Using screen brightness to steal data from Air-gapped computers


An air-gapped computer is isolated from unsecured networks, meaning that it is not directly connected to the internet, nor is it connected to any other system that is connected to the internet. A true air-gapped computer is also physically isolated, meaning data can only be passed to it physically (via USB, removable media or a FireWire link to another machine).

You will tend to find air-gapped computers in high-security environments, think classified military networks and payment networks. Here are some more examples of networks or systems that might be air-gapped:
  • Military computer systems and networks
  • Government computer systems and networks
  • Financial computer systems and networks
  • Industrial control systems: SCADA
  • Life-critical systems: Nuclear power plants
  • Aviation Computers: FADECs & Avionics
  • Medical Equipment
Interestingly, as more and more devices come online and become “smart,” a number of products that have traditionally been air gapped like thermostats, electronic sprinklers and automobile components are now connecting to the public internet.

So can we conclude that air-gapped computers are totally secure? Well, not from Tom Cruise in Mission: Impossible. It may sound creepy and unreal, but hackers can also exfiltrate sensitive data from your computer by simply changing the brightness of the screen, new cybersecurity research shared with The Hacker News revealed.

In recent years, several cybersecurity researchers demonstrated innovative ways to covertly exfiltrate data from a physically isolated air-gapped computer that can't connect wirelessly or physically with other computers or network devices.

These clever ideas rely on exploiting little-noticed emissions of a computer's components, such as light, sound, heat, radio frequencies, or ultrasonic waves, and even using the current fluctuations in the power lines.

Potential attackers could, for instance, sabotage a supply chain to infect an air-gapped computer, but they can't always count on an insider unknowingly carrying a USB stick with the data back out of a targeted facility.

When it comes to high-value targets, these unusual techniques, which may sound theoretical and useless to many, could play an important role in exfiltrating sensitive data from an infected but air-gapped computer.



How does this attack work?

The BRIGHTNESS attack is a new covert optical channel through which attackers can steal data from air-gapped computers without network connectivity or physical contact with the devices. The channel is invisible, and it works even while the user is working on the computer. Malware on a compromised computer can obtain sensitive data (e.g., files, images, encryption keys and passwords) and modulate it into the screen brightness without the user noticing. The fundamental idea behind encoding and decoding is the same as in the earlier covert channels: the malware encodes the collected information as a stream of bytes and then modulates it as a '1'/'0' signal.

The attack uses small changes in LCD screen brightness, invisible to the naked eye, to covertly modulate binary information in Morse-code-like patterns. In an LCD screen, each pixel presents a combination of RGB color components that together produce the required compound color. In the proposed modulation, the RGB color component of each pixel is slightly changed. These changes are invisible because they are relatively small and occur quickly, up to the screen refresh rate, so the overall color change of the image on the screen is not noticeable to the user. The attacker, on the other hand, can collect this data stream by video recording the compromised computer's display with a local surveillance camera, smartphone camera or webcam, and can then reconstruct the exfiltrated information using image-processing techniques.
Despite being unusual and potentially threatening, the BRIGHTNESS attack has many limitations.
First, the probability of this attack on general systems is very low due to the sophistication of the attack setup. Second, the maximum transmit speed recorded by the researchers is 5-10 bps, which is still very low for extracting large volumes of data. However, one can still exploit this attack for short but dangerous data exfiltration, such as stealing encryption keys.

Furthermore, users can easily mitigate the BRIGHTNESS attack by using polarized film on the systems’ screens. This will darken the display when viewed through a camera, thus minimizing the chances of recording screen brightness fluctuations.
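To make the mechanism above concrete, here is an added simulation of the channel as a signal-processing problem. It is not code from the original research or from this post: it models the sender as a per-frame mean brightness (on-off keying, a small offset DELTA for a '1' bit held for a few frames), the camera as that brightness plus Gaussian sensor noise, and the receiver as a slot-averaging threshold detector that calibrates its '0' and '1' levels from a known preamble. All constants (BASELINE, DELTA, FRAMES_PER_BIT, NOISE_SD, PREAMBLE) and the attenuation factor used to stand in for a polarized film are constructed assumptions; the article only states that the per-pixel change is small and that the observed rate was 5-10 bps.

```python
import random
import statistics

# Constructed simulation parameters (assumptions, not values from the article).
BASELINE = 128.0        # mean grey level of whatever is on screen (0-255 scale)
DELTA = 3.0             # brightness offset that encodes a '1' bit
FRAMES_PER_BIT = 6      # ~60 Hz refresh at ~10 bps
NOISE_SD = 0.5          # camera sensor noise per frame, in grey levels
PREAMBLE = [1, 0, 1, 0, 1, 1, 0, 0]   # known sync pattern used for level calibration


def bytes_to_bits(data: bytes) -> list:
    """MSB-first bit list, e.g. b'\\x80' -> [1, 0, 0, 0, 0, 0, 0, 0]."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits) -> bytes:
    """Inverse of bytes_to_bits; len(bits) must be a multiple of 8."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def modulate(payload: bytes) -> list:
    """Sender side (simulated): one mean-brightness value per displayed frame.
    On-off keying: a '1' raises the whole image by DELTA for FRAMES_PER_BIT frames."""
    frames = []
    for bit in PREAMBLE + bytes_to_bits(payload):
        frames.extend([BASELINE + DELTA * bit] * FRAMES_PER_BIT)
    return frames


def camera_capture(frames, attenuation=1.0, seed=7) -> list:
    """Simulated camera: scales the brightness (attenuation < 1 stands in for a
    polarized film darkening the display) and adds Gaussian sensor noise per frame."""
    rng = random.Random(seed)
    return [attenuation * f + rng.gauss(0.0, NOISE_SD) for f in frames]


def demodulate(samples, n_payload_bits: int) -> list:
    """Receiver side: average each bit slot, learn the '0'/'1' levels from the
    known preamble, then threshold the payload slots at the midpoint."""
    slots = [statistics.fmean(samples[i:i + FRAMES_PER_BIT])
             for i in range(0, len(samples), FRAMES_PER_BIT)]
    pre = slots[:len(PREAMBLE)]
    data = slots[len(PREAMBLE):len(PREAMBLE) + n_payload_bits]
    level1 = statistics.fmean([s for s, b in zip(pre, PREAMBLE) if b == 1])
    level0 = statistics.fmean([s for s, b in zip(pre, PREAMBLE) if b == 0])
    threshold = (level0 + level1) / 2
    return [1 if s > threshold else 0 for s in data]


def exfiltrate_and_recover(payload: bytes, attenuation=1.0) -> bytes:
    """End-to-end: modulate, capture through the simulated camera, demodulate."""
    captured = camera_capture(modulate(payload), attenuation)
    return bits_to_bytes(demodulate(captured, 8 * len(payload)))


def bit_error_rate(payload: bytes, attenuation=1.0) -> float:
    """Fraction of payload bits the receiver gets wrong at a given attenuation."""
    sent = bytes_to_bits(payload)
    got = demodulate(camera_capture(modulate(payload), attenuation), len(sent))
    return sum(a != b for a, b in zip(sent, got)) / len(sent)


if __name__ == "__main__":
    secret = b"key"   # constructed sample payload
    print("clear view :", exfiltrate_and_recover(secret), bit_error_rate(secret))
    print("attenuated :", exfiltrate_and_recover(secret, 0.05), bit_error_rate(secret, 0.05))
```

With a clear view of the screen the 3-level offset is far above the averaged noise and the payload comes back intact; once the captured signal is attenuated to a few percent (the effect the polarized-film mitigation relies on) the offset drops below the noise floor and the bit error rate climbs to roughly coin-flip levels, which is why the post can describe the film as "minimizing the chances of recording screen brightness fluctuations".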

Popular Air-Gap Data Exfiltration Techniques:
  • PowerHammer attack that exfiltrates data from air-gapped computers through power lines.
  • MOSQUITO technique that lets two (or more) air-gapped PCs placed in the same room covertly exchange data via ultrasonic waves.
  • BeatCoin technique that could let attackers steal private encryption keys from air-gapped cryptocurrency wallets.
  • aIR-Jumper attack that takes sensitive information from air-gapped computers with the help of infrared-equipped CCTV cameras that are used for night vision.
  • MAGNETO and ODINI techniques that use CPU-generated magnetic fields as a covert channel between air-gapped systems and nearby smartphones.
  • USBee attack that can be used to steal data from air-gapped computers using radio frequency transmissions from USB connectors.
  • DiskFiltration attack that can steal data using sound signals emitted from the hard disk drive (HDD) of the targeted air-gapped computer.
  • BitWhisper that relies on heat exchange between two computer systems to stealthily siphon passwords or security keys.
  • AirHopper that turns a computer's video card into an FM transmitter to capture keystrokes.
  • Fansmitter technique that uses noise emitted by a computer fan to transmit data.
  • GSMem attack that relies on cellular frequencies.
