Researchers at Ben-Gurion University in Israel have discovered a way to infiltrate an air-gapped computer system through a malware-infected all-in-one printer. It works by flashing visible or infrared light at an open scanner lid. Air-gapping, also known as air walling, secures a computer system by isolating it from unsecured local networks and the internet; it is a widely used defense for highly sensitive information, such as in military environments.
Normally, breaking into an air-gapped computer network would require a hacker to physically access the network and introduce malware using a USB thumb drive. The attacker would still not be able to control the malware remotely because there is no internet.
However, during a keynote speech at the Black Hat Europe conference in Amsterdam, Ahmed Shamir described how a malicious hacker could use a malware-infected all-in-one (AIO) printer to extract data from an air-gapped network using a long-distance laser, a vulnerability he named “Scangate”.
“We developed a new technique called Scangate and we are solving the holy grail of cyber-attacks to get malware into an air-gapped system. It is protected and if you want to send data in and out, we showed that a printer can be the most dangerous of air-gapped components. If you have one, throw it away!” said Shamir.
Shamir, who is a Professor of Applied Mathematics at the Weizmann Institute of Science, alongside researchers Yuval Elovici and Moti Guri, both from Ben-Gurion University, carried out an experiment to find out how to control malware running on an air-gapped system and remotely steal information from the network.
The aim was to subvert the idea of preventing internet-based attacks by using an air-gapped system, and to show that an attacker could use a malware-infected AIO to “issue commands to a malicious programme by flashing visible or infrared light at the scanner lid when open”.
For the tests, the three used an HP Officejet Pro 8500 AIO located in a government building in Beersheba. They found that malware in the printer could read, via the scanner, signals from a blue laser more than a kilometer away.
“If a source of light is pointed repeatedly at the white coating on the inside of the scanner’s lid during scanning, the image will have a series of white lines on darker background[s], which match the light hitting the lid,” said Shamir.
According to Lucian Constantin, a reporter for the PC Advisor newswire, the researchers successfully tested Scangate at ranges of 200, 900 and 1200 meters from the building. A more powerful laser beam could launch an attack from 5 kilometers away.
Technically, the laser broadcasts the equivalent of Morse code, sending binary instructions (zeros and ones) by pulsing at different intervals. “When the laser is operating, you see it as a white line and when it is shut off, you see it as a dark line,” says Shamir. Malware in the printer would analyze and interpret the pattern as instructions. Shamir says hundreds of data bits could be sent in one scan, which is enough to send small commands that initiate several functions.
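A defender's check for the banding described above, as an added example that is not from the researchers or the original article: it flags scans whose rows alternate between several bright and dark bands. The function names, thresholds and sample images are assumptions constructed for illustration.

```python
# Added example: flag scans whose rows alternate between bright and dark bands.
# Names, thresholds and sample images are constructed for illustration.

def row_means(image):
    """Mean brightness (0-255) of each scan row; image is a list of pixel rows."""
    return [sum(row) / len(row) for row in image]

def bright_bands(image, min_contrast=60):
    """Run-length encode rows into (is_bright, row_count) bands.

    Returns [] when the scan is too uniform to contain banding.
    """
    means = row_means(image)
    lo, hi = min(means), max(means)
    if hi - lo < min_contrast:
        return []
    cut = (lo + hi) / 2              # midpoint threshold between dark and bright
    bands = []
    for m in means:
        bright = m > cut
        if bands and bands[-1][0] == bright:
            bands[-1][1] += 1        # same band continues
        else:
            bands.append([bright, 1])
    return [(b, n) for b, n in bands]

def looks_modulated(image, min_bright_bands=4, min_contrast=60):
    """True when the scan shows several separate full-width bright bands."""
    bands = bright_bands(image, min_contrast)
    return sum(1 for bright, _ in bands if bright) >= min_bright_bands

def make_scan(pattern, width=32, rows_per_band=3, dark=40, bright=230):
    """Constructed test image: one band of rows per pattern character."""
    image = []
    for ch in pattern:
        level = bright if ch == "1" else dark
        image.extend([[level] * width for _ in range(rows_per_band)])
    return image

STRIPED = make_scan("1011001010")    # constructed: light pulsed during the scan
UNIFORM = make_scan("0000000000")    # constructed: open lid, no external light
ONE_BLOCK = make_scan("0011100000")  # constructed: a single bright region

if __name__ == "__main__":
    for name, img in [("striped", STRIPED), ("uniform", UNIFORM), ("one block", ONE_BLOCK)]:
        print(name, looks_modulated(img))
```

A real deployment would tune the contrast and band-count thresholds against ordinary scans from the same device.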
Asked whether the attack would be successful when the lid is closed, Shamir said the result would be “less spectacular”, but it is unlikely that people will always close the lid. Furthermore, an attack does not require hitting a specific target on the lid. “You don’t have to hit a particular area of the open lid. You can attack unless you protect the entire office from any incoming light.”
Meanwhile, exfiltration of the data requires the reverse technique, which is more tedious and slow. An attacker would have to decode the flickering light from the scanner. This would require more sophisticated equipment, especially from a long distance. In the experiment, the researchers used a drone hovering 100 meters above the building to record any decodable signal from the scanner.
“Detecting the light generated by the scanner from far away would require very sensitive equipment and if the computer is located in an office on a higher floor, the attacker would have a hard time getting good visibility. This can be solved by using a quad-copter drone to get closer and observing the scanner from a better angle,” Shamir told his audience.
Industry experts have questioned the practicality of Scangate, some dismissing it as a far-fetched theory with limited applications. According to Professor Peter Sommer, a digital forensics security expert, Scangate is among the things that intrigue researchers and make good “demonstrations at geek conferences but have very little practical value.”
Nigel Stanley, a risk and compliance practice director at OpenSky cybersecurity, said Scangate, though a good idea, would be the last tool a hacker would use, after all other methods have failed. “I think this approach shows how creative security researchers have become in recent years, in terms of using technology to bypass existing security layers, and beat the existing human and electronic security systems seen on so-called air-gapped computers,” he explained.