aIR-Jumper is proof-of-concept malware capable of bypassing air-gapped network security and delivering data out of the networks it targets. It uses the infrared LEDs built into security cameras: the LEDs blink on and off to transmit information, and the recorded blinking is converted back into a data stream.
Researchers at Ben-Gurion University (M. Guri, D. Bykhovsky and Y. Elovici) presented the attack and came up with the findings stated below.
Attackers can use surveillance cameras and their infrared LEDs to create a bi-directional communication channel between an internal network and the attacker.
aIR-Jumper must already have infected the targeted air-gapped network. That network is connected to the surveillance cameras, and the attacker has a line of sight to them. Once installed, the malware can use the camera's application programming interface (API) to adjust the infrared LED settings, either to transmit data or to interpret incoming infrared signals as commands.
Researchers report that “the IR LEDs in surveillance cameras can be controlled by the appropriate API provided by its firmware. In the most basic way, the state of the IR LEDs can be adjusted from within the camera’s Web interface… The user can set the night vision to manual/automatic mode, in order to turn the IR LEDs on and off and set the level of the IR illumination”.
In addition, the malware can be set up to collect sensitive information within the air-gapped network and exfiltrate it through the security camera's infrared LEDs.
Researchers also provide a video demonstration of the data leakage: https://www.youtube.com/watch?v=om5fNqKjj2M
In the video, the attacker controls the camera's infrared LEDs, which flash on and off. The blinking IR LED encodes the data as a sequence of zeroes and ones. To recover the information as readable files, the attacker has to record the blinking lights and decode the recording on playback.
The covert channel shows that information may be secretly stolen from an organization at a rate of 20 bytes per second per surveillance camera.
According to the researchers, sensitive information such as passwords, keylogging data, encryption keys and PIN codes can be exfiltrated from air-gapped networks this way.
Another video demonstration illustrates secret communication via security cameras.
This video shows data sent from a remote attacker into the network, for example command-and-control (C&C) messages delivered to the aIR-Jumper malware residing on the organization's internal network.
The aIR-Jumper work builds on the team's years of research into attacking air-gapped networks. Earlier techniques include xLED, AirHopper, BitWhisper and Fansmitter (optical, electromagnetic, thermal and acoustic channels, respectively).
The researchers state that technical countermeasures might include detecting the presence of aIR-Jumper, which controls the infrared LEDs, on the hosts, or monitoring the camera's activity. “Similarly, detection can be done at the network level, by monitoring the network traffic from hosts in the network to the surveillance cameras”, wrote the researchers.
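The network-level detection the researchers suggest can be approximated by looking for hosts that talk to the cameras unusually often and at unusually regular intervals, which is what repeated LED toggling through the camera API would look like in flow logs. The following is an added example, not code from the article or the paper; the flow records and the camera subnet are constructed for illustration.

```python
# Added example: flag hosts with frequent, regularly timed requests to
# surveillance cameras (constructed flow records; 10.0.9.0/24 is assumed
# to be the camera subnet, which is not something the article specifies).
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp_seconds, src_ip, dst_ip).
# 10.0.5.10 hits a camera at a steady 4 requests/s for ten seconds;
# 10.0.5.20 is a normal viewer making a few irregular requests;
# 10.0.5.30 is busy, but with a non-camera host.
SAMPLE_FLOWS = (
    [(100.0 + 0.25 * i, "10.0.5.10", "10.0.9.7") for i in range(40)]
    + [(100.0 + t, "10.0.5.20", "10.0.9.7") for t in (1.3, 4.9, 5.2, 17.8, 31.0)]
    + [(100.0 + i, "10.0.5.30", "10.0.8.1") for i in range(40)]
)

CAMERA_PREFIX = "10.0.9."  # assumed camera subnet


def camera_request_stats(flows, camera_prefix=CAMERA_PREFIX):
    """Per source host: number of camera requests, request rate, and
    timing regularity (coefficient of variation of inter-request gaps;
    0.0 means perfectly periodic, None if there are too few requests)."""
    by_host = defaultdict(list)
    for ts, src, dst in flows:
        if dst.startswith(camera_prefix):
            by_host[src].append(ts)
    stats = {}
    for host, times in by_host.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        span = times[-1] - times[0]
        rate = len(times) / span if span > 0 else 0.0
        jitter = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None
        stats[host] = {"count": len(times), "rate_per_s": rate, "jitter": jitter}
    return stats


def flag_suspicious_hosts(flows, min_count=20, min_rate=2.0, max_jitter=0.2):
    """Return hosts whose camera traffic is both frequent and regular,
    sorted for stable output. Thresholds are illustrative assumptions."""
    flagged = []
    for host, s in camera_request_stats(flows).items():
        if s["count"] >= min_count and s["rate_per_s"] >= min_rate \
                and s["jitter"] is not None and s["jitter"] <= max_jitter:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_suspicious_hosts(SAMPLE_FLOWS))  # ['10.0.5.10']
```

In practice the thresholds would be tuned against a baseline of legitimate camera management traffic, and the source records would come from NetFlow, proxy or firewall logs rather than an inline list.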