The team of researchers at the Ben-Gurion University of the Negev in Israel composed of Mordechai Guri, Dima Bykhovsky, Yuval Elovici developed a PoC malware that leverages security cameras with Infrared capabilities to steal data.
The security cameras are used as a covert channel for data exfiltration and to send commands to the malicious code.
Modern surveillance and security cameras are equipped with infrared LEDs for night vision, experts decided to exploit them because infrared light is imperceptible to the human eye making impossible for users to discover the data transmission through led blinking.
The same research team has devised numerous techniques to exfiltrate data from air-gapped networks across the years, including DiskFiltration, AirHopper, BitWhisper, LED-it-Go, SPEAKE(a)R, USBee, Fansmitter, xLED.
The current research project dubbed aIR-Jumper, leverage on a malicious code that must be installed on the target computers which enables the attackers to control it with security surveillance cameras/software, or on a computer in the same network with the camera.
“In this paper, we show how attackers can use surveillance cameras and infrared light to establish bi-directional covert communication between the internal networks of organizations and remote attackers. We present two scenarios: exfiltration (leaking data out of the network) and infiltration (sending data into the network). ” reads the paper published by the team and titled “aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR)“
The malicious code is able to steal data from an infected system and then convert it into a sequence of ones and zeros that is then transmitted by making the device’s infrared LEDs blinking.
“By blinking the IR LEDs an attacker can leak sensitive data stored on the device, such as credentials
and cryptographic keys, at a speed of 15 bit/sec. However, in their method the attacker must find a way to insert the compromised hardware into the organization. In contrast, our method uses the IR LEDs that already exist in surveillance and security cameras and doesn’t require special or malicious
hardware.” continues the paper.
On the other end, an attacker sitting in the range of the security camera’s infrared LED will be able to receive the blinking and use an application developed by the ream to reconstructs stream of data sent through the led blinking.
The researchers also demonstrated that an attacker can use an infrared LED to send new commands to a security camera inside an infected network. The malicious code developed by the experts analyzes the camera’s video feed, detect infrared LED transmissions and convert the incoming blinks into new commands.
The expert implemented a malware prototype and evaluated it with different models of cameras and discussed preventive and defensive countermeasures.
“Our evaluation shows that an attacker can use IR and surveillance cameras to communicate over the air-gap to a distance of tens to hundreds of meters away. We demonstrate how data can be leaked from the network at a bit rate of 20 bit/sec (per camera) and be delivered to the network at bit rate of more than 100 bit/sec (per camera).” states the paper.
The exfiltration speed obtained by the researchers is low compared to the one obtained with other techniques tested by the same group of researchers. In July, the team of experts led by the expert Mordechai Guri developed a specific firmware dubbed xLED that allowed them to control the LED while the router is working. The router LEDs were used to exfiltrate data from air-gapped networks with better performance compared with aIR-Jumper.
The researchers explained that infrared signals are better than router LEDs because infrared signals bounce of nearby surfaces with a higher reflection rate, this means that attackers don’t necessarily need a line of sight to the camera.
In the following table, the aIR-Jumper technique is compared with others devised by the research team
In their research paper. the team proposes a series of software and hardware countermeasures, such as window shielding, IR LED activity monitoring, firmware controls for disabling IR support, irregular access to camera API functions, suspicious traffic detection (LED control), and also LEDs covering /disconnecting.
I reached Mordechai Guri for a comment:
“This air-gap covert-channel is unique since it allow attackers to establish a bi-directional communication with a remote attacker, like a TCP/IP connection with IR signals and security cameras: you can send a request and receive a response. Almost all existing air-gap covert-channels allows only one way communication”
The experts published two videos PoC that show how they send commands to the aIR-Jumper malware via the security camera, and how they exfiltrate data from the affected network.