Leaking (a lot of) Data from Air-Gapped Computers via the (small) Hard Drive LED (LED-it-GO)

Highly secure systems are often ‘air-gapped’, i.e. removed from any internet-connected network, to make it more difficult to illegally or maliciously access them. Attacks in recent years have shown that it is possible, and perhaps not even particularly complex, to get malicious software loaded onto an air-gapped computer (e.g. via a dropped or infected USB drive or a complicit insider). A more difficult task is to remove data from the machine without being noticed. One approach is to repurpose components in the machine to create an ad-hoc network: a system component that radiates energy in some form transmits data to a sensor able to detect variations in that energy, such as system speakers and nearby microphones.

Mordechai Guri, Boris Zadov, Eran Atias and Yuval Elovici of Ben-Gurion University of the Negev in Israel have tested the effectiveness of using the hard disk drive activity LED as a light source to transmit information, with a nearby video camera receiving it. A flickering LED on a computer is not unusual and as such can go unnoticed, allowing data to be exfiltrated via a nearby camera. This means that a CCTV system could be compromised to remove data, an insider could use a mobile phone, or a drone outside the building could capture the data if the computer is visible from a window. The increasing sophistication and near-disposable cost of drones could make this a feasible means of data extraction. This might not seem like the kind of attack that would go unnoticed, but a drone with a zoom lens, or a camera with a very long lens at a fixed position, could observe from an unanticipated distance and angle.

The moral of the story is that air-gapped systems should be isolated with more than just air. To control for data exfiltration by light, secure data centers should not have windows (better for temperature management anyway) and should have access control; CCTV cameras should be placed to identify persons and activity rather than the computers; and the computers' systems should be included in security reviews regardless of whether they are connected to the TCP/IP network.


Guri, M., Zadov, B., Atias, E., & Elovici, Y. (2017). LED-it-GO: Leaking (a lot of) Data from Air-Gapped Computers via the (small) Hard Drive LED. arXiv preprint arXiv:1702.06715.
