CTRL-ALT-LED: Leaking data from air-gapped computers via keyboard LEDs

Mordechai Guri; Boris Zadov; Dima Bykhovsky; Yuval Elovici

doi:10.1109/COMPSAC.2019.00118

CTRL-ALT-LED: Leaking data from air-gapped computers via keyboard LEDs

Mordechai Guri, Boris Zadov, Dima Bykhovsky, Yuval Elovici

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

39 Scopus citations

Abstract

Using the keyboard LEDs to send data optically was proposed in 2002 by Loughry and Umphress [1] (Appendix A). In this paper we extensively explore this threat in the context of a modern cyber-attack with current hardware and optical equipment. In this type of attack, an advanced persistent threat (APT) uses the keyboard LEDs (Caps-Lock, Num-Lock and Scroll-Lock) to encode information and exfiltrate data from airgapped computers optically. Notably, this exfiltration channel is not monitored by existing data leakage prevention (DLP) systems. We examine this attack and its boundaries for today's keyboards with USB controllers and sensitive optical sensors. We also introduce smartphone and smartwatch cameras as components of malicious insider and 'evil maid' attacks. We provide the necessary scientific background on optical communication and the characteristics of modern USB keyboards at the hardware and software level, and present a transmission protocol and modulation schemes. We implement the exfiltration malware, discuss its design and implementation issues, and evaluate it with different types of keyboards. We also test various receivers, including light sensors, remote cameras, 'extreme' cameras, security cameras, and smartphone cameras. Our experiment shows that data can be leaked from air-gapped computers via the keyboard LEDs at a maximum bit rate of 3000 bit/sec per LED given a light sensor as a receiver, and more than 120 bit/sec if smartphones are used. The attack doesn't require any modification of the keyboard at hardware or firmware levels.

Original language	English
Title of host publication	Proceedings - 2019 IEEE 43rd Annual Computer Software and Applications Conference, COMPSAC 2019
Editors	Vladimir Getov, Jean-Luc Gaudiot, Nariyoshi Yamai, Stelvio Cimato, Morris Chang, Yuuichi Teranishi, Ji-Jiang Yang, Hong Va Leong, Hossian Shahriar, Michiharu Takemoto, Dave Towey, Hiroki Takakura, Atilla Elci, Susumu Takeuchi, Satish Puri
Publisher	Institute of Electrical and Electronics Engineers
Pages	801-810
Number of pages	10
ISBN (Electronic)	9781728126074
DOIs	https://doi.org/10.1109/COMPSAC.2019.00118
State	Published - 1 Jul 2019
Event	43rd IEEE Annual Computer Software and Applications Conference, COMPSAC 2019 - Milwaukee, United States Duration: 15 Jul 2019 → 19 Jul 2019

Publication series

Name	Proceedings - International Computer Software and Applications Conference
Volume	1
ISSN (Print)	0730-3157

Conference

Conference	43rd IEEE Annual Computer Software and Applications Conference, COMPSAC 2019
Country/Territory	United States
City	Milwaukee
Period	15/07/19 → 19/07/19

Keywords

Air-gap
Covert channel
Exfiltration
Keyboard
Network
Optical

ASJC Scopus subject areas

Software
Computer Science Applications

Access to Document

10.1109/COMPSAC.2019.00118

Cite this

Guri, M., Zadov, B., Bykhovsky, D., & Elovici, Y. (2019). CTRL-ALT-LED: Leaking data from air-gapped computers via keyboard LEDs. In V. Getov, J.-L. Gaudiot, N. Yamai, S. Cimato, M. Chang, Y. Teranishi, J.-J. Yang, H. V. Leong, H. Shahriar, M. Takemoto, D. Towey, H. Takakura, A. Elci, S. Takeuchi, & S. Puri (Eds.), Proceedings - 2019 IEEE 43rd Annual Computer Software and Applications Conference, COMPSAC 2019 (pp. 801-810). Article 8754078 (Proceedings - International Computer Software and Applications Conference; Vol. 1). Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/COMPSAC.2019.00118

Guri, Mordechai ; Zadov, Boris ; Bykhovsky, Dima et al. / CTRL-ALT-LED : Leaking data from air-gapped computers via keyboard LEDs. Proceedings - 2019 IEEE 43rd Annual Computer Software and Applications Conference, COMPSAC 2019. editor / Vladimir Getov ; Jean-Luc Gaudiot ; Nariyoshi Yamai ; Stelvio Cimato ; Morris Chang ; Yuuichi Teranishi ; Ji-Jiang Yang ; Hong Va Leong ; Hossian Shahriar ; Michiharu Takemoto ; Dave Towey ; Hiroki Takakura ; Atilla Elci ; Susumu Takeuchi ; Satish Puri. Institute of Electrical and Electronics Engineers, 2019. pp. 801-810 (Proceedings - International Computer Software and Applications Conference).

