Researchers have demonstrated a way for remote attackers to exfiltrate data from and send malicious commands to air-gapped networks, using infrared surveillance cameras that ironically are supposed to make the organisations using them more secure.
Dubbed aIR-Jumper, the air-gap covert channel attack was discovered by researchers Mordechai Guri and Yuval Elovici at Ben-Gurion University of the Negev and Dima Bykhovsky with the Shamoon College of Engineering (both institutions are based in Israel). According to the researchers' report, published this week, sensitive data such as PIN codes, passwords, encryption keys and keylogging information can be encoded onto the infrared light emitted by surveillance cameras and subsequently captured and deciphered by the attackers. Likewise, malicious actors can send command-and-control and beaconing messages to their victims' systems by transmitting infrared signals - invisible to the human eye - into the cameras.
Such an attack, however, requires several steps of compromise in order to succeed. The air-gapped systems would already have to be infected with malware, likely delivered via a flash drive, that is capable of both controlling networked cameras' illumination and decoding incoming infrared signals. Additionally, the security cameras need to be in proximity to the attackers, within their line or sight. And finally, to connect to the cameras, the attackers likely would need to steal a password, perhaps by exploiting a bug in the camera's software or firmware.
"Our evaluation of the covert channel shows that data can be covertly exfiltrated from an organisation at a rate of 20 bit/sec per surveillance camera to a distance of tens of metres away," the report states. "Data can be covertly infiltrated into an organisation at a rate of over 100 bit/sec per surveillance camera from a distance of hundreds of metres to kilometers away. These transmission rates can be increased further when several surveillance cameras are used."