Data Exfiltration from Air-Gapped Systems: Exploring Covert Channels Using Camera LED Status Light…
2023-04-23 14:09:01 Author: infosecwriteups.com

Introduction:

Air-gapped systems, also known as isolated or segregated systems, are computers or networks that are physically disconnected from external networks, making it impossible for data to be transferred through traditional methods such as the internet or external storage devices. These systems are often used in high-security environments where the protection of sensitive data is of paramount importance. However, even air-gapped systems are not completely immune to data exfiltration, as creative attackers can find ways to breach these isolated systems using covert channels.

A covert channel is a communication channel that is used to transfer information in a manner that is not intended or authorized by the system’s owner. Covert channels can be used for malicious purposes, such as stealing sensitive data from an air-gapped system, as they allow attackers to bypass traditional security measures. In this blog, we will explore two covert channels that can be used for data exfiltration from air-gapped systems: the camera LED status light and screen brightness.

Camera LED Status Light as a Covert Channel: Most laptops and desktop computers have a built-in camera LED status light that turns on whenever the camera is in use. This LED light is designed to provide a visual indication to the user that the camera is active and capturing video. However, attackers can repurpose this LED status light as a covert channel to exfiltrate data from an air-gapped system.

The process of using the camera LED status light as a covert channel typically involves the following steps:

  1. Malware installation: The attacker installs malware on the air-gapped system, either physically or through other means such as social engineering or exploiting vulnerabilities in the system.
  2. Data encoding: The malware encodes the data that needs to be exfiltrated into Morse code.
  3. Controlling the camera LED status light: The malware gains control over the camera LED status light and modulates its state (e.g., turning it on/off or changing the intensity of the light) to transmit the encoded data.
  4. Data reception: A nearby external device with a light sensor or camera sensor, such as a smartphone or a camera, receives the encoded data by capturing the changes in the camera LED status light and decoding them back into the original data.

This covert channel allows attackers to transfer data from the air-gapped system to an external device without the need for a physical connection or network access. However, it requires close proximity between the air-gapped system and the receiving device, as the camera LED status light is typically only visible from a short distance.

Screen Brightness as a Covert Channel: Another covert channel that can be used for data exfiltration from an air-gapped system is screen brightness. The screen brightness of a computer monitor or a mobile device can be adjusted to different levels to provide visual feedback to the user. However, attackers can also use changes in screen brightness to encode and transmit data.

The process of using screen brightness as a covert channel is similar to using the camera LED status light:

  1. Malware installation: The attacker installs malware on the air-gapped system, either physically or through other means such as social engineering or exploiting vulnerabilities in the system.
  2. Data encoding: The malware encodes the data that needs to be exfiltrated into Morse code, which is then represented as changes in screen brightness.
  3. Controlling screen brightness: The malware gains control over the screen brightness settings of the air-gapped system and modulates the brightness levels to transmit the encoded data. This can be done by directly manipulating the brightness settings of the display driver or by leveraging the system’s backlight control.
  4. Data reception: A nearby external device with a light sensor or camera sensor receives the changes in screen brightness and decodes them back into the original data.

Similar to the camera LED status light, this covert channel also requires close proximity between the air-gapped system and the receiving device, as the changes in screen brightness may not be easily visible from a distance.

Proof-of-concept video demonstration of the above covert channels (embedded video not included in this copy).

Code: https://github.com/harishsg993010/AirgapExresearch/tree/main

Countermeasures: Data exfiltration through covert channels such as the camera LED status light and screen brightness can be challenging to detect and prevent, as they do not rely on traditional network communications or external storage devices. However, there are several countermeasures that can be implemented to mitigate the risk of data exfiltration from air-gapped systems:

  1. Strict access controls: Limit physical access to air-gapped systems and implement strict access controls to prevent unauthorized installation of malware or tampering with system settings.
  2. Regular security updates: Keep the operating system and software on air-gapped systems up-to-date with the latest security patches to prevent exploitation of vulnerabilities.
  3. Monitoring and detection: Implement monitoring and detection mechanisms that can detect unusual changes in system state, such as unexpected camera LED activity or rapid screen brightness changes, and raise alerts for further investigation.
  4. Behavioral analysis: Monitor and analyze the behavior of users and processes on air-gapped systems to detect any abnormal or suspicious activities that may indicate data exfiltration attempts.
  5. Physical security measures: Implement physical security measures such as surveillance cameras, access controls, and tamper-evident seals to prevent physical tampering with system components or installation of unauthorized hardware.
  6. Employee training: Educate employees about the risks of data exfiltration and the potential use of covert channels, and provide training on safe computing practices to minimize the risk of insider threats.
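The monitoring countermeasure above is easiest to reason about with a concrete detector. The following is an added example, not code from the post or from the linked repository: a host-side monitor that consumes (time, level) samples of the display backlight (or a camera LED, as 0/1 levels) and flags machine-driven on-off keying. Everything in it is an assumption for illustration: the sampling rate, the thresholds, the heuristic of "large swing plus more mid-level crossings per minute than a person would make", and the two constructed sample sets (one benign brightness adjustment, one keyed waveform with dot-, dash- and gap-like durations).

```python
"""Host-side optical covert-channel monitor (added example, not from the post).

Watches a stream of (time, level) samples from the display backlight, or from a
camera LED as 0/1 levels, and flags machine-driven on-off keying. All
thresholds and the sample data below are assumptions constructed for
illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: float    # seconds since the monitor started
    level: int  # backlight percentage 0..100, or 0/1 for a camera LED


def crossings(samples, threshold):
    """Times at which the level crosses `threshold` in either direction."""
    times = []
    above = samples[0].level > threshold
    for s in samples[1:]:
        now = s.level > threshold
        if now != above:
            times.append(s.t)
            above = now
    return times


def quantized_fraction(gaps, tolerance=0.25):
    """Share of gaps that are an integer multiple of the shortest gap.

    Keyed signals use a few fixed durations (dot, dash, letter and word gaps),
    so nearly every gap is a multiple of one base unit; human adjustments
    are not. Returns None when there are no gaps to judge.
    """
    if not gaps:
        return None
    unit = min(gaps)
    hits = sum(1 for g in gaps if abs(g / unit - round(g / unit)) <= tolerance)
    return hits / len(gaps)


def analyze(samples, max_toggles_per_min=6.0, min_swing=30):
    """Summarise a window of samples and decide whether it resembles keying.

    Assumed heuristics: a large peak-to-peak swing combined with more
    mid-level crossings per minute than a person plausibly makes. For a
    camera LED (levels 0/1) call with min_swing=1.
    """
    if len(samples) < 2:
        return {"suspicious": False, "reason": "too few samples"}
    levels = [s.level for s in samples]
    swing = max(levels) - min(levels)
    mid = (max(levels) + min(levels)) / 2
    times = crossings(samples, mid)
    minutes = (samples[-1].t - samples[0].t) / 60.0
    rate = len(times) / minutes if minutes > 0 else 0.0
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "swing": swing,
        "crossings": len(times),
        "toggles_per_min": rate,
        "quantized_fraction": quantized_fraction(gaps),
        "suspicious": swing >= min_swing and rate > max_toggles_per_min,
    }


HZ = 10  # sampling rate of the constructed data, samples per second


def benign_samples():
    """Constructed: the user lowers brightness from 80% to 40% once, at t=30s."""
    return [Sample(i / HZ, 80 if i < 300 else 40) for i in range(600)]


def keyed_samples(unit_s=0.2, high=100, low=20, repeats=3):
    """Constructed: a waveform of (on_units, off_units) blocks with dot-, dash-
    and gap-like durations, repeated, as a keyed display might look."""
    pattern = [(1, 1), (1, 1), (1, 3), (3, 1), (3, 1), (3, 3), (1, 1), (1, 1), (1, 7)]
    n = int(unit_s * HZ)  # samples per time unit
    levels = []
    for _ in range(repeats):
        for on, off in pattern:
            levels += [high] * (on * n) + [low] * (off * n)
    return [Sample(i / HZ, lv) for i, lv in enumerate(levels)]


if __name__ == "__main__":
    for name, data in (("benign", benign_samples()), ("keyed", keyed_samples())):
        print(name, analyze(data))
```

The benign window produces one crossing and is left alone; the keyed window produces dozens of crossings per minute whose gaps are all multiples of one base unit, which is the signature an analyst would look for in a backlight or LED telemetry stream. The quantized fraction is reported rather than used in the verdict because genuine sensor noise can also look regular over short windows.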

Limitations of these techniques

One limitation of using covert channels such as camera LED status light or screen brightness for data exfiltration from air-gapped systems is that the transfer speed can be relatively slow compared to traditional network-based methods. The transfer speed of data through these covert channels depends on various factors such as the encoding technique used, the distance between the air-gapped system and the receiving device, and the sensitivity of the light sensor or camera sensor used for data reception.

Due to the limited bandwidth of camera LED status light or screen brightness changes, the transfer speed may not be as fast as other methods of data exfiltration. For example, encoding data into binary using camera LED status light may result in a relatively low transfer speed, as the LED status light typically blinks at a slower rate compared to network-based communication channels. Similarly, using screen brightness changes to represent data may also result in a slow transfer speed, as the changes in brightness may not be easily visible or detectable from a distance.

The slow transfer speed of data exfiltration through covert channels such as camera LED status light or screen brightness can be a disadvantage for attackers who need to transfer a large amount of data quickly. However, it can also be an advantage in some scenarios where the attackers prioritize stealth over speed, such as in targeted attacks or espionage activities where the focus is on avoiding detection rather than transferring data quickly.

It’s important to note that the transfer speed of data exfiltration through covert channels can vary depending on the specific implementation and the capabilities of the hardware and software used. Attackers may also employ techniques to optimize the transfer speed, such as using sophisticated encoding techniques or leveraging other factors that can affect the brightness of the screen or LED status light, such as screen flickering or using multiple LED lights simultaneously. Therefore, organizations should not solely rely on the assumption of slow transfer speeds as a security measure, but rather implement a comprehensive set of security measures to mitigate the risk of data exfiltration through covert channels.
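To turn the "slow but not safe" point above into a number an organization can use in a risk assessment, here is an added example (not code from the post or the linked repository) that estimates how long a Morse-over-light channel needs to move a payload. It uses the standard Morse timing ratios (dot 1, dash 3, gap 1 within a letter, 3 between letters, 7 between words) and assumes that binary data would be sent as two hexadecimal digits per byte; the dot durations and payload sizes are assumptions chosen for illustration.

```python
"""Morse-over-light channel capacity estimate (added example, not from the post).

Sizes the exposure of the channel the post describes: how long an on-off keyed
light needs to move a payload. Timing ratios are the standard Morse ones; the
hex-per-byte assumption, dot lengths and payload sizes are assumptions.
"""
MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..", "0": "-----", "1": ".----", "2": "..---",
    "3": "...--", "4": "....-", "5": ".....", "6": "-....", "7": "--...",
    "8": "---..", "9": "----.",
}
# Standard Morse timing, in multiples of the dot length.
DOT, DASH, SYMBOL_GAP, LETTER_GAP, WORD_GAP = 1, 3, 1, 3, 7
HEX_DIGITS = "0123456789ABCDEF"


def letter_units(ch):
    """Time units to key one letter or digit, including the gaps inside it."""
    code = MORSE.get(ch.upper())
    if code is None:
        raise ValueError(f"unsupported character: {ch!r}")
    on = sum(DOT if s == "." else DASH for s in code)
    return on + SYMBOL_GAP * (len(code) - 1)


def text_units(text):
    """Time units to key `text`; a space is a word gap that replaces the
    letter gap on either side of it."""
    total = 0
    prev_letter = False
    for ch in text:
        if ch == " ":
            total += WORD_GAP
            prev_letter = False
        else:
            if prev_letter:
                total += LETTER_GAP
            total += letter_units(ch)
            prev_letter = True
    return total


def hex_units_per_byte():
    """Average time units for one arbitrary byte sent as two hex digits,
    each followed by a letter gap (averaged over all 16 digits)."""
    avg = sum(letter_units(c) + LETTER_GAP for c in HEX_DIGITS) / len(HEX_DIGITS)
    return 2 * avg


def seconds_for_payload(n_bytes, dot_s):
    """Seconds needed to move `n_bytes` at a dot length of `dot_s` seconds."""
    return n_bytes * hex_units_per_byte() * dot_s


def bytes_per_second(dot_s):
    """Sustained throughput of the channel at a dot length of `dot_s`."""
    return 1.0 / (hex_units_per_byte() * dot_s)


if __name__ == "__main__":
    # The reference word "PARIS" followed by a word gap is 50 units, the
    # conventional basis for Morse words-per-minute figures.
    print("PARIS + word gap:", text_units("PARIS "), "units")
    for dot_s in (0.5, 0.1, 0.02):  # assumed dot lengths, slow to fast
        print(f"dot={dot_s:.2f}s  {bytes_per_second(dot_s):.2f} B/s  "
              f"1 KiB in {seconds_for_payload(1024, dot_s) / 60:.1f} min  "
              f"64 KiB in {seconds_for_payload(65536, dot_s) / 3600:.1f} h")
```

With a 0.1 s dot (a rate a phone camera resolves comfortably), one byte costs about 2.9 s and a kilobyte about 49 minutes; a credential file or a key fits in a single unattended lunch break, which is the point the paragraph above makes about not relying on low bandwidth as a control.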

In conclusion, while using covert channels such as the camera LED status light or screen brightness for data exfiltration from air-gapped systems can be a slow process, it is still a potential threat that organizations should be aware of and take appropriate security measures to prevent. Regular risk assessments, monitoring for unusual activities, and implementing strict access controls can help mitigate the risk of data exfiltration through covert channels, even though the transfer speed may be slow.


Article source: https://infosecwriteups.com/data-exfiltration-from-air-gapped-systems-exploring-covert-channels-using-camera-led-status-light-aba69efe433c?source=rss----7b722bfd1b8d--bug_bounty