Jumping Air Gaps with Blinking Lights and Drones

Researchers have demonstrated how a malicious piece of software in an air-gapped computer can communicate with a nearby drone using a blinking LED on the computer.

I have mixed feelings about research like this. On the one hand, it's pretty cool. On the other hand, there's not really anything new or novel, and it's kind of a movie-plot threat.

Research paper.

EDITED TO ADD (3/7): Here's a 2002 paper on this idea.

Posted on March 3, 2017 at 6:48 AM • 21 Comments

Comments

Dr. I. Needtob Athe • March 3, 2017 7:15 AM

Yes, and the movie is Silent Running, where two little robots, which Bruce Dern calls "drones", give secret signals to each other with blinking lights as he's teaching them to play poker.

George H.H. Mitchell • March 3, 2017 7:29 AM

Once you have anything loaded onto the air-gapped computer, the game is over.

Peter A. • March 3, 2017 8:05 AM

Like anybody who's going to air-gap a computer will put it right next to an unobstructed window with a nice view of the countryside...

That's DEFINITELY a movie-plot scenario.

Jim A • March 3, 2017 8:24 AM

Until they figure out how to get the software ONTO the airgapped computer, this probably isn't that big an issue. Really, if somebody has a drone and a telephoto lens, a bigger problem would be them reading what was on the monitor through the window. Which is why one should be careful about the direction that your monitor sits on your desk, and any reflective surfaces.

Ph • March 3, 2017 8:29 AM

I bet you can also do something with spikes in CPU power read by power consumption/EMF fields that are readable with some equipment.

We used to do this stuff in our garage and called it 'hacking'.
It's just using the stuff for what it was not intended, but still able to do.

Arthur • March 3, 2017 8:55 AM

...But isn't the novel combination of already existing technologies & techniques the mother of all innovation... for advancement or maliciousness? Who knows what other hacking methods can be "created" by just combining off-the-shelf technologies... i.e. hypothetically: use a drone to plant a wifi tap or listening device on someone's house/powerlines, use a battery-operated hidden camera to monitor a subject's house to find the correct "time" to plant said listening device, etc.

Bruce Ediger • March 3, 2017 9:23 AM

Here's a 2002 paper on using router or modem LED flickering to read data transferred on networks:


Given the lack of windows/fake windows on buildings where cautious people do things they don't want others to know about, this isn't really a new thing. One good question about this sort of thing is has it ever been used In Real Life/Real Spying?

Who? • March 3, 2017 10:51 AM

Things may become simpler this way: read the blinkenlights from a webcam on a non-airgapped computer in the same room. Fewer chances to be discovered exfiltrating information from the airgapped computer than using something as obvious as a drone.

Sofa • March 3, 2017 11:00 AM

Bless you Bruce Ediger!

I have been looking for those articles for years, they predate my GMail account where I store that stuff and even my best GoogleFu couldn't find them. Thanks for posting them.

- Sofa

k15 • March 3, 2017 12:33 PM

If a web user started to wonder whether the internet in a supposedly free country had a censorship problem, how could they discern whether it did and, if it did, at what point the censorship was occurring?

jed • March 3, 2017 12:56 PM

saw some articles about Li-Fi (optical wi-fi) a few years ago. it was using LED room lights as the access point. maybe it's a good thing the idea never took off.

Ross Snider • March 3, 2017 1:56 PM

The reason to have a drone in this research is merely for headlines. The use of lights is not new and does not contribute to the field in any significant way.

Movie Plot Threat.

TRX • March 3, 2017 3:13 PM

> li-fi

Interesting. Sort of like the powerline networking thing, which goes back to the early 20th century when generator station operators would telegraph each other across the grid. It came back in the 1980s, when a company was selling network modules that plugged into the powerlines. They got bought by Novell, who abandoned it like they did so many other things.

Evan Harper • March 3, 2017 3:48 PM

Rather smacks of some young researchers with no really strong ideas going at the moment but an urgent need to get something published.

