----------------------------------------
CTRL-ALT-LED keyboard LED attack on airgapped systems
July 11th, 2019
----------------------------------------
So I saw an interesting article on ZDNet earlier about keyboard LEDs
potentially being used to exfiltrate data on extremely high security
air gapped systems (essentially systems that have no network access).
Here's a short synopsis of the article:

> The attack, which they named CTRL-ALT-LED, is nothing that regular
> users should worry about but is a danger for highly secure environments
> such as government networks that store top-secret documents or
> enterprise networks dedicated to storing non-public proprietary
> information. The attack requires some pre-requisites, such as the
> malicious actor finding a way to infect an air-gapped system with
> malware beforehand. CTRL-ALT-LED is only an exfiltration method. But
> once these prerequisites are met, the malware running on a system can
> make the LEDs of a USB-connected keyboard blink at rapid speeds, using
> a custom transmission protocol and modulation scheme to encode the
> transmitted data. A nearby attacker can record these tiny light
> flickers, which they can decode at a later point, using the same
> modulation scheme used to encode it.

Given previous hypotheticals against airgapped systems using hard disk
drive LEDs, I think it's entirely reasonable that folks using systems
requiring this much security should make a few changes to prevent
exfiltration of information via LEDs... For starters I would remove the
keyboard LEDs with an X-ACTO knife, it's a relatively simple operation
to do. If users absolutely need a keyboard indication of whether num/
caps/scroll lock is on, a keyboard manufacturer could easily make old-
style keyboards with mechanical latches for those keys (you gently press
your finger on the lock key to see if it's actually locked or not).

Furthermore the HDD LED should be removed for the same reason, and while
we are at it, the power LED should be removed too. Before you say that
I am mad for advocating power LED removal, hear me out; an external power
LED can be made by handy engineers with ease: an induction coil attached
to the incoming mains of the PSU can be wired into an LED (be sure to use
a filtering capacitor) to determine if the system is powered or not.
Don't take a chance on taping off LEDs, tape can fall off, and some users
compulsively pick at things. Ugh.

As for me, I'm taking the easy way out: if the data is so important that
it requires an airgapped system, I'm not going to put it on any of my
computers to begin with. :)
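
Where the LEDs can't be physically removed, the rapid blinking described in the synopsis is itself something a host-side monitor can look for. The following is an added example, not code from this post or from the researchers: it flags any lock LED whose state changes faster than a person would toggle it. The log format, the sample data and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds (not from the post): more than MAX_TOGGLES state changes
# of one lock LED inside WINDOW_S seconds is treated as non-human.
MAX_TOGGLES = 4
WINDOW_S = 1.0

# Constructed sample of polled LED states: "<seconds> <led> <state>".
SAMPLE = """\
0.00 capslock 0
2.10 capslock 1
9.40 capslock 0
10.00 numlock 1
10.05 numlock 0
10.10 numlock 1
10.15 numlock 0
10.20 numlock 1
10.25 numlock 0
10.30 numlock 1
"""

def parse(text):
    """Yield (timestamp, led, state) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, led, state = line.split()
            yield float(ts), led, int(state)

def find_bursts(samples, max_toggles=MAX_TOGGLES, window_s=WINDOW_S):
    """Return {led: peak toggles per window} for LEDs over the threshold."""
    last = {}                    # led -> last seen state
    recent = defaultdict(deque)  # led -> toggle times inside the window
    peak = defaultdict(int)      # led -> highest toggle count in any window
    for ts, led, state in samples:
        if led in last and last[led] != state:
            q = recent[led]
            q.append(ts)
            while ts - q[0] > window_s:   # drop toggles older than the window
                q.popleft()
            peak[led] = max(peak[led], len(q))
        last[led] = state
    return {led: n for led, n in peak.items() if n > max_toggles}

if __name__ == "__main__":
    for led, n in find_bursts(parse(SAMPLE)).items():
        print(f"ALERT {led}: {n} toggles within {WINDOW_S}s")
```

The poll interval bounds what this can see: toggles faster than the sampling rate are missed, which is one more reason the physical removal above is the stronger control.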
----------------------------------------
Comments have been left on this post:
everyone should have an airgap machine for making key pairs.
Posted Sat Jul 20 02:12:46 UTC 2019 by 104.244.74.97
------------------------------------------------------------------------
I have an airgap machine for making private keys.
Posted Sat Aug 17 01:21:24 UTC 2019 by 178.17.170.135
------------------------------------------------------------------------