The Caps Lock, Num Lock and Scroll Lock LEDs on a keyboard can be used to exfiltrate data from a secure system, as Israeli university academics have demonstrated.
The attack, which they named CTRL-ALT-LED, is not something regular users need to worry about, but it is a danger for highly secure environments, such as government networks storing top-secret documents or corporate networks dedicated to storing non-public proprietary information.
How CTRL-ALT-LED works
The attack requires certain prerequisites, such as the malicious actor finding a way to infect an air-gapped system with malware beforehand. CTRL-ALT-LED is only an exfiltration method.
But once these prerequisites are met, malware running on a system can quickly flash the LEDs of a USB-connected keyboard, using a custom transmission protocol and a modulation scheme to encode the transmitted data.
A nearby attacker can record these tiny flickers and decode them later, using the same modulation scheme that was used to encode them.
The research team behind this exfiltration method said it had tested the CTRL-ALT-LED technique with various optical capture devices, such as a smartphone camera, a smartwatch camera, security cameras, extreme sports cameras and even high-quality optical/light sensors.
Some attacks require an "evil maid" scenario, in which the attacker must be physically present to record the flickering of the LEDs, using a smartphone or smartwatch.
However, other scenarios are more feasible, with the attacker taking control of CCTV surveillance systems that have a direct line of sight on the keyboard lights.
Keyboard LED transmissions can also be scheduled for certain times of the day when users are not present. This also makes it easier for attackers to synchronize recordings, or to place optical recorders or cameras near air-gapped targets when they know the LEDs are transmitting stolen information.
During the experiments, the research team, from Ben-Gurion University of the Negev in Israel, reported recording exfiltration rates of up to 3,000 bit/s per LED with sensitive light sensors, and about 120 bit/s when they used a normal smartphone camera.
Speeds varied depending on the camera's sensitivity and the distance to the keyboard. Keyboard models play no role in exfiltration speeds, and no vendor's keyboards are more vulnerable to this exfiltration method than others. The bit error rates during the recovery of stolen data ranged from acceptable rates of 3% to values greater than 8%.
But the technique that Ben Gurion's research team has tested with modern equipment is not new. A research paper published in 2002 first warned that the exfiltration of data via keyboard lights was technically possible.
In addition, the same Ben-Gurion team was also behind similar research in the past. The first is called LED-it-GO, an exfiltration technique that uses hard drive LEDs, and the second, xLED, is a similar method that exfiltrates data from routers and switches with the help of their status lights.
As this article has indicated from the beginning, regular users have nothing to fear from the technique described here. Malware usually has much better and faster methods of stealing data from infected computers. This is something that the administrators of air-gapped networks must take into account.
The Ben-Gurion team has identified various measures to combat this attack in its white paper titled "CTRL-ALT-LED: Data Leakage from Isolated Computers Using Keyboard Indicators".
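The following host-side check is an added example, not taken from the article or the white paper: it flags runs of lock-LED changes that no lock-key press explains, which is what the rapid, unattended flashing described above looks like from the host. The event feed format, the thresholds and the sample data are assumptions constructed for illustration.

```python
# Thresholds are assumptions chosen for illustration, not values from the paper.
KEYPRESS_WINDOW_S = 0.05  # LED change this soon after a lock-key press counts as user-driven
MAX_GAP_S = 0.25          # unexplained toggles closer together than this form one burst
MIN_TOGGLES = 8           # bursts shorter than this are ignored

def find_led_bursts(events):
    """Return (start_s, end_s, toggles) for each burst of LED changes with no key press.

    events: time-sorted (timestamp_s, kind, led) tuples from a hypothetical
    host monitoring agent; kind is "key" (lock key pressed) or "led" (LED changed).
    """
    last_key = {}   # led name -> time of the most recent physical key press
    clusters = []   # [start_s, end_s, toggles] runs of unexplained LED changes
    for ts, kind, led in events:
        if kind == "key":
            last_key[led] = ts
            continue
        if ts - last_key.get(led, float("-inf")) <= KEYPRESS_WINDOW_S:
            continue  # the user pressed the matching lock key just before
        if clusters and ts - clusters[-1][1] <= MAX_GAP_S:
            clusters[-1][1] = ts      # extend the current run
            clusters[-1][2] += 1
        else:
            clusters.append([ts, ts, 1])
    return [tuple(c) for c in clusters if c[2] >= MIN_TOGGLES]

# Constructed sample feed: two user-driven changes, one stray change, then
# 40 Scroll Lock LED changes 10 ms apart with no key press.
SAMPLE_EVENTS = sorted(
    [(10.00, "key", "caps"), (10.01, "led", "caps"),
     (42.50, "key", "num"), (42.52, "led", "num"),
     (500.00, "led", "num")]
    + [(3600.0 + i * 0.01, "led", "scroll") for i in range(40)]
)

if __name__ == "__main__":
    for start, end, toggles in find_led_bursts(SAMPLE_EVENTS):
        rate = toggles / max(end - start, 1e-9)
        print(f"unexplained LED burst: {toggles} toggles, "
              f"{start:.2f}s to {end:.2f}s (~{rate:.0f}/s)")
```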
The research team will present its findings next week, July 18, at the COMPSAC conference in Milwaukee, Wisconsin, USA.