@inproceedings{4a0222b8cc8e41739cc814e460de1428,

title = "CTRL-ALT-LED: Leaking data from air-gapped computers via keyboard LEDs",

abstract = "Using the keyboard LEDs to send data optically was proposed in 2002 by Loughry and Umphress [1] (Appendix A). In this paper we extensively explore this threat in the context of a modern cyber-attack with current hardware and optical equipment. In this type of attack, an advanced persistent threat (APT) uses the keyboard LEDs (Caps-Lock, Num-Lock and Scroll-Lock) to encode information and exfiltrate data from airgapped computers optically. Notably, this exfiltration channel is not monitored by existing data leakage prevention (DLP) systems. We examine this attack and its boundaries for today's keyboards with USB controllers and sensitive optical sensors. We also introduce smartphone and smartwatch cameras as components of malicious insider and 'evil maid' attacks. We provide the necessary scientific background on optical communication and the characteristics of modern USB keyboards at the hardware and software level, and present a transmission protocol and modulation schemes. We implement the exfiltration malware, discuss its design and implementation issues, and evaluate it with different types of keyboards. We also test various receivers, including light sensors, remote cameras, 'extreme' cameras, security cameras, and smartphone cameras. Our experiment shows that data can be leaked from air-gapped computers via the keyboard LEDs at a maximum bit rate of 3000 bit/sec per LED given a light sensor as a receiver, and more than 120 bit/sec if smartphones are used. The attack doesn't require any modification of the keyboard at hardware or firmware levels.",

keywords = "Air-gap, Covert channel, Exfiltration, Keyboard, Network, Optical",

author = "Mordechai Guri and Boris Zadov and Dima Bykhovsky and Yuval Elovici",

note = "Publisher Copyright: {\textcopyright} 2019 IEEE.; 43rd IEEE Annual Computer Software and Applications Conference, COMPSAC 2019 ; Conference date: 15-07-2019 Through 19-07-2019",

year = "2019",

month = jul,

day = "1",

doi = "10.1109/COMPSAC.2019.00118",

language = "English",

series = "Proceedings - International Computer Software and Applications Conference",

publisher = "Institute of Electrical and Electronics Engineers",

pages = "801--810",

editor = "Vladimir Getov and Jean-Luc Gaudiot and Nariyoshi Yamai and Stelvio Cimato and Morris Chang and Yuuichi Teranishi and Ji-Jiang Yang and Leong, {Hong Va} and Hossian Shahriar and Michiharu Takemoto and Dave Towey and Hiroki Takakura and Atilla Elci and Susumu Takeuchi and Satish Puri",

booktitle = "Proceedings - 2019 IEEE 43rd Annual Computer Software and Applications Conference, COMPSAC 2019",

address = "United States",

}

Guri, M, Zadov, B, Bykhovsky, D & Elovici, Y 2019, CTRL-ALT-LED: Leaking data from air-gapped computers via keyboard LEDs. in V Getov, J-L Gaudiot, N Yamai, S Cimato, M Chang, Y Teranishi, J-J Yang, HV Leong, H Shahriar, M Takemoto, D Towey, H Takakura, A Elci, S Takeuchi & S Puri (eds), Proceedings - 2019 IEEE 43rd Annual Computer Software and Applications Conference, COMPSAC 2019., 8754078, Proceedings - International Computer Software and Applications Conference, vol. 1, Institute of Electrical and Electronics Engineers, pp. 801-810, 43rd IEEE Annual Computer Software and Applications Conference, COMPSAC 2019, Milwaukee, United States, 15/07/19. https://doi.org/10.1109/COMPSAC.2019.00118

CTRL-ALT-LED: Leaking data from air-gapped computers via keyboard LEDs. / Guri, Mordechai; Zadov, Boris; Bykhovsky, Dima et al.
Proceedings - 2019 IEEE 43rd Annual Computer Software and Applications Conference, COMPSAC 2019. ed. / Vladimir Getov; Jean-Luc Gaudiot; Nariyoshi Yamai; Stelvio Cimato; Morris Chang; Yuuichi Teranishi; Ji-Jiang Yang; Hong Va Leong; Hossian Shahriar; Michiharu Takemoto; Dave Towey; Hiroki Takakura; Atilla Elci; Susumu Takeuchi; Satish Puri. Institute of Electrical and Electronics Engineers, 2019. p. 801-810 8754078 (Proceedings - International Computer Software and Applications Conference; Vol. 1).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - CTRL-ALT-LED

T2 - 43rd IEEE Annual Computer Software and Applications Conference, COMPSAC 2019