Not picking on your grammar • March 3, 2017 4:42 PM

Just observing.

@Evan Harper

> Rather smacks of some young researchers with no really strong ideas going at the moment but an urgent need to get something published.

Your usage of the word "smack" is closely related to Swedish smaka, "to taste."

Clive Robinson • March 3, 2017 5:03 PM

@ Bruce,

> On the one hand, it's pretty cool. On the other hand, there's not really anything new or novel, and it's kind of a movie-plot threat.

Cool yes, yup it's far from new or novel, however, it has been used so movie-plot not so much.

@ ALL,

As I've said a number of times on this blog before "serialized data" is rich in energy with high frequency components, and is conveniently picked up if you make a mistake and you get the energy to either radiate or conduct away from the signal circuit.

The earliest cases of this date back to WWI with the leakage from trench telephones that used "phantom circuits". The listening device used a couple of spikes driven into the ground a few feet apart and a couple of "magamps" wired up back to back to drive high impedance speakers. Later during WWII the US mil SigInt organisation looked at the output of the UK's One Time Tape link level super encryptor (modified Telekrypton / Rockex) based in the Rockefeller Center NY. They found that by looking on an oscilloscope it was due to relay timing issues possible to see the key stream thus strip it off to get back to the basic Typex message cipher. Various TEMPEST issues plagued the Rockex through various revisions. However it stayed in use for DWS/MI6 (as BID 08) mainline link traffic from 1940 through to the early 1980's. When I came across it people were often using it to keep mugs of tea warm due to the heat from the valves in the logic unit...

In later crypto equipment the "filament" lamp "health indicators" were replaced with LEDs... Unfortunately during the process somebody tried to "cost save" so designed out the CR and second NOR gate of the monostable multivibrator. The result was the LED flashed out the "key stream"...

Back in the last decade or so of the last century, there was a "fetish" of putting ICT equipment in glass walled rooms, often in plain sight of people in public spaces and adjacent buildings etc. The equipment being rack mounted had the front panel LEDs visible from quite a distance. It is known from that period that modems for Private Leased Lines had the same LED health indicator issues, thus the private data that was in plain text was transmitted out for all to see. And apparently a US bank discovered that their London branch was being "eavesdropped on" from an adjacent building that overlooked their comms racks... The "glass wall" issue continued until Gulf War I when the security industry became aware of the effects of HERF and EM Pulse guns...

Clive Robinson • March 3, 2017 6:05 PM

@ Jim A,

> Until they figure out how to get the software ONTO the airgapped computer, this probably isn't that big an issue.

As I've mentioned before many transducers are bidirectional, a LED can be used as a photo diode sensitive in the IR spectrum. You can go and buy a number of telescopes that work as well with IR as they do with visible light. You can also buy class three and above IR diode lasers that can be pulse modulated. If the LED is directly connected to a bidirectional MCU port pin then you have the potential for a line of sight air-gap crossing data communications system.

There are other tricks you can do with EM Fault Injection techniques, I independently discovered that you could disrupt a computer with a sufficiently high field strength EM carrier. Amongst other things it gets demodulated by diode junctions on the MCU chip, thus becomes a way to induce faults by injecting a voltage into the MCU pins and thus onto the chip. By various techniques you can use a low power EM field that gets cross modulated by the data on one or more signal traces and you can thus use it to detect trigger points in the software operation signature, and up the EM field strength to change the state of lines etc thus change the behaviour of the software...

I would rather the students at Ben Gurion Uni did original work in Active EM Fault Injection Attacks, than reboil thirty year old cabbage. The academic community has done very little on EM Attacks, which is a real shame because back in the 1980's when I was investigating them they were quite devastating...

u38cg • March 7, 2017 10:27 AM

> Your usage of the word "smack" is closely related to Swedish smaka, "to taste."

It is the same word, etymologically. To smack as to smack a child, or a lazy security researcher, is a different word. Lip-smacking, etc.
