Malware Steals Data From Air-Gapped Network via Security Cameras

Proof-of-concept malware called aIR-Jumper can be used to bypass air-gapped network protections and send data in and out of network.

Proof-of-concept malware called aIR-Jumper can be used to defeat air-gapped network protections and send data in and out of a targeted network. The technique uses security cameras and infrared LED lights that can blink back and forth to each other transmitting data that has been converted into data streams.

The attack was devised by researchers Mordechai Guri, Dima Bykhovsky‏, and Yuval Elovici at the Ben-Gurion University who published their findings earlier this week (PDF).

“Attackers can use surveillance cameras and infrared light to establish bi-directional covert communication between the internal networks of organizations and remote attackers,” researchers wrote.

The big caveats to the hack are any targeted air-gapped network must already be infected with the aIR-Jumper malware and infected networks must be linked to surveillance cameras visible to external hackers. Under those conditions, the malware can target a camera’s application program interfaces (API) to either modulate infrared LED lights to send data or interpret external blinking infrared LED lights as commands.

“The IR LEDs in surveillance cameras can be controlled by the appropriate API provided by its firmware. In the most basic way, the state of the IR LEDs can be adjusted from within the camera’s Web interface… The user can set the night vision to manual/automatic mode, in order to turn the IR LEDs on and off and set the level of the IR illumination,” wrote researchers.

Under one scenario, the aIR-Jumper malware can be pre-programmed to find sensitive data within the air-gapped network. That data can then be exfiltrated by the security camera’s infrared light used for night vision and which is invisible to the naked eye.

In a video demonstration of the attack, an attacker has line-of-sight to the video camera’s blinking IR LED. The blinking light represents data that has been converted into ones and zeros. Next, the attacker would record the blinking lights and play it back later to decode the flashes as ones and zeros and then back to readable files.

“Our evaluation of the covert channel shows that data can be covertly exfiltrated from an organization at a rate of 20 bit/sec per surveillance camera to a distance of tens of meters away,” researchers said.

Using a similar technique, where an attacker uses a remote blinking IR LED light that can be seen by the security camera, data can be covertly infiltrated into an organization at a rate of more than 100 bit/sec per surveillance camera from up to a mile away. “These signals are then received by the surveillance camera and intercepted by malware within the network,” wrote researchers.

Using this technique, researchers said sensitive data such as PIN codes, passwords, encryption keys, and keylogging data can be modulated, encoded, and transmitted over the IR signals outside the air-gapped network.

In another infiltration scenario, information delivered from a remote attacker to the organization’s internal networks might consist of C&C messages for the aIR-Jumper malware residing in the network, according to researchers.

Researchers behind this report have been focused on hacking air-gapped systems over the years using techniques that range from optical (xLED), electromagnetic (AirHopper), thermal (BitWhisper) and acoustic (Fansmitter).

“Technological countermeasures may include the detection of the presence of malware that controls the camera’s IR LEDs or monitors the camera’s input,” researchers wrote. “Similarly, detection can be done at the network level, by monitoring the network traffic from hosts in the network to the surveillance cameras.”

Suggested articles

Using Heat to Jump Air-Gapped Computers

Researchers claim that when thermal energy from one computer is detected by an adjacent computer it can facilitate the spread of keys and malware.