Researchers have demonstrated that it’s possible for attackers to covertly exfiltrate data from and send data into an air-gapped network by using the infrared light capabilities of (indoor and outdoor) security cameras connected to it.
Infrared (IR) light is invisible to humans, but cameras are optically sensitive to it. They are also equipped with IR LEDs (used for night vision), which can be used to send out data.
Infiltration and exfiltration scenarios
The researchers have devised several encoding schemes for the data, and used the cameras’ own APIs to control the IR LEDs.
“In the exfiltration scenario, malware within the organization accesses the surveillance cameras across the local network and controls the IR illumination. Sensitive data such as PIN codes, passwords, and encryption keys are then modulated, encoded, and transmitted over the IR signals. An attacker in a public area (e.g., in the street) with a line of sight to the surveillance camera records the IR signals and decodes the leaked information,” researchers from Ben-Gurion University of the Negev and Shamoon College of Engineering (both in Israel) explained.
“In an infiltration scenario, an attacker standing in a public area (e.g., in the street) uses IR LEDs to transmit hidden signals to the surveillance camera(s). Binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals. The signals hidden in the video stream are then intercepted and decoded by the malware residing in the network.”
Data can be exfiltrated at a rate of 20 bit/sec per camera and infiltrated at a rate of over 100 bit/sec per surveillance camera; the transmission rates can be increased if the attackers use several cameras in parallel.
To receive the exfiltrated data, attackers must be positioned within tens to hundreds of meters of the target camera, provided they are in its line of sight. Sending data into the network through the camera can be done from hundreds of meters to kilometers away from the camera. If the attackers are not in the cameras’ line of sight, the maximum distance at which the techniques work is tens of meters.
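Both directions of the channel described above share one observable: IR light that switches on and off many times per second, whereas legitimate night-vision use toggles an illuminator only a handful of times a day. The following detector is an added example written from the defender's side; it is not the researchers' code and does not implement their encoding. It scores two constructed telemetry series, IR illuminator control states obtained from a camera's API or logs (the exfiltration side) and per-frame IR brightness of a region in the video stream (the infiltration side), and flags any camera whose toggle rate exceeds a threshold. The frame rate, the brightness threshold and the 0.5 toggles/sec cutoff are assumptions to tune per deployment.

```python
"""Heuristic detector for covert IR signalling via surveillance cameras.

Evidence sources (both constructed sample data below, not real telemetry):
  1. IR illuminator on/off state per frame, from the camera API or logs.
  2. Mean IR brightness of a fixed region per video frame.
Either series is reduced to a binary on/off sequence, and the number of
transitions per second is compared against a threshold that legitimate
night-vision switching never approaches.
"""
from typing import Dict, List, Sequence

FPS = 30.0                    # assumed sampling rate: one sample per video frame
MAX_TOGGLES_PER_SEC = 0.5     # assumed cutoff; dusk/dawn switching is far below this
BRIGHTNESS_THRESHOLD = 120.0  # assumed 8-bit brightness level separating "IR on" from "off"


def binarize(values: Sequence[float], threshold: float = BRIGHTNESS_THRESHOLD) -> List[int]:
    """Map a brightness series to 1 (at or above threshold) / 0 (below)."""
    return [1 if v >= threshold else 0 for v in values]


def toggle_rate(states: Sequence[int], fps: float = FPS) -> float:
    """Return the number of 0->1 and 1->0 transitions per second."""
    if len(states) < 2:
        return 0.0
    transitions = sum(1 for a, b in zip(states, states[1:]) if a != b)
    return transitions / (len(states) / fps)


def flag_suspicious(series: Dict[str, Sequence[int]],
                    max_toggles_per_sec: float = MAX_TOGGLES_PER_SEC,
                    fps: float = FPS) -> Dict[str, float]:
    """Return {camera: toggle_rate} for every camera above the cutoff."""
    flagged = {}
    for cam, states in series.items():
        rate = toggle_rate(states, fps)
        if rate > max_toggles_per_sec:
            flagged[cam] = rate
    return flagged


def bursty_pattern(n_frames: int, symbol_frames: int) -> List[int]:
    """Constructed binary series alternating every `symbol_frames` frames."""
    return [(i // symbol_frames) % 2 for i in range(n_frames)]


# --- Constructed sample 1: illuminator control states (exfiltration side) ---
# lobby-cam: off for 2 s, then night mode on for 3 s (one legitimate switch).
# parking-cam: illuminator flips every 3 frames for 5 s.
CONTROL_LOG: Dict[str, List[int]] = {
    "lobby-cam": [0] * 60 + [1] * 90,
    "parking-cam": bursty_pattern(150, 3),
}

# --- Constructed sample 2: per-frame region brightness (infiltration side) ---
# gate-cam: steady dim scene with small noise. yard-cam: a bright IR source in
# the field of view flips every 5 frames for 5 s.
BRIGHTNESS: Dict[str, List[float]] = {
    "gate-cam": [40.0 + (i % 3) for i in range(150)],
    "yard-cam": [200.0 if (i // 5) % 2 else 40.0 for i in range(150)],
}


def analyze_control_log(log: Dict[str, Sequence[int]] = CONTROL_LOG) -> Dict[str, float]:
    """Flag cameras whose illuminator control states toggle too often."""
    return flag_suspicious(log)


def analyze_video_brightness(frames: Dict[str, Sequence[float]] = BRIGHTNESS) -> Dict[str, float]:
    """Flag cameras whose in-frame IR brightness toggles too often."""
    return flag_suspicious({cam: binarize(v) for cam, v in frames.items()})


if __name__ == "__main__":
    for name, result in (("control log", analyze_control_log()),
                         ("video brightness", analyze_video_brightness())):
        for cam, rate in result.items():
            print(f"[{name}] {cam}: {rate:.1f} IR toggles/sec, above {MAX_TOGGLES_PER_SEC}")
```

The same transition-counting logic serves both sides because the defender does not need to decode anything: a camera whose IR state changes several times per second is anomalous regardless of the modulation scheme. Legitimate events such as dusk, dawn or a manual night-mode change produce one transition, so a short window with a low cutoff keeps the false-positive rate manageable, and the brightness path catches signalling from outside that never touches the camera's own API.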
The researchers have put forward a number of ideas for countermeasures to prevent these tactics. Some are more workable (scalable) and effective than others, but all have specific limitations:
This research is based on the presumption that the attackers have already managed to plant malware inside the air-gapped network. While that might be hard, it is not impossible, especially for highly motivated, resourceful and well-heeled attackers.