a binary 1 and off to represent a 0. The researchers found that blue LEDs gave the best results for their purposes. A video recording of the flickering light can therefore carry entire files, although the low bit rate means small files are the realistic targets. The malware's primary purpose is to steal encryption keys, user credentials (usernames and passwords) and keystrokes logged on the system. Suitable receivers include airborne drones fitted with cameras, CCTV cameras and the cameras built into cell phones.
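To make the encoding above concrete, here is an added example (not the researchers' code) that models the channel in its simplest form: one LED state per camera frame, lit for 1 and unlit for 0. The preamble, the 16-bit length header, the brightness levels and the decision threshold are assumptions made for this illustration and are not taken from the original paper; the "camera recording" is constructed in code.

```python
"""Toy model of the LED covert channel described in this article.

This is an added example, not code from the researchers. It uses the simplest
scheme the text describes: one LED state per camera frame, lit = 1, unlit = 0.
The preamble, length header, brightness levels and threshold below are
assumptions made for this illustration, not values from the original paper.
"""
import random
from typing import List

PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]  # assumed sync pattern so the receiver finds the start
ON_LEVEL = 255    # constructed brightness a camera records for a lit LED
OFF_LEVEL = 20    # constructed brightness for an unlit LED (ambient light)
THRESHOLD = 128   # assumed decision level between "on" and "off"


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit list, e.g. b'\\x05' -> [0, 0, 0, 0, 0, 1, 0, 1]."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Inverse of bytes_to_bits; trailing bits that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def encode_frames(secret: bytes) -> List[int]:
    """Sender (malware on the air-gapped host): the LED state for each frame.

    Layout: PREAMBLE, 16-bit big-endian payload length, then the payload bits.
    """
    if len(secret) >= 1 << 16:
        raise ValueError("payload too large for a 16-bit length field")
    header = bytes([len(secret) >> 8, len(secret) & 0xFF])
    return PREAMBLE + bytes_to_bits(header + secret)


def simulate_camera(frames: List[int], idle_frames: int = 5, seed: int = 1) -> List[int]:
    """Constructed camera recording: one brightness sample per frame, with idle
    (LED off) frames before and after the transmission and deterministic noise."""
    rng = random.Random(seed)
    states = [0] * idle_frames + frames + [0] * idle_frames
    return [(ON_LEVEL if s else OFF_LEVEL) + rng.randint(-30, 30) for s in states]


def decode_samples(samples: List[int]) -> bytes:
    """Receiver (camera side): threshold the brightness, sync on the preamble,
    read the length header, then reassemble the payload bytes."""
    bits = [1 if s >= THRESHOLD else 0 for s in samples]
    n = len(PREAMBLE)
    for start in range(len(bits) - n + 1):
        if bits[start:start + n] != PREAMBLE:
            continue
        payload = bits[start + n:]
        if len(payload) < 16:
            break  # recording ended before the length field
        length = int.from_bytes(bits_to_bytes(payload[:16]), "big")
        body = payload[16:16 + length * 8]
        if len(body) < length * 8:
            raise ValueError("recording ended before the payload was complete")
        return bits_to_bytes(body)
    raise ValueError("no preamble found in recording")


def channel_seconds(payload_bytes: int, frames_per_second: float) -> float:
    """Time to exfiltrate payload_bytes at one bit per camera frame. This is
    why small files such as keys and credentials are the realistic targets."""
    frames = len(PREAMBLE) + 16 + payload_bytes * 8
    return frames / frames_per_second


if __name__ == "__main__":
    secret = b"aes-key:0123456789abcdef"  # constructed sample payload
    recording = simulate_camera(encode_frames(secret))
    print(decode_samples(recording))
    print(f"{channel_seconds(1024, 30):.1f} s for 1 KiB at 30 fps")
```

At one bit per frame a 1 KiB key takes several minutes of recording from an ordinary 30 fps camera, which is why the real receiver matters: a fast camera or a dedicated light sensor can sample the LED far faster than a phone can, while the constructed idle frames and noise show the receiver must both find the start of the transmission and tolerate ambient light.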

The attack is innovative and demonstrably works, but it poses a less severe risk than it may at first appear. Although an airborne drone could observe a secured system from outside a building, the system's LED must be in the drone's line of sight, and many secured rooms and locations have no externally visible windows.

In addition, before any data can be stolen the attackers must first compromise the system with custom malware that drives the activity LED in the pre-defined pattern. Notably, however, the attack does not require administrator rights on the secured system in order to succeed.

How can I protect myself from this threat?
If you administer secured systems (air-gapped or otherwise), you should ensure they are located where they cannot be seen from outside the building.

Other countermeasures include permanently disabling or physically covering the hard drive activity LEDs, physically securing the system's USB ports to prevent the malware being installed in the first place, and application whitelisting (e.g. AppLocker on Windows) so that unapproved executables cannot run. The integrity of a secured system can also be verified by comparing hashes of its contents against those taken from a known-good system.
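The following is an added example of the hash-based integrity check mentioned above; it is not part of the original article. A baseline of SHA-256 digests is taken from a known-good system, re-computed later on the secured system, and the two are diffed. The directory tree, file contents and the "dropped" binary are constructed for the demonstration.

```python
"""Added example of the hash-based integrity check suggested above; it is not
part of the original article. A baseline of SHA-256 digests is taken from a
known-good system, then re-computed on the secured system and diffed. The
directory tree below is constructed for the demonstration."""
import hashlib
import pathlib
import tempfile
from typing import Dict, List


def hash_tree(root: str) -> Dict[str, str]:
    """SHA-256 of every regular file under root, keyed by relative POSIX path."""
    base = pathlib.Path(root)
    digests: Dict[str, str] = {}
    for path in sorted(base.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # hash file content only; a symlink would hash its target
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        digests[path.relative_to(base).as_posix()] = h.hexdigest()
    return digests


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files that appeared, disappeared, or changed content since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "missing": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then simulate a dropped binary
    and an edited config on the 'secured' system, and report the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF constructed service binary")
        (root / "etc" / "service.conf").write_text("led_activity=on\n")

        baseline = hash_tree(tmp)  # in practice stored off the system, ideally signed

        # Constructed attacker-style changes: a new executable and a modified config.
        (root / "bin" / "ledflash").write_bytes(b"\x7fELF constructed dropper")
        (root / "etc" / "service.conf").write_text("led_activity=on\nexfil=1\n")

        return compare(baseline, hash_tree(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Keep the baseline off the secured system (or at least signed) so that malware cannot rewrite it along with the files it changes, and remember that this check only detects what has changed on disk; it says nothing about whether the LED was already observed.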

Thank you.
