CCTV cameras enslaved to infiltrate air-gap networks

CCTV cameras can be compromised to create a pathway for attackers to infiltrate and steal information from air-gapped networks.

A cybersecurity team from Ben-Gurion University of the Negev, Israel, led by Dr. Mordechai Guri, published research on Tuesday demonstrating the attack.

Air-gapped networks and PCs are isolated from the Internet and physically separated from local networks, so that attackers cannot compromise weak links in a chain to eventually reach these systems, which may be used to process or store valuable, sensitive, and confidential data.

By design, these networks are focused on security and should be difficult to infiltrate. However, the new attack, dubbed aIR-Jumper, uses infrared light to bypass these protections.

According to the research paper, infrared light may be invisible to human senses, but cameras are sensitive to the presence of this kind of light. CCTV cameras are equipped with IR LEDs, used for night vision, and are perfect for the aIR-Jumper technique to exploit.

As such, malware used to compromise surveillance cameras can be used to establish “bi-directional covert communication” between internal corporate networks and remote attackers. The malicious code can also be used to “access the surveillance cameras across the local network and controls the IR illumination” in order to transmit data.

Guri says that the lights can be used to transmit hidden signals to surveillance cameras, including PIN codes, passwords, and encryption keys which are modulated, encoded, and then transferred to attackers.

In two scenarios, the team demonstrated how the lighting systems could be used to connect attackers to a compromised network. In one case, exfiltration — the leak of data — was possible, while in an infiltration attack scenario, data was sent into the network.

“In an infiltration scenario, an attacker standing in a public area (e.g., in the street) uses IR LEDs to transmit hidden signals to the surveillance camera(s),” the paper reads. “Binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals.”

“Our evaluation of the covert channel shows that data can be covertly exfiltrated from an organization at a rate of 20 bit/sec per surveillance camera to a distance of tens of meters away,” the researchers say. “Data can be covertly infiltrated into an organization at a rate of over 100 bit/sec per surveillance camera from a distance of hundreds of meters to kilometers away.”

This is not the first time the team at the university has explored how lighting can be used to infiltrate air-gapped networks. Earlier this year, Dr. Guri described a method to steal information using LED lights found on routers and switches.

The research paper explained that custom malware can extract binary data from LED lighting, alongside encryption keys, passwords, and files.

The team has also created a number of other attacks, such as BitWhisper, which uses thermal currents; GSMem, which uses GSM frequencies to steal information from air-gapped networks; and AirHopper, a technique which uses radio frequencies.
