Light-based printer attack overcomes air-gapped computer security

Multi-function printers - a route to bypass air-gapped computer security.


Adi Shamir - currently Borman Professor of Applied Mathematics at the Weizmann Institute of Science and the co-developer of the RSA cryptographic system - revealed a proof-of-concept method of bypassing air-gapped computer security systems at Black Hat Europe yesterday.

Air-gapping - also known as air-walling - is a security measure that allows a secure computer network to be physically isolated from unsecured networks, such as the public internet. The security measure is typically used for critical computer systems where no external access is allowed, and where any incursion by hackers could be potentially catastrophic.  

In his Black Hat keynote speech, entitled 'Side Channel Attacks - Past, Present, and Future', Shamir revealed that he - and two colleagues from Israel's Ben-Gurion University - were looking at methods of bypassing air-gap security. Even if malware were introduced to an air-gapped computer system, he said, external cyber-criminals would have no normal method of controlling it.

Unless, he explained, a multi-function printer was installed on the computer system.

Shamir - along with fellow researchers Yuval Elovici and Moti Guri - found they could flash visible or infrared light signals at the printer's scanner lid if it were open. Tests revealed the Scangate system, as Shamir calls it, can operate at up to 1,200 metres away from the printer.

If malware installed on a computer attached to the multi-function printer runs a scanning process, Shamir says that the malware can interpret the pulsed light beams as a series of slow-speed data/Morse code transmissions.

According to reporter Lucian Constantin of the PC Advisor newswire, the three researchers successfully tested their Scangate attack methodology at a range of 200, 900 and 1,200 metres against a computer and printer located in a building in Beersheba, Israel, where EMC, Oracle and other big companies have research centres.

"They used a laser to flash visible light at the window of the office where the scanner was located, illuminating the room," says the newswire, adding that using a more powerful laser could produce reliable results from up to five kilometres away.

Reverse path

The same technology - using light from the printer along a reverse path - could also be used to exfiltrate data from the air-gapped system, says Shamir, although at slower speeds.

"Detecting the light generated by the scanner from far away would require very sensitive equipment and if the computer is located in an office on a higher floor, the attacker would have a hard time getting good visibility. This can be solved by using a quadcopter drone to get closer and observing the scanner from a better angle," Shamir told his audience.

According to Professor Peter Sommer, a digital forensics security expert and visiting professor with De Montfort University, Shamir and his team's revelations fall squarely in the category of issues that security researchers like to spend time on - "and then produce demonstrations at geek conferences but have very little practical value."

Not so long ago, he explained, researchers at Fraunhofer were demonstrating communications between air-gapped computers using the in-built microphone and loudspeakers to send high frequency audio modulated traffic.

"But to make these things work you need to be able to have previously covertly sent the relevant driver software - which will probably be identified by heuristics-based malware detection software. And even if you overcome that you are heavily dependent on specific environmental conditions - the detecting computer has to be able to 'see' the device being hacked," he said.

Hacker's toolkit

Nigel Stanley, OpenSky's cybersecurity, risk and compliance practice director, said that he views Shamir's research as just another part of a hacker's toolkit to be used when other attack methodologies fail.

"I think this approach shows how creative security researchers have become in recent years, in terms of using technology to bypass existing security layers, and beat the existing human and electronic security systems seen on so-called air-gapped computers," he explained.

Sarb Sembhi, a leading light in ISACA, the not-for-profit IT security association, said that the Scangate attack vector could prove useful as a means of hacking into an air-gapped system, but would only normally work where the printer was located at a central point in a large building, and a light beam could be shone in from the edge.

"It's an interesting approach," he said, adding that, whilst it has a limited number of applications, it highlights the need for 'security in depth' in all IT systems, as, if the printer is attached to a firewall appliance, then its ability to be misused in the manner described by Shamir and his team would be blocked.

Sembhi, a director with Storm Guidance, went on to say that this security in depth approach, whilst used for corporate computer systems, is not always used on peripherals such as multi-function printers, although, as Shamir's keynote shows, there is a definite need for this approach to security, especially in air-gapped computer system installations.