aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR) (1709.05742v1)

Published 18 Sep 2017 in cs.CR

Abstract: Infrared (IR) light is invisible to humans, but cameras are optically sensitive to this type of light. In this paper, we show how attackers can use surveillance cameras and infrared light to establish bi-directional covert communication between the internal networks of organizations and remote attackers. We present two scenarios: exfiltration (leaking data out of the network) and infiltration (sending data into the network). Exfiltration. Surveillance and security cameras are equipped with IR LEDs, which are used for night vision. In the exfiltration scenario, malware within the organization accesses the surveillance cameras across the local network and controls the IR illumination. Sensitive data such as PIN codes, passwords, and encryption keys are then modulated, encoded, and transmitted over the IR signals. Infiltration. In an infiltration scenario, an attacker standing in a public area (e.g., in the street) uses IR LEDs to transmit hidden signals to the surveillance camera(s). Binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals. The exfiltration and infiltration can be combined to establish bidirectional, 'air-gap' communication between the compromised network and the attacker. We discuss related work and provide scientific background about this optical channel. We implement a malware prototype and present data modulation schemas and a basic transmission protocol. Our evaluation of the covert channel shows that data can be covertly exfiltrated from an organization at a rate of 20 bit/sec per surveillance camera to a distance of tens of meters away. Data can be covertly infiltrated into an organization at a rate of over 100 bit/sec per surveillance camera from a distance of hundreds of meters to kilometers away.

Citations (69)

Summary

  • The paper presents a novel technique that leverages IR LEDs on security cameras to covertly exfiltrate sensitive data at 20 bit/sec from air-gapped networks.
  • The paper shows how external IR signals directed at surveillance cameras can infiltrate networks by transmitting command and control data at speeds exceeding 100 bit/sec.
  • The paper highlights the risk inherent in using standard surveillance infrastructure, urging the development of countermeasures to secure air-gapped environments.

Covert Air-Gap Communication using Infrared and Security Cameras

The paper "aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR)" by Mordechai Guri et al. presents a method of establishing bidirectional covert communication channels between isolated (air-gapped) computer networks and external attackers using infrared light and surveillance cameras. The research covers two directions, data exfiltration and data infiltration, both of which use the inherent features of security cameras and infrared light to breach secure network environments without conventional network connectivity.

Exfiltration Technique

In the exfiltration context, the authors describe how malicious software installed within a target organization can manipulate IR LEDs in security cameras, typically used for night vision, to modulate and transmit sensitive information. Such data, ranging from passwords to encryption keys, can be encoded over IR signals and intercepted by an adversary using simple recording equipment with a line of sight from tens of meters away. Notably, the proposed method achieves a transmission rate of 20 bit/sec per camera, which, while limited, is feasible for leaking critical but compact data forms like encryption keys or authentication credentials.

Infiltration Technique

Infiltration is achieved through the transmission of command and control (C&C) messages using external IR LEDs directed at the surveillance cameras. By encoding data within these IR signals, an attacker can impart commands to malware residing within the protected network. This infiltration can occur at rates exceeding 100 bit/sec, permitting more substantial data transfers and effective remote manipulation of compromised systems.

Implications and Considerations

The implications of this research are significant, illustrating a novel vulnerability within ostensibly secure air-gapped systems that rely on optical and electromagnetic isolation. The paper successfully challenges the assumption that air-gapped networks are impervious to external threats that do not involve physical media transportation or insider complicity.

Furthermore, the invisibility of IR light to human observers enhances the effectiveness of the covert channel, presenting a challenge for detection and mitigation. The use of existing infrastructure — the ubiquitous surveillance cameras already embedded within organizational environments — underscores the practicality and low-cost nature of this adversarial approach.

Practical and Theoretical Implications

Practically, this research necessitates reconsideration of the deployment and functionality settings of surveillance equipment within sensitive environments, as well as the development of countermeasures that do not solely rely on physical security. Theoretically, it extends the discourse on the breadth and scope of covert communication channels, pushing the boundary of what constitutes a secure network perimeter in the presence of smart, adaptable adversaries.
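One defensive check in the spirit of the countermeasures mentioned above, added here as an example and not taken from the paper: night-vision IR LEDs normally change state a couple of times a day, so a camera whose IR state flips many times within seconds stands out. The log line format, camera names, addresses and thresholds below are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed sample: one camera with normal dusk/dawn switching,
    one whose IR LED flips every 50 ms (the 20 bit/sec rate the page cites)."""
    lines = [
        "2017-09-18T18:42:10.000 cam-lobby 10.0.5.20 ir_led=on",
        "2017-09-19T06:05:31.000 cam-lobby 10.0.5.20 ir_led=off",
    ]
    t0 = datetime(2017, 9, 18, 23, 10)
    for i in range(40):
        ts = (t0 + timedelta(milliseconds=50 * i)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} cam-gate 10.0.7.99 ir_led={'on' if i % 2 == 0 else 'off'}")
    return lines

def parse(line):
    # Assumed format: <ISO timestamp> <camera id> <requesting host> ir_led=<on|off>
    ts, cam, src, state = line.split()
    return datetime.fromisoformat(ts), cam, src, state.split("=", 1)[1]

def flag_ir_toggle_bursts(lines, window=timedelta(seconds=10), max_changes=4):
    """Return {camera: (peak state changes in any window, requesting hosts)}
    for cameras whose IR LED changes state more often than max_changes."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, cam, src, state = parse(line)
            events[cam].append((ts, src, state))
    flagged = {}
    for cam, evs in events.items():
        evs.sort()
        recent, peak, last_state, sources = deque(), 0, None, set()
        for ts, src, state in evs:
            if state == last_state:
                continue  # repeated command, the LED did not actually change
            last_state = state
            recent.append(ts)
            sources.add(src)
            while ts - recent[0] > window:
                recent.popleft()  # keep only changes inside the sliding window
            peak = max(peak, len(recent))
        if peak > max_changes:
            flagged[cam] = (peak, sorted(sources))
    return flagged

if __name__ == "__main__":
    print(flag_ir_toggle_bursts(build_sample_log()))
```

The requesting hosts returned for a flagged camera give responders a starting point for finding the machine that issued the IR control commands.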

Future Developments

Future developments could expand on this research by optimizing the modulation and transmission protocols to enhance data rates while maintaining steganographic stealth. There may also be advancements in IR detection algorithms and hardware filters that balance security needs with operational requirements like night vision capabilities. Moreover, the expansion of this methodology to other optical communications technologies or alternative radiation types could yield a broader spectrum of air-gap channel exploitation techniques.

In conclusion, "aIR-Jumper" serves as a compelling addition to the body of knowledge regarding covert data transmission across air-gapped networks, illuminating paths for both enhanced security posture assessments and potential future research into novel covert channels.
