A team of three Israeli security researchers released a proof-of-concept earlier this month demonstrating the possibility of remote attackers exploiting vulnerabilities in scanners to deliver malware.
Using the light sensitivity of the scanner, they devised several methods to deliver data via a nearby laser, including one on a drone, and even sent from a passing car to a smart bulb within an organisation's environs. Their incursion could be used to launch ransomware attacks.
The paper, "Oops!...I think I scanned a malware," reveals the opportunities afforded bad actors seeking to exploit the popular devices – everything from sheet-fed scanners, integrated scanners, drum scanners and even portable scanners, all used in offices worldwide to transmit written text and images.
The trio used light transmitted to a flatbed scanner to infiltrate air-gapped systems. The attack relies on the extraction of malware installed into the organisation, they reported. The method "exploits an organisation's scanner which serves as a gateway to the organisation, in order to establish a covert channel between a malware and an attacker." The attacker, they added, could be at a considerable distance from the targeted scanner.
The motivation for the bad actors, the researchers wrote, could be to deliver malware capable of locking up critical files; in other words, a ransomware attack. The trio's intention was to show how an attacker could get past an enterprise's security measures – such as intrusion detection and prevention systems (IDS/IPS), firewalls and data leakage prevention (DLP) systems – and obfuscate their injection of malware so as to remain undetected.
The success of the researchers illustrated dangers inherent in a number of Internet of Things devices. “This research highlights that even the process of air-gapping devices does not guarantee that breaches can be prevented," Michael Patterson, CEO of Plixer, told SC Media on Friday. "Any form of data communication that does not require a physical connection becomes a point of vulnerability."
Many computing devices ship with infrared, Bluetooth, Wi-Fi and GPS sensors, Patterson said. "Each of these technologies allow for the transmission of data to and from a device without the need for wires. As these researchers have shown, flatbed scanners are now an example of another attack vector."
Any peripheral that connects to an air-gapped device introduces additional risk, Patterson told SC. "If the peripheral has a mechanism for receiving binary data via radio frequency, or in the case of these scanners, optically, there is a risk of compromise.”
As a security mechanism, air gapped systems are physically isolated from any internet-facing networks, he explained. "Typically these systems are either standalone, with no network connections at all, or they may be networked, but only with systems that lack internet access. Over the years, this method has proven very successful in keeping data safe which has led to a high degree of trust in air gaps. Currently however, researchers are finding more and more ways in which these seemingly isolated systems are vulnerable to external attacks."
In 2015, researchers at Georgia Institute of Technology identified a potential side-channel vulnerability, Patterson told SC. They found that the CPU of computing devices emanate electromagnetic signals that can be correlated to the zeros and ones being processed. "If a probe were to be connected to the right chip pin out, the voltage levels from that chip could be used to convert the zeros and ones to useful information."
The level of trust that has been associated to air gapped devices must be reconsidered, Patterson said. "Significant time, effort and money has been placed on efforts to protect and monitor systems connected to internet-facing networks. Due to the trust traditionally associated with air gapped systems, in many cases, less effort and monitoring have been directed at them," he said.
Given the rapidly evolving threat surfaces and the high sensitivity of the data, organisations need to begin to scrutinise the traffic flowing across these air gapped networks, Patterson advised. "Network traffic analysis and behaviour analysis tools must now be deployed to gain visibility, threat detection and forensics data on these air gapped systems and networks.”
After an extensive explication of their technique and one possible antidote – it involves keeping the scanner closed, since light can't be projected on the pane when the scanner is closed – the trio of Israeli researchers concluded their study saying they hoped it would increase awareness to the threat and would result in "secured protocols for scanning that will prevent an attacker from establishing such a covert channel specifically in the era of Internet of Things."