Boffins exfiltrate data by blinking hard drives’ LEDs

That roll of tape you use to cover the Webcam? Better use some of it on your hard-drive LED, because it can be a data exfiltration vector.

Exfiltration experts from Ben-Gurion University of the Negev’s Cyber Security Research Center, who have previously demonstrated techniques like fan modulation, GSM transmissions, and listening to the RF leaking from USB2 transfers, have now created malware that controls hard drive LEDs.

The team, led by veteran exfiltrator Mordechai Guri, flashes the LED at around 5,800 on/off cycles per second as a data channel, good enough for 4 Kbps of transmission.

That performance also depends on what you use as the receiver: it might be a Digital SLR or high-end security camera (15 bps), a GoPro-level camera (up to 120 bps), a Webcam or Google Glass Explorer (also 15 bps), or a smartphone camera (up to 60 bps).

If you can lay hands on a good photodiode sensor – they’re not expensive, the Thorlabs PDA100A they used can be had on eBay for less than US$100 – you’ll get around 4 Kbps.

In the video below, the researchers fitted the detector to a drone, flew it to a window through which the infected disk was visible and started sucking data.

[YouTube video]

Since PCs lack any generic API to control the hard disk LED, the malware from Guri’s team takes the direct approach: a small chunk of code to perform reads and writes to the disk, along with a protocol to tell the receiver what it’s looking for.

Here’s the prize – the algorithm that flashes the HDD lamp.

procedure transmitBits(bits, T0, ReadSize)
    sync();                        // drop cache
    hddDev = open(/dev/sda)
    offset = 0
    offsetIncrement = BLOCK_SIZE;
    seek(hddDev, offset);
    for (b in bits)
        if (b = '0') then
            sleep(T0);
        if (b = '1') then
            seek(hddDev, offset);
            read(hddDev, ReadSize);
        offset += offsetIncrement
    end for
    return;
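A defender-side illustration, added here and not part of the Register article or of the BGU team's code: the transmit loop above leaves a recognisable footprint in a block-level I/O trace. One process issues reads of a fixed ReadSize at strictly increasing offsets, and the gaps between reads are integer multiples of the bit period T0, because a '0' is a sleep(T0) and a '1' is a read in the same slot. The Python below builds a constructed trace (ordinary mixed-size reads from one PID, the transmit pattern for a sample payload from another) and flags the quantized run. The event format, the thresholds and the assumed values T0 = 200 µs and ReadSize = BLOCK_SIZE = 4096 are assumptions, not figures from the paper or any real tracer.

```python
"""Heuristic detector for the disk-read footprint of LED-modulation exfiltration.

Added example, not code from the article or the BGU researchers. Assumes a
per-process read trace (timestamp, pid, offset, size) such as one could derive
from blktrace or strace; the format, thresholds and sample data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ReadEvent:
    ts: float    # seconds since trace start
    pid: int     # process that issued the read
    offset: int  # byte offset on the block device
    size: int    # bytes requested


def bits_of(data: bytes) -> str:
    """MSB-first bit string of a byte sequence, e.g. b'S' -> '01010011'."""
    return "".join(f"{b:08b}" for b in data)


def gaps_are_quantized(gaps: List[float], tol: float = 0.25) -> bool:
    """True if every inter-read gap is close to an integer multiple of the
    smallest positive gap: the signature of on/off keying with period T0."""
    positive = [g for g in gaps if g > 0]
    if not positive:
        return False
    base = min(positive)
    for g in gaps:
        k = round(g / base)
        if k < 1 or abs(g - k * base) > tol * base:
            return False
    return True


def _runs_in(seq, min_run, max_gap, tol):
    """Maximal runs of consecutive reads with identical size, strictly
    increasing offsets and gaps <= max_gap; keep those whose gaps are
    quantized. Returns (first_index, last_index) pairs into seq."""
    runs = []
    i = 0
    while i < len(seq):
        j = i
        while (j + 1 < len(seq)
               and seq[j + 1].size == seq[i].size
               and seq[j + 1].offset > seq[j].offset
               and seq[j + 1].ts - seq[j].ts <= max_gap):
            j += 1
        if j - i + 1 >= min_run:
            gaps = [seq[k + 1].ts - seq[k].ts for k in range(i, j)]
            if gaps_are_quantized(gaps, tol):
                runs.append((i, j))
        i = j + 1
    return runs


def find_modulation_runs(events, min_run=16, max_gap=0.01,
                         tol=0.25) -> Dict[int, List[Tuple[int, int]]]:
    """Group reads by pid, sort by time and report suspicious runs per pid."""
    by_pid: Dict[int, List[ReadEvent]] = {}
    for e in events:
        by_pid.setdefault(e.pid, []).append(e)
    result: Dict[int, List[Tuple[int, int]]] = {}
    for pid, seq in by_pid.items():
        seq.sort(key=lambda e: e.ts)
        runs = _runs_in(seq, min_run, max_gap, tol)
        if runs:
            result[pid] = runs
    return result


def transmit_footprint(data: bytes, pid: int, t0=0.0002, read_size=4096,
                       block_size=4096) -> List[ReadEvent]:
    """Constructed trace of what the transmit loop would issue: '0' -> sleep T0,
    '1' -> read of read_size at offset, offset advancing by block_size per bit.
    T0 = 200 us is an assumed value, not one from the paper."""
    events, t, offset = [], 0.0, 0
    for b in bits_of(data):
        if b == "1":
            events.append(ReadEvent(t, pid, offset, read_size))
        t += t0                     # one bit slot elapses either way
        offset += block_size
    return events


# Constructed sample: ordinary mixed-size reads from pid 1000, and the
# transmit pattern for b"SECRET" (19 one-bits -> 19 reads) from pid 4242.
BENIGN = [ReadEvent(0.003 * i, 1000, (i * 7919 * 4096) % (1 << 30),
                    (4096, 65536, 512)[i % 3]) for i in range(60)]
SAMPLE_TRACE = BENIGN + transmit_footprint(b"SECRET", pid=4242)

if __name__ == "__main__":
    for pid, runs in find_modulation_runs(SAMPLE_TRACE).items():
        for first, last in runs:
            print(f"pid {pid}: {last - first + 1} quantized same-size reads "
                  f"at rising offsets")
```

The per-PID grouping matters: in a raw block trace the transmitter's reads would be interleaved with everyone else's, so the heuristic only works on a trace that attributes each request to its issuing process. The quantization test is what separates this pattern from a plain sequential scan, whose gaps are not locked to a fixed slot period.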


Bootnote: There’s a little bit of life imitating art here: in Neal Stephenson’s Cryptonomicon, the sysadmin protagonist decrypts data on his laptop and outputs the result as Morse code flashed on the laptop’s LEDs.

Source: The Register – Security @ February 22, 2017 at 11:36PM