AU - Guri, Mordechai

AU - Zadov, Boris

AU - Bykhovsky, Dima

AU - Elovici, Yuval

PY - 2019/7/1

Y1 - 2019/7/1

N2 - Using the keyboard LEDs to send data optically was proposed in 2002 by Loughry and Umphress [1] (Appendix A). In this paper we extensively explore this threat in the context of a modern cyber-attack with current hardware and optical equipment. In this type of attack, an advanced persistent threat (APT) uses the keyboard LEDs (Caps-Lock, Num-Lock and Scroll-Lock) to encode information and exfiltrate data from airgapped computers optically. Notably, this exfiltration channel is not monitored by existing data leakage prevention (DLP) systems. We examine this attack and its boundaries for today's keyboards with USB controllers and sensitive optical sensors. We also introduce smartphone and smartwatch cameras as components of malicious insider and 'evil maid' attacks. We provide the necessary scientific background on optical communication and the characteristics of modern USB keyboards at the hardware and software level, and present a transmission protocol and modulation schemes. We implement the exfiltration malware, discuss its design and implementation issues, and evaluate it with different types of keyboards. We also test various receivers, including light sensors, remote cameras, 'extreme' cameras, security cameras, and smartphone cameras. Our experiment shows that data can be leaked from air-gapped computers via the keyboard LEDs at a maximum bit rate of 3000 bit/sec per LED given a light sensor as a receiver, and more than 120 bit/sec if smartphones are used. The attack doesn't require any modification of the keyboard at hardware or firmware levels.

AB - Using the keyboard LEDs to send data optically was proposed in 2002 by Loughry and Umphress [1] (Appendix A). In this paper we extensively explore this threat in the context of a modern cyber-attack with current hardware and optical equipment. In this type of attack, an advanced persistent threat (APT) uses the keyboard LEDs (Caps-Lock, Num-Lock and Scroll-Lock) to encode information and exfiltrate data from airgapped computers optically. Notably, this exfiltration channel is not monitored by existing data leakage prevention (DLP) systems. We examine this attack and its boundaries for today's keyboards with USB controllers and sensitive optical sensors. We also introduce smartphone and smartwatch cameras as components of malicious insider and 'evil maid' attacks. We provide the necessary scientific background on optical communication and the characteristics of modern USB keyboards at the hardware and software level, and present a transmission protocol and modulation schemes. We implement the exfiltration malware, discuss its design and implementation issues, and evaluate it with different types of keyboards. We also test various receivers, including light sensors, remote cameras, 'extreme' cameras, security cameras, and smartphone cameras. Our experiment shows that data can be leaked from air-gapped computers via the keyboard LEDs at a maximum bit rate of 3000 bit/sec per LED given a light sensor as a receiver, and more than 120 bit/sec if smartphones are used. The attack doesn't require any modification of the keyboard at hardware or firmware levels.

KW - Air-gap

KW - Covert channel

KW - Exfiltration

KW - Keyboard

KW - Network

KW - Optical

UR - http://www.scopus.com/inward/record.url?scp=85072700970&partnerID=8YFLogxK

U2 - 10.1109/COMPSAC.2019.00118

DO - 10.1109/COMPSAC.2019.00118

M3 - Conference contribution

AN - SCOPUS:85072700970

T3 - Proceedings - International Computer Software and Applications Conference

SP - 801

EP - 810

BT - Proceedings - 2019 IEEE 43rd Annual Computer Software and Applications Conference, COMPSAC 2019

A2 - Getov, Vladimir

A2 - Gaudiot, Jean-Luc

A2 - Yamai, Nariyoshi

A2 - Cimato, Stelvio

A2 - Chang, Morris

A2 - Teranishi, Yuuichi

A2 - Yang, Ji-Jiang

A2 - Leong, Hong Va

A2 - Shahriar, Hossian

A2 - Takemoto, Michiharu

A2 - Towey, Dave

A2 - Takakura, Hiroki

A2 - Elci, Atilla

A2 - Takeuchi, Susumu

A2 - Puri, Satish

PB - Institute of Electrical and Electronics Engineers

Y2 - 15 July 2019 through 19 July 2019

ER -

Guri M, Zadov B, Bykhovsky D, Elovici Y. CTRL-ALT-LED: Leaking data from air-gapped computers via keyboard LEDs. In Getov V, Gaudiot JL, Yamai N, Cimato S, Chang M, Teranishi Y, Yang JJ, Leong HV, Shahriar H, Takemoto M, Towey D, Takakura H, Elci A, Takeuchi S, Puri S, editors, Proceedings - 2019 IEEE 43rd Annual Computer Software and Applications Conference, COMPSAC 2019. Institute of Electrical and Electronics Engineers. 2019. p. 801-810. 8754078. (Proceedings - International Computer Software and Applications Conference). doi: 10.1109/COMPSAC.2019.00118

CTRL-ALT-LED: Leaking data from air-gapped computers via keyboard LEDs

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this