Air Gap Beaten by Printer

Monday, October 20, 2014 @ 04:10 PM gHale

It is time to put the notion of an air gap to rest.

Even systems thought to be in an air-gapped environment are not safe. An all in one printer can end up an attack vector for a smart bad guy. Just ask cryptographer Adi Shamir, co-inventor of the RSA cryptographic system, and researchers Yuval Elovici and Moti Guri from Ben-Gurion University in Israel.

ICS Attack Responses
Espionage Group Targets NATO, EU
Insider Threat ‘Underestimated:’ DHS
Breaking Down an Insider Attack

In theory, if a malicious program ends up installed on an air-gapped computer by an unsuspecting user via, say, a USB thumb drive, attackers should have a hard time controlling the malicious program or stealing data through it because there is no Internet connection. Getting in is the easy part, but just how do you get information out, and how can you send in an attack message?

The researchers found if a multifunction printer end up attached to such a computer, attackers could issue commands to a malicious program running on it by flashing visible or infrared light at the scanner lid when open.

Shamir presented the attack, which he called Scangate, Thursday during his keynote at the Black Hat Europe security conference in Amsterdam.

The researchers said if a source of light points repeatedly at the white coating on the inside of the scanner’s lid during a scanning operation, the resulting image will have a series of white lines on darker background. Those lines correspond to the pulses of light hitting the lid and their thickness depends on the duration of the pulses, Shamir said.

Using this observation the researchers developed Morse code to send pulses of light at different intervals and interpret the resulting lines as binary data—1s and 0s. Malware running on an air-gapped system could end up programmed to initiate a scanning operation at a certain time — for example, during the night — and then interpret the commands sent by attackers using the technique from far away.

Shamir estimated several hundred bits of data can end up sent during a single scan. That’s enough to send small commands to activate functionality built into the malware.

The researchers successfully tested the attack from 200, 900 and 1,200 meters against a computer and printer located in a building in Beersheba, Israel, where EMC, Oracle and other big companies have research centers. They used a laser to flash visible light at the window of the office housing the scanner, illuminating the room.

Using a more powerful laser could produce reliable results from up to 5 kilometers away, according to Shamir. An attacker would likely use infrared light because it’s invisible to the naked eye, but the researchers only tested with infrared light over a short distance because using a high-powered infrared laser can be harmful to people’s eyesight.

Instead of waiting for the malware to initiate a scan, attackers could also wait until a person in the office scans a document with the lid open and then run their attack. In that case, the lines would appear on the sides of the scanned document because of the scanner’s larger surface that leave an uncovered border.

The researchers also found a way for the malware to send data back to the attackers by using the light produced by the scanner itself. Since the malware can initiate and cancel scanning operations, attackers can derive information from the amount of time the scanner’s light is on and reflects off the opened lid.

This is not as efficient as receiving commands, but can work to exfiltrate a few bits of data at a time. It is possible to repeat the operation to eventually exfiltrate critical information, like encryption keys, Shamir said.

Detecting the light generated by the scanner from far away would require very sensitive equipment and if the computer is in an office on a higher floor, the attacker would have a hard time getting good visibility. This can end up solved by using a quadcopter drone to get closer and observing the scanner from a better angle, Shamir said.

The technique is similar to the side-channel attacks that can derive cryptographic keys by analyzing a computer system’s power consumption, electromagnetic leaks or even sound during a cryptographic operation.

There are other examples of air-gapped systems suffering infection. The Stuxnet virus developed by the U.S. and Israeli intelligence services, hit air-gapped computers at Iran’s nuclear facility in Natanz through USB drives.

Leave a Reply

You must be logged in to post a comment.