Platform-agnostic Low-intrusion Optical Data Exfiltration

Arthur Costa Lopes, Diego F. Aranha

2017

Abstract

Information leakage through covert channels is a growing and persistent threat, even for physical perimeters considered highly secure. We study a new approach to data exfiltration using a malicious storage device that subtly transmits data by blinking infrared LEDs. This approach could be used by an attacker trying to leak sensitive data stored on the device, such as credentials, cryptographic keys or a small classified document. An ideal application for this approach is when an attacker is capable of sneaking a malicious device inside a protected perimeter and has remote control over a camera inside that perimeter. The device can then collect information and transmit it directly to the attacker, without the need to recover the device to obtain the captured information, to erase evidence or to prevent a forensic investigation. We discuss techniques for improving communication efficiency up to 15 bits per second per LED, and possible countermeasures for mitigation.



Paper Citation


in Harvard Style

Costa Lopes A. and Aranha D. (2017). Platform-agnostic Low-intrusion Optical Data Exfiltration. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 474-480. DOI: 10.5220/0006211504740480


in Bibtex Style

@conference{icissp17,
author={Arthur Costa Lopes and Diego F. Aranha},
title={Platform-agnostic Low-intrusion Optical Data Exfiltration},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={474-480},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006211504740480},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Platform-agnostic Low-intrusion Optical Data Exfiltration
SN - 978-989-758-209-7
AU - Costa Lopes A.
AU - Aranha D.
PY - 2017
SP - 474
EP - 480
DO - 10.5220/0006211504740480