LED-it-GO: Leaking (a lot of) data from air-gapped computers via the (small) hard drive LED

Abstract

In this paper we present a method that allows attackers to covertly leak data from isolated, air-gapped computers. Our method utilizes the hard disk drive (HDD) activity LED which exists in most of today’s desktop PCs, laptops, and servers. We show that a malware can indirectly control the HDD LED, turning it on and off rapidly (up to 5800 blinks per second) – a rate that exceeds the visual perception capabilities of humans. Sensitive information can be encoded and leaked over the LED signals, which can then be received remotely by different kinds of cameras and light sensors (Demonstration video: https:// www.youtube.com/watch?v=4vIu8ld68fc). Compared to other LED methods, our method is unique, because it is also covert; the HDD activity LED routinely flickers frequently, and therefore the user may not be suspicious of changes in its activity. We discuss attack scenarios and present the necessary technical background regarding the HDD LED and its hardware control. We also present various data modulation methods and describe the implementation of a user-level malware that doesn’t require a kernel component. During the evaluation, we examined the physical characteristics of different colored HDD LEDs (red, blue, and white) and tested different types of receivers: remote cameras, ‘extreme’ cameras, security cameras, smartphone cameras, drone cameras, and optical sensors. Finally, we discuss hardware and software countermeasures for such a threat. Our experiment shows that sensitive data can successfully be leaked from air-gapped computers via the HDD LED at a maximum bit rate of 120 bit/s (bits per second) when a video camera is used as a receiver, and 4000 bit/s when a light sensor is used for the reception. Notably, the maximal speed is 10 times faster than the existing optical covert channels for air-gapped computers. These rates allow rapid exfiltration of encryption keys, keystroke logging, and text and binary files.