
xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs


Mordechai Guri, Boris Zadov, Andrey Daidakulov, Yuval Elovici
Ben-Gurion University of the Negev
Cyber Security Research Center
gurim@post.bgu.ac.il; borisza@gmail.com; daidakul@post.bgu.ac.il; elovici@bgu.ac.il

Video: https://www.youtube.com/watch?v=mSNt4h7EDKo
Air-gap research page: http://cyber.bgu.ac.il/advanced-cyber/airgap

Abstract. In this paper we show how attackers can covertly leak data (e.g., encryption keys, passwords and files) from highly secure or air-gapped networks via the row of status LEDs that exists in networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), intentionally controlling the status LEDs to carry any type of data ('covert-channel') has never been studied before. A malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors. We provide the technical background on the internal architecture of switches and routers (at both the hardware and software level) which enables this type of attack. We also present amplitude and frequency based modulation and encoding schemas, along with a simple transmission protocol. We implement a prototype of an exfiltration malware and discuss its design and implementation. We evaluate this method with a few routers and different types of LEDs. In addition, we tested various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and also discuss different detection and prevention countermeasures. Our experiment shows that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 10 bit/sec to more than 1 Kbit/sec per LED.

Keywords: exfiltration; air-gap; network; optical; covert-channel

I. INTRODUCTION

The air-gap in network security refers to a situation where the computer network is physically separated from other networks. In particular, air-gapped networks are carefully kept isolated from less secure and public networks such as the Internet. Today, air-gapped networks are widely used in military defense systems, critical infrastructure, the financial sector, and other industries [1] [2]. The air-gap isolation is maintained by enforcing strict policies in the organization. These policies include forbidding external unsecured devices and media from connecting to the network and using advanced intrusion detection and prevention systems to eliminate intentional and accidental security breaches. A publicly known example of an air-gapped network is the Joint Worldwide Intelligence Communications System (JWICS), a top secret classified network (Top Secret/SCI) belonging to the United States' Defense Intelligence Agency [3]. JWICS is used to transmit classified documents between the Department of Defense, Department of State, Department of Homeland Security, and Department of Justice.

A. Breaching air-gapped networks

In the past decade it has been shown that even air-gapped networks are not immune to breaches. In order to penetrate such networks, attackers have used complex attack vectors, such as supply chain attacks, malicious insiders, and social engineering [4]. Using these methods, attackers can penetrate an air-gapped network, while bypassing defense measures including firewalls, antivirus programs, intrusion detection and prevention systems (IDS/IPS), and the like. In 2008, a classified network of the United States military was compromised by a computer worm named Agent.Btz [4]. According to the reports [5], a foreign intelligence agency supplied infected thumb drives to retail kiosks near NATO headquarters in Kabul. The malicious thumb drive was put into a USB port of a laptop computer that was attached to United States Central Command. The worm spread further to both classified and unclassified networks. Stuxnet [6] is another well publicized example of an air-gap breach, and other attacks have also been reported [7] [8] [6] [9] [10].

B. Leaking data through an air-gap

After obtaining a foothold in an air-gapped network, the attacker may, at some point, wish to retrieve information from the compromised network. For example, an attacker may want to leak encryption keys, keylogging information, or specific files, behaviors commonly used in espionage APTs (Advanced Persistent Threats). While infiltrating air-gapped systems has
been shown feasible, the exfiltration of data from systems without Internet connectivity is a challenging task. Over the years, various out-of-band communication channels have been proposed. These communication channels allow attackers to leak data from network-less computers. When such communication is also covert, it is typically referred to as an air-gap covert channel. Air-gap covert channels use various types of radiation emitted from computer hardware components. Exploiting electromagnetic radiation is a type of covert channel that has been studied for at least twenty years. In this method, a malware controls the electromagnetic emission from computer parts, such as LCD screens, communication cables, computer buses, and other hardware peripherals [11] [12] [13] [14] [15]. Leaking data over audible and inaudible sounds [16] [17] and via heat emission [18] has also been studied in recent years.

Leaking data via the hard drive activity LED [19], keyboard LEDs [20], and screen power LEDs [21] was also proposed. In these optical methods, data is modulated over the blinks of LEDs in such a way that it can be received optically by remote cameras. Notably, most of these methods are not considered completely covert, since they can easily be detected by people who notice the anomalous LED blinking.

C. Our contribution

In this paper, we examine the threat of leaking data from air-gapped networks via the row of LEDs that exists in network equipment such as switches and routers¹. The contributions of our research are threefold.

Novel technical discussion. The concept of leaking data by controlling the network equipment LEDs has never been studied before. Although it is known that network equipment emanates optical signals correlated with the information being processed by the device [20], intentionally controlling the status LEDs to modulate and carry data has never been studied before. We introduce two types of attacks: firmware level attacks in which malware is installed within the firmware of a network switch or router, and software level attacks in which the malware controls the LEDs from a compromised computer within the network.

Increased bandwidth. Our measurements show that by using the router status LEDs, malware can exfiltrate data at a rate of more than 1000 bit/sec per LED. We show that the bandwidth can be increased further when multiple LEDs are used. This rate allows the exfiltration of files, keylogging data, and encryption keys relatively quickly.

The successful use of optical sensors. We examine and evaluate the use of optical sensors as part of the attack. Optical sensors are used to measure light levels and can be sampled at very high rates, hence allowing reception of data at a higher bit rate than standard cameras. We discuss the characteristics of optical sensors and the appropriate modulation method for this type of receiver. We also evaluate various types of cameras, including remote cameras, 'extreme' cameras, security cameras, smartphone cameras, and drone cameras.

The remainder of the paper is organized as follows. In Section II we present related work. Section III describes the adversarial attack model. Technical background is provided in Section IV. Data transmission is discussed in Section V and the implementation in Section VI. Section VII presents the evaluation and results. Countermeasures are discussed in Section VIII, and we present our conclusions in Section IX.

II. RELATED WORK

The general topic of covert channels used by malware has been extensively studied for more than twenty years. In order to evade the detection of firewalls and IDS and IPS systems, attackers may hide the leaked data within legitimate Internet traffic. Over the years many protocols have been investigated in the context of covert channels, including TCP/IP, HTTPS, SMTP, VoIP, DNS requests, and more [22]. Other types of covert channels include the timing channel, in which the attacker encodes the data with packet timing [23], and image steganography [24], in which the attacker embeds the data into an existing image. A sub-topic of covert channels focuses on the covert leakage of data from air-gapped computers, where Internet connectivity is not available to the attacker. Air-gap covert channels, which can be categorized as electromagnetic, acoustic, thermal, and optical channels, have been the subject of academic research for the past twenty years.

A. Electromagnetic, acoustic and thermal

In electromagnetic covert channels, the electromagnetic emission generated by various hardware components within the computer is used to carry the leaked information. Kuhn and Anderson [12] presented an attack ('soft-tempest') involving hidden data transmission using electromagnetic waves emanating from a video cable. The emission is produced when crafted images are transmitted to the screen. In 2014, Guri et al. introduced AirHopper [11] [25], a type of malware aimed at bridging the air-gap between computers and a nearby mobile phone by exploiting FM radio signals emanating from the video card. In 2015, Guri et al. presented GSMem [15], a malware that can generate electromagnetic emission at cellular frequencies (GSM, UMTS, and LTE) from the memory bus of a PC. This study showed that data modulated over the emission can be picked up by a rootkit residing in the baseband firmware of a nearby mobile phone. USBee [26], presented in 2016 by Guri et al., used the USB data bus to generate electromagnetic signals and modulate digital data over these signals. Similarly, Funtenna [27] utilized the general GPIO buses of embedded devices to generate electromagnetic signals. Other types of magnetic covert channels are discussed in [28] and [29].

¹ In this paper we refer to networking equipment (LAN switches and routers) as routers.
Table 1. Different types of air-gap covert channels and their bitrate

Method                                                  Bitrate                      Type
AirHopper [11] [25] (graphic card, video cable)         480 bit/sec                  Electromagnetic
GSMem [26] (RAM-CPU bus)                                1 to 1000 bit/sec            Electromagnetic
USBee [27] (USB bus)                                    4800 bit/sec                 Electromagnetic
Funtenna [13] (GPIO)                                    N/A                          Electromagnetic
[17] [16] [30] [32] [39] (speakers)                     <100 bit/sec                 Acoustic
Fan noise (Fansmitter) [33] (computer fans)             0.25 bit/sec                 Acoustic
Hard disk noise (DiskFiltration) [32] (hard disk drive) 3 bit/sec                    Acoustic
BitWhisper [35] (CPU, PC heat sensors)                  1-8 bit/h                    Thermal
Hard drive LED (LED-it-GO) [19]                         15 - 4000 bit/sec            Optical
VisiSploit (invisible pixels)                           <100 bit/sec                 Optical
Keyboard LEDs [20]                                      150 bit/sec                  Optical
Screen LEDs [21]                                        20 bit/sec                   Optical
Implanted infrared LEDs [36]                            15 bit/sec                   Optical
Switches/routers (the current research)                 10 - 1000 bit/sec (per LED)  Optical

Hanspach introduced a method called acoustical mesh networks in air, which enables the transmission of data via high frequency sound waves [16]. They used laptop speakers and microphones for the transmission and reception. The concept of communicating over inaudible sounds has been studied in [30] and was also extended for laptops and mobile phones. In 2016, Guri et al. presented Fansmitter [31] and DiskFiltration [32], two methods enabling exfiltration of data via sound waves, even when the computers are not equipped with speakers or audio hardware. This research shows how to utilize computer fans and hard disk drive actuator arms to generate covert sound signals.

BitWhisper, presented in 2015, exploits the computer's heat emissions and the PC thermal sensors to create a so-called thermal covert channel [33]. This method enabled bidirectional covert communication between two adjacent air-gapped computers.

B. Optical

In 2002, Loughry and Umphress discussed the threat of information leakage from optical emanations [20]. In particular, they showed that LED status indicators on various communication equipment carry a modulated optical signal correlated with information being processed by the device. In Appendix A they presented the threat of using the keyboard LED for data exfiltration and were able to achieve a transmission bit rate of 150 bit/sec for each LED with an unmodified keyboard. In the same way, Sepetnitsky and Guri presented the risks of intentional information leakage through signals sent from the screen power LED [21]. The main drawback of these methods is that they are not completely covert: given that the keyboard and screen LEDs don't typically blink, it is possible for users to detect the communication. Recently, Lopes presented a hardware based approach for leaking data using infrared LEDs maliciously installed on a storage device [34]. By blinking the infrared LEDs, malware can leak sensitive data stored on the device at a speed of 15 bit/sec. Note that their approach requires the attacker to deploy the compromised hardware in the organization. In 2017, Guri et al. presented a method codenamed LED-it-GO [19], which enables data leakage from air-gapped networks via the hard drive indicator LED which exists in almost any PC, server, and laptop today. They showed that a malware can indirectly control the hard drive LED at a rate of 5800 Hz, which exceeds the visual perception capabilities of humans. VisiSploit [35] is an optical covert channel in which data is leaked through a hidden image projected on an LCD screen. With this method, the 'invisible' QR code that is embedded on the computer screen is obtained by a remote camera and is then reconstructed using basic image processing operations. Brasspup [36] demonstrated how to project invisible images on a modified LCD screen. His method is less practical in a real attack model, since it requires physically removing the polarization filter of the targeted LCD screen.

Table 1 summarizes the different types of existing air-gap covert channels and presents their maximum bandwidth and effective distance. Unlike previous work, this study focuses entirely on the network equipment LEDs (switches and routers) as a leaking medium, a threat that has not been studied before. We examine the boundaries of this technique on different types of network equipment and evaluate it with various types of cameras and optical sensors as receivers. With one LED we achieved an exfiltration speed of more than 1000 bit/sec per LED.

III. ADVERSARIAL ATTACK MODEL

As in a typical covert channel, our adversarial attack model consists of a transmitter and a receiver. The transmitter in our case is a network switch or router from which the data is exfiltrated via its LEDs. The receiver is a remote camera or optical sensor which records the LED signals. In the following we briefly discuss the relevant considerations in the context of the attack model.

A. The transmitter

As part of the attack model the attacker must execute malicious code within the targeted router to enable control of the status LEDs. We present two types of attacks that can be used for this purpose: (1) modifying the firmware on a router, and (2) executing a malicious script or shellcode on an unmodified router.

Firmware modification. In this type of attack the adversary has to infect a router with a malicious firmware. This firmware contains additional code to control the LEDs and encode data over them. The infection of a router can be achieved via supply chain attacks, social engineering techniques, or the use of hardware with preinstalled malware [37] [38] [39]. Notably, in recent years there have been several cases in which routers have been infected with malicious code as a part of an attack. In 2014, the Guardian published an article that stated that some network devices were infected by a backdoor before they were delivered to the customer [40].

Remote code execution. In this case, the targeted router doesn't have to be infected with a malicious firmware. Instead, it is controlled remotely (e.g., from a compromised computer within the network) via standard remote management channels such as SSH and telnet or by exploiting certain vulnerabilities in the router. The transmitting code is then uploaded to the router in the form of a shellcode or a shell script. Hijacking routers remotely is a common type of attack that has been demonstrated many times in recent years [38] [41]. Other types of flaws and remote code execution vulnerabilities in routers have been found in the wild [42] [43]. For example, in 2017, Cisco found a new critical zero-day vulnerability that affects more than 300 of its switch models. The vulnerability in the Cisco IOS and Cisco IOS XE software allows remote attackers to remotely execute malicious code on the device and gain root privileges to take full control of the device [44].

B. The receiver

The receiver is a digital camera or optical sensor which has a line of sight with the compromised router's LED panel. There are several types of equipment that can play the role of the receiver in this attack model: (1) a hidden camera that has a line of sight to the transmitting router, (2) a high resolution camera which is located outside the building but positioned so it has a line of sight with the transmitting router, (3) a video surveillance, closed-circuit TV, or IP camera positioned in a location where it has a line of sight with the transmitting computer [45], (4) a malicious insider, also known as the evil maid [46], carrying a smartphone or wearable video camera (e.g., hidden camera [47]) that can position him/herself so as to have a line of sight with the transmitting router, (5) an optical sensor capable of sensing the light emitted from the router LEDs. Such sensors are used extensively in VLC (visible light communication) and LED to LED communication [48]. Notably, optical sensors are capable of sampling LED signals at high rates, enabling data reception at a higher bandwidth than a typical video camera. An example of the air-gap covert channel is provided in Figure 1, in which data is encoded in binary form and covertly transmitted over a stream of LED signals. A hidden video camera films the activity in the room, including the router and LAN switch LEDs. The attacker can then decode the signals and reconstruct the modulated data.

Figure 1. The attack illustration. Data is encoded in binary form and covertly transmitted over a stream of LED signals emitted from a router or LAN switch.

IV. TECHNICAL BACKGROUND

There are different types of network devices and LEDs. A typical network switch includes two LEDs for each LAN port: the link LED and the status/mode LED. The link LED usually indicates that the port is currently enabled and receiving data from a connected network device. The status/mode LED displays various information about the connection such as mode (half/duplex) and speed (100 Mb, 1 GB, etc.). In many types of routers and network switches there are additional custom LEDs for internal fault alerts, fan speed monitoring, and test displays [49]. The most prevalent LED colors in network devices are green and orange, but other colors are also in use [49].

A. Hardware Level

At the hardware level, typical network switches and routers consist of an embedded computer with several network controller interfaces. The network interfaces are connected to the main computation unit (via a system bus), in which the traffic is routed and processed. Switches mainly operate in the
frames of the data link layer (layer 2), and hence consist of less powerful hardware (CPU, RAM, etc.) than those of routers, which operate on packets in the network layer (layer 3). The device LEDs and buttons are controlled via GPIO pins connected to the device's PCB (printed circuit board).

The circuit in Figure 2 is a common driver circuit used for router LEDs. The GPIO ports in the microcontroller are based on an open collector BJT (Bipolar Junction Transistor) transistor. The LEDs are connected to the power supply through the R1 resistor, which limits their maximum forward current. The R and R2 resistors function as a voltage divider and provide the DC working point of the LEDs. The LEDs' blinking speed can reach a couple of MHz. The LED's maximal blinking speed depends on its physical characteristics, the parasitic capacitance, the galvanic connection to the board, and software or hardware limitations at the controller level.

Figure 2. The hardware microcontroller LED driver schematics (three identical stages; labels: V+, Microcontroller, GPIO signal input, R, R1, R2, LED)

B. OS Level

There are various proprietary and open-source operating systems for network devices. For example, the Cisco IOS is a Linux based operating system used on most of Cisco's routers and network switches [50]. The Juniper Network Operating System, Junos OS, is a FreeBSD based operating system that is used in Juniper Networks routers and security devices [51]. Open-source operating systems for network devices include OpenWrt, DD-WRT, and others [52].

C. LED Control

In most Linux based OSs, the GPIOs are exported to user space processes via the GPIO sysfs memory mapped entries. Controlling the status LEDs from user space is fast enough for most application needs, but still has the overhead of invoking system calls and the context switching from user space to kernel space. When faster access is required, the corresponding GPIOs can be controlled from a kernel driver by directly accessing the I/O pins [53]. Note that sometimes the status LED pins are multiplexed such that they are directly controlled by the hardware. In these cases the corresponding GPIOs must be demultiplexed (via a kernel driver) before they can be controlled by software.

V. DATA TRANSMISSION

In this section we discuss the data transmission and describe various modulation methods, along with their implementation details. Note that the topic of visible light communication has been widely studied in the last decade. In particular, various modulations and encoding schemes have been proposed for LED to LED communication [48] [54] [55]. For our purposes, we present basic modulation schemes and describe their characteristics and relevancy to the attack model. As is typical in LED to LED communication, the carrier is the state of the LED, and the basic signal is generated by turning the router LEDs on and off. For convenience, we denote the two states of an LED (on and off) as LED-ON and LED-OFF, respectively.

A. Data modulation

We present four basic modulation schemes: (1) on-off keying (OOK) with a single LED, (2) binary frequency-shift keying (B-FSK) with a single LED, (3) Manchester encoding with a single LED, and (4) amplitude shift keying (ASK) with multiple LEDs.

1) On-Off Keying (OOK) - single LED

On-off keying is the simplest form of the more general amplitude-shift keying (ASK) modulation. The absence of a signal for a certain duration encodes a logical zero ('0'), while its presence for the same duration encodes a logical one ('1'). In our case, LED-OFF for a duration of encodes '0' and LED-ON for a duration encodes '1'. Note that in the simple case = . In its basic form, this scheme uses a single LED to modulate data. The OOK encoding is described in Table 2.

Table 2. On-Off Keying (OOK) modulation

Logical bit   Duration   LED state
0                        LED-OFF
1                        LED-ON

2) Binary Frequency-Shift Keying (B-FSK) - single LED

Frequency-shift keying (FSK) is a modulation scheme in which digital information is modulated through frequency changes in a carrier signal. In binary frequency-shift keying (B-FSK) only two frequencies, usually representing zero and one, are used for the modulation. In our case, LED-ON for a duration of encodes logical '0' and LED-ON for a duration encodes logical '1'. Note that in the simple case = . We separate two sequential bits by setting the LED in the OFF state for a time interval . In its basic form, this scheme uses a single LED to modulate data. The B-FSK encoding is described in Table 3.

Table 3. Binary Frequency-Shift Keying (B-FSK) modulation

Logical bit   Duration   LED state
0                        LED-ON
1                        LED-ON
Interval                 LED-OFF

3) Manchester Encoding - single LED

In Manchester encoding each logical bit is modulated using a transition in the physical signal. The sequence of physical signals '01' (LED-OFF, LED-ON) encodes a logical '0' and the sequence of physical signals '10' (LED-ON, LED-OFF) encodes a logical '1'. Manchester encoding's transfer rate is half that of OOK, since it uses two physical signals for each logical bit. This type of encoding is considered more reliable because of the redundancy of each transmitted bit, and it is heavily used in communication. The Manchester encoding is described in Table 4.

Table 4. Manchester encoding, single LED

Logical bit   Duration   LED states
0                        LED-ON, LED-OFF
1                        LED-OFF, LED-ON

4) Amplitude Shift Keying (ASK) - multiple LEDs

In this scheme we use several LEDs to represent a series of bits. As in the OOK encoding, the absence of a signal for a certain time duration encodes a logical zero ('0') for a specific LED, while its presence for the same time duration encodes a logical one ('1') for a specific LED. In the case of multiple LEDs, all LEDs remain in the same status for a duration of and then change to the next state. This encoding is relevant for cases where several LEDs in the router are available for the transmission (e.g., a case in which some LAN ports are available). We separate two sequences of bits by setting all the LEDs in the OFF state for a time interval . The ASK encoding for a case of eight LEDs is described in Table 5.

Table 5. Amplitude Shift Keying (ASK), multiple LEDs

Logical bits   Duration   OS operation ( = 8)
0x00                      LED1 = OFF, LED2 = OFF, ..., LED = OFF
0x01                      LED1 = ON, LED2 = OFF, ..., LED = OFF
0x02                      LED1 = OFF, LED2 = ON, ..., LED = OFF
...
0xFF                      LED1 = ON, LED2 = ON, ..., LED = ON
Interval                  LED1 = OFF, LED2 = OFF, ..., LED = OFF

B. Bit Framing

The data is transmitted in small packets called frames. Each frame is composed of a preamble, a payload, and a checksum (Table 6).

Table 6. Bit framing

Preamble   Payload   Checksum
8 bit      256 bit   16 bit

The preamble consists of a sequence of eight alternating bits ('10101010') and is used by the receiver to periodically determine the properties of the channel, such as and (or the in the case of multiple LEDs). In addition, the preamble header allows the receiver to identify the beginning of a transmission and calibrate other parameters, such as the intensity and color of the transmitting LED. The payload is the raw data to be transmitted. In our case, we arbitrarily choose 256 bits as the payload size. For error detection, we add a CRC (cyclic redundancy check) value, which is calculated on the payload and added to the end of the frame. The receiver calculates the CRC for the received payload, and if it differs from the received CRC, an error is detected. More efficient bit framing may employ variable length frames, error correction codes, and compression, which are eliminated from our discussion for simplicity.

VI. IMPLEMENTATION

To evaluate the covert channel we implement a transmitter for the OpenWrt operating system [56]. OpenWrt is an open-source Linux based OS, used on embedded devices such as routers, gateways, and handheld devices. It supports many types of routers from a wide range of vendors including Cisco, Linksys, D-Link, and others [57]. Using OpenWrt, we were able to develop the LED control module and test it on different types of hardware. Note that the OpenWrt source code includes many extra features such as advanced routing, firewalling, tunneling, and load balancing.

A. LED Control

In Linux, the hardware LEDs may be accessed from a kernel space driver or a user space process [58]. The kernel space driver can directly access the appropriate GPIO pins in order to turn the LEDs on and off. Such a low-level implementation is device specific and requires compilation of the LED driver for the specific target hardware. The LEDs are also exposed to user space processes through the /sys/class/leds entries. The entry /sys/class is exported by the kernel at run time, exposing the hierarchy of the system abstraction, in order to keep it generic enough to be tested on different hardware. /sys/class/leds/ contains the properties of each LED, such as name and brightness level. Note that most LEDs don't have hardware brightness support, and hence the brightness value represents only two states (ON / OFF). In addition to the /sys/class/leds directory, the kernel may also expose the GPIO interface to user space through sysfs via the /sys/class/gpio/ directory [59].

Algorithm 1 ModulateOOK

1:  procedure ModulateOOK(nLED, data, T)
2:    openLED(nLED); i = 0;        // opens the LED brightness file for writing, starts at the first bit
3:    while (i < length(data))     // iterate over every bit of the data array
4:      if (data[i] == 0)          // modulate 0 by turning the LED off
5:        setLEDOff(nLED);
6:      if (data[i] == 1)          // modulate 1 by turning the LED on
7:        setLEDOn(nLED);
8:      i++;
9:      sleep(T);                  // hold the LED state for the bit duration T
10:   closeLED(nLED);              // closes the LED file descriptor

Algorithm 1 shows the pseudocode for the simplest case of OOK modulation. The ModulateOOK procedure receives the target LED number (nLED) to modulate the data on, an array of data to transmit, and the bit duration (T). The LED's brightness file is opened in line 2. The algorithm iterates over the data array and extracts the current bit. If the bit to transmit is '0' then the LED is turned off for time period T (line 5). If the bit to transmit is '1' the LED is turned on for time period T (line 7). We present the implementation only for the OOK modulation; Manchester encoding, FSK, and ASK with multiple LEDs are omitted for simplicity.

B. Shellscript

We also implemented a version of the transmitter which requires no persistency within the router firmware. In this version, a compromised computer within the network connects to the target router through a standard remote connection such as telnet or SSH, or by exploiting a vulnerability from the network. The attacker then executes the transmitting shellcode or script that controls the router LEDs. Note that this type of malware is not persistent and will not survive a router reset. We used a router with a standard DD-WRT firmware that has a telnet server. After connecting to the router from a computer in the network, we execute a script which controls the LEDs and modulates the data. The basic LED control commands used by our script are shown below.

// Method #1: the LED class device exported by the kernel
// (which value means on and which means off depends on the LED, see Table 8)
// turn the LED on
echo 0 > /sys/class/leds/led_name/brightness
// turn the LED off
echo 255 > /sys/class/leds/led_name/brightness
// Method #2: the GPIO interface
echo 1 > /proc/gpio/X_out // turn the LED on
echo 0 > /proc/gpio/X_out // turn the LED off

Note that we used two different methods to control the LEDs. In the first method the LED directory /sys/class/leds/ exported by the kernel is used, and in the second method the GPIO interface /proc/gpio/ is used. The names of the directory and files may vary between different devices and OSs. Moreover, a router may not expose the LEDs and GPIO interface to the user level (e.g., the appropriate driver has been disabled or removed). In this case, the attacker has to execute a kernel level shellcode which directly controls the GPIOs.

VII. EVALUATION

In this section we evaluate the optical covert channel. Our evaluation focuses on the optical characteristics of router LEDs and the transmission rate. In our experiments we adopt the approach commonly used in visible light communication (VLC), which assumes a line of sight between the light source and the camera [20] [54]. We implemented a prototype of the previously described transmitter on three types of routers that are shown in Table 7. Note that all of them are Wi-Fi routers,

Table 7. The tested routers

#    Router                          # of LEDs
R1   TL-WR841N (TP-LINK)             7 + 1 (the power white LED)
R2   TL-WR941ND (TP-LINK)            8 + 1 (the power yellow LED)
R3   AC1750 or Archer C7 (Archer)    8 + 1 (the power black LED)

For the evaluation we used the Linux DD-WRT and Linux OpenWrt operating systems. A list of the LED control sysfs entries exposed by the kernel and the on/off values of the LEDs are provided in Table 8.

Table 8. The tested routers' OS control

#    Entry                                            On/off values                                      Firmware
R1   /sys/class/leds/<led_name>/brightness            0xFF / 0x00 or 0x00 / 0xFF (depends on the LED)    DD-WRT (version 3.18.48)
R2   /sys/class/leds/generic_<led>/brightness         0xFF / 0x00                                        OpenWrt (version 3.18.23)
R3   /sys/class/leds/tp-link:green:name/brightness    0x00 / 0xFF                                        DD-WRT (version 3.18.48)

A. Camera receivers

There are two types of receivers relevant to the attack model: cameras and light sensors. Receiving the optical signals by a camera depends on the line of sight and visibility of the router LEDs. After receiving the recorded video, the attacker has to process the video in order to detect the location of each transmitting LED. The video is processed frame by frame to identify the LED status (on or off) in each frame. Finally, the binary data is decoded based on the encoding scheme. The main factor in determining the maximum bit rate for video cameras is the number of frames per second (FPS). In our experiments, we identified two to three frames per bit as the optimal setting needed to successfully detect the LED transmissions. Table 9 shows the maximal bit rate when various types of video cameras are used as receivers.

Table 9. Maximum bit rate of different receivers

Tested camera/sensor                          FPS   Max bit rate (per LED)   Eight LEDs
Entry-level DSLR (Nikon D7100)                60    15 bit/sec               120 bit/sec
High-end security camera (Sony SNCEB600)      30    15 bit/sec               120 bit/sec
and hence are not the typical devices installed on air-gapped Extreme camera 60 - 100-120 bit/sec 800-960
networks. However, our goal is to evaluate the characteristics (GoPro Hero5) 240 bit/sec
Webcam (HD) 30 15 bit/sec 120 bit/sec
of router LEDs as a medium for a covert channel, so the type of
router is less relevant.
(Microsoft Figure 4 shows the signals received from R1 when its leftmost
LifeCam) LED is repeatedly turned on and off. The sampling rate in this
Smartphone camera 30 - 15-60 bit/sec 120- test is 500K samples per second. As can be seen, the minimal
(Samsung Galaxy 120 480bit/sec LED-ON time is ~120s. The minimal blinking time (LED-
S6) ON, LED-OFF) is ~700s which implies a bit rate of 1400
Wearable camera 30 15 bit/sec 120
bit/sec in the simplest OOK modulation. During the LED-ON
(Google Glass bit/sec
Explorer Edition) time the sampled amplitude is approximately 14mV, while for
LED-OFF the time is 4mV (generated by the ambient light in
B. Light sensor receivers the room). The blue line is the raw sampled signal, and the red
A photodiode is a semiconductor that converts light into line is the signal smoothed with the Savitzky-Golay filter [63].
electrical current. To evaluate the transmissions at high speeds,
we built a measurement setup based on photodiode light sensors
6.19
(Figure 3). The Thorlabs PDA100A light sensor [60] (Figure
Signal
3,a) is connected to an internal charge amplifier and a data up envelop
acquisition system (Figure 3,b). We also used an optical zoom 6.18 lo envelop

lens to focus the sensing area and reduce the optical noise. The
data is sampled with the National Instruments cDAQ portable 6.17

Sensor amplitude (V)


sensor measurement system [61] via a 16-bit ADC NI-9223
card [62] which is capable of 1M samples per second. The light 6.16

emitted from the transmitting router (Figure 3,c) is sampled by


the sensor and processed by a MATLAB DSP program (Figure 6.15
3,d).
6.14

0.5 1 1.5 2 2.5 3 3.5


Time (msec)
c a b d
Figure 5. Maximal blinking frequency (R2)
Figure 3. The measurement setup with the Thorlabs PDA100A
light sensor and NI-9233 data acquisition hardware
Figure 5 shows the signals received from R2 when its leftmost
LED is repeatedly turned on and off. As can be seen, the
1) Blinking frequency minimal LED-ON time is ~190s. The minimal blinking time
In this experiment we tested the maximum frequency at which (LED-ON, LED-OFF) is ~290s which implies a bit rate of
the router LEDs can blink when controlled from a user space 3450 bit/sec with the simplest OOK modulation. During the
program or shellcode running within the router's OS. The LED-ON time the sampled amplitude is approximately 30mV,
blinking frequency is important, since it defines the maximal while for LED-OFF the time is 6.14V. As can be seen in Figure
speed of the basic signal carried by the LED. 5, the room's backlights are flickering at 500 Hz (the dashed
line).
Raw signal
14 Filtered signal
0.186
12
0.184
Sensor amplitude (mV)

10
0.182
Sensor amplitude (V)

8 0.18

6 0.178

4 0.176

0.174
2

0.172
0
0.17
2-
0.5 1 1.5 2 2.5 3 0.168

Time (msec) 0.166


Figure 4. Maximal blinking frequency (R1) 0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5
Time (msec)
Figure 6. Seven LEDs blinking at maximal frequency (R1)
Figure 6 shows the signals received from R1 when all seven
111
LEDs are repeatedly turned on and off. By using all of the LEDs
Raw signal
together for modulation, we significantly increase the optical Filtered signal
signals emitted from the transmitting router. This method can 0.165
110
be used when the optical signal generated by a single LED is 101
too low for successful reception. As can be seen, with multiple 0.16
100

Sensor amplitude )V(


LEDs the minimal blinking time (LED-ON, LED-OFF) is 011
~240s which implies a bit rate of 4000 bit/sec at the simplest
0.155
OOK modulation. 010

2) Amplitude Modulation 0.15


With a camera receiver it is possible to distinguish between two 001

or more different transmitting LEDs. In this case the bit rate is 0.145
000

derived from the number of LEDs available for modulation.


That is, with LEDs we can generate 2 different signals.
0.14
Unlike camera receivers, light sensors can only measure the
amount of light emitted from the router and not distinguish 0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45

between different LEDs. One straightforward strategy is to use Time (msec)


OOK modulation when 0 is modulated with all of the LEDs in Figure 8. Eight amplitudes modulated by seven LEDs, 300s per
amplitude (R1)
the OFF state, and 1 is modulated with all of the LEDs in the
ON state. Obviously, this type of modulation limits the
transmission rate. We found that under some circumstances it Note that we only distinguish between the numbers of LEDs
is also possible to distinguish between different amounts of turned on, as opposed to their location (e.g., the states 1100000,
light emitted when using different number of LEDs, even with 0110000, and 0011000 represent the same amplitude). As can
a light sensor. Consequentially, we are able to increase the bit be seen in Figure 8, we can distinguish between eight different
rate by modulating multiple bits with several LEDs (using ASK levels, when each amplitude level is modulated over 300s.
modulation) when a light sensor is used for reception. Under This implies a rate of ~3.3K levels per second or 10000 bit/sec.
optimal conditions different amplitudes can modulate In Figure 8 the blue line is the raw sampled signal, and the red
2 () values. line is the signal smoothed with the Savitzky-Golay filter [63].

Figure 7 and Figure 8 shows eight amplitude levels as measured 3) Transmission


from R1 when all seven LEDs are in use. We employ eight
different states, starting with all seven LEDs in the off state and 1s 1s 1s 1s 1s 1s 1s 1s 1s
0.078
sequentially turning the LEDs on until all of the LEDs are on
0.076
(0000000, 1000000, 1100000 1111111).
0s 0s 0s 0s 0s 0s 0s 0s 0s 0s
0.074
Sensor amplitude )V(

0.072
7 LEDs
0.255 0.07
6 LEDs

0.068
0.25 5 LEDs

0.066
4 LEDs
Sensor amplitude (V)

0.245
0.064
3 LEDs
0.24 0.062
2 LEDs
1 LED 0.06
0.235
0 LEDs
4 6 8 10 12 14
0.23
Time (msec)
0.225
Figure 9. OOK modulation with one LED (R2)

0.22 Figure 9 shows the measurements in which 32 bits


200 400 600 800 1000 1200
(010110111011100100111011011010) are transmitted
Time (msec)
Figure 7. Eight amplitudes modualted by seven LEDs, 10ms per from R2 using the OOK modulation via a single LED. The 32
amplitude (R1) bits were transmitted in 9ms which implies a bit rate of 3555
bit/sec. The bit error rate (BER) measured in this case was under
5%.
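The receiver processing described in this section (slicing the sampled trace into symbols, thresholding each symbol's amplitude, mapping levels back to bits and measuring the BER), written out as an added Python example that is not the paper's MATLAB program. The photodiode traces, the mV levels and the "xLED" payload are constructed, and the level grid is anchored on the lowest and highest symbol means, an assumption a real receiver would replace with a known preamble.

```python
"""Receiver-side decoding of the LED covert channel (added example, not the
paper's MATLAB program). A sampled photodiode trace is sliced into symbols
of known duration, each symbol's mean amplitude is quantized to one of
n_levels, and the levels are mapped to bits: two levels is the OOK scheme
of Figure 9, eight levels the seven-LED ASK scheme of Figure 8 (the number
of lit LEDs sets the amplitude, so each 300 us symbol carries 3 bits).
All traces and mV values here are constructed, not measured."""
import random
from statistics import mean

SAMPLE_RATE = 500_000  # samples per second, as in the R1 measurements


def trace_to_levels(samples, symbol_time, sample_rate, n_levels):
    """Quantize each symbol's mean amplitude to a level in 0..n_levels-1.
    Assumes the trace holds at least one all-off and one all-on symbol so the
    lowest and highest symbol means anchor the level grid (a real receiver
    would calibrate on a known preamble instead)."""
    per_symbol = max(1, round(symbol_time * sample_rate))
    n_symbols = len(samples) // per_symbol
    means = [mean(samples[i * per_symbol:(i + 1) * per_symbol])
             for i in range(n_symbols)]
    lo, hi = min(means), max(means)
    if hi == lo:                    # flat trace: nothing is being modulated
        return [0] * n_symbols
    step = (hi - lo) / (n_levels - 1)
    return [min(n_levels - 1, round((m - lo) / step)) for m in means]


def levels_to_bits(levels, bits_per_symbol):
    """Expand each level into bits_per_symbol bits, most significant first."""
    return [(lvl >> (bits_per_symbol - 1 - b)) & 1
            for lvl in levels for b in range(bits_per_symbol)]


def bit_rate(symbol_time, bits_per_symbol):
    """Bits per second for one symbol duration (300 us, 3 bits -> 10000)."""
    return bits_per_symbol / symbol_time


def bit_error_rate(sent, received):
    """Fraction of differing bit positions; a length mismatch counts as errors."""
    errors = sum(a != b for a, b in zip(sent, received))
    return (errors + abs(len(sent) - len(received))) / max(len(sent), 1)


def constructed_trace(levels, n_levels, symbol_time, sample_rate,
                      off_mv=4.0, on_mv=14.0, noise_mv=0.8, seed=7):
    """Photodiode-like trace in mV: ambient floor at level 0, on_mv at the top
    level, equal steps in between, plus Gaussian sensor noise."""
    rng = random.Random(seed)
    per_symbol = round(symbol_time * sample_rate)
    step = (on_mv - off_mv) / (n_levels - 1)
    return [off_mv + lvl * step + rng.gauss(0, noise_mv)
            for lvl in levels for _ in range(per_symbol)]


def decode_trace(samples, symbol_time, sample_rate, bits_per_symbol):
    """Full receiver path: trace -> levels -> bits."""
    levels = trace_to_levels(samples, symbol_time, sample_rate, 2 ** bits_per_symbol)
    return levels_to_bits(levels, bits_per_symbol)


def demo():
    """OOK: the 32 bits of b'xLED' at 280 us per bit (about Figure 9's 32 bits
    in 9 ms); ASK: ten 300 us symbols, i.e. 0..7 LEDs lit, carrying 30 bits."""
    ook_bits = [int(c) for byte in b"xLED" for c in format(byte, "08b")]
    ook_rx = decode_trace(constructed_trace(ook_bits, 2, 280e-6, SAMPLE_RATE),
                          280e-6, SAMPLE_RATE, 1)
    ask_levels = [5, 7, 0, 3, 4, 6, 2, 5, 1, 7]          # lit-LED counts
    ask_rx = decode_trace(constructed_trace(ask_levels, 8, 300e-6, SAMPLE_RATE),
                          300e-6, SAMPLE_RATE, 3)
    return {"ook_ber": bit_error_rate(ook_bits, ook_rx),
            "ook_rate": bit_rate(280e-6, 1),
            "ask_ber": bit_error_rate(levels_to_bits(ask_levels, 3), ask_rx),
            "ask_rate": bit_rate(300e-6, 3)}
```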
[Figure 10. ASK modulation (R2, two LEDs): sensor amplitude (V) vs. time (msec), with the three amplitude levels L0, L1 and L2 marked]

Figure 10 shows the measurements in which 32 bits (010110111011100100111011011010) are transmitted from R2 using ASK modulation via two LEDs. The 32 bits were transmitted in 9ms, which implies a bit rate of 3555 bit/sec. Note that the 32 bits are encoded with three amplitude levels (L0, L1, and L2). The BER measured in this case was again under 5%.

VIII. COUNTERMEASURES
Prevention and detection are the two main types of countermeasures targeted at emanation based data leakage.

Prevention. Common countermeasures may include policies aimed at restricting access to network equipment by placing it in classified rooms where only authorized staff may enter. Typically, all types of cameras are banned from such secured rooms. The NATO TEMPEST standards such as NATO SDIP-27 (levels A/B/C) and SDIP-28 define classified zones which refer to the perimeter needed to prevent accidental or intentional leakage of signals [64] [65] [66] [67]. In these areas, the presence of surveillance cameras may serve as a deterrence measure. However, as mentioned previously in the attack model, the surveillance camera itself may be compromised by malware [68] [45]. A less elegant countermeasure against LED attacks is to cover the status LEDs with black tape to physically block the optical emanation [20]. Covering the switch and router LEDs may affect the user experience, for example, when testing the device or checking its functionality. Device and cable shielding is another common countermeasure recommended by the NATO standards to address other types of TEMPEST attacks, particularly electromagnetic TEMPEST attacks. A special window film that prevents optical eavesdropping may be installed [69]; note that this type of countermeasure doesn't protect against insider attacks or cameras located within the building. Another approach is to interrupt the emitted signals by intentionally invoking random LED blinking. In this way, the optical signal generated by the malicious code will get mixed up with random noise. Implementing such a noise generator within an embedded device requires the involvement of OEMs and may also affect the usability of the LEDs.

Detection. Technological countermeasures may include the detection of the presence of malware that triggers the router status LEDs. Mitigating firmware level attacks involves detecting (statically or dynamically) whether the firmware of a router has been compromised. Although the detection of firmware attacks has been studied in recent years [70], most solutions focus on detecting the attack in the network traffic. Detecting already compromised firmware installed within an embedded device such as a switch or router is still a challenging task [71]. The comparison of the device firmware with a clean image to identify malicious changes has been proposed [72]; however, extracting the device firmware is not always possible. More recently, Guri et al. proposed using the device's JTAG debugging interface to extract the memory for security purposes [71]. Such a method is considered invasive and involves opening the device for physical forensic investigation, and hence it is not a practical, scalable solution. Addressing a software level attack in which the network device is compromised via a computer within the network is possible using conventional intrusion detection and prevention techniques. This type of signature and behavior based defense has been shown to be limited in detecting zero-day and advanced attacks [73]. Another possible countermeasure is monitoring the router LEDs in order to detect covert signaling patterns. Again, practical implementation would be difficult, because most network device LEDs routinely blink due to frequent traffic activity. Consequently, this kind of external monitoring solution would likely suffer from a high rate of false alarms.

The countermeasures are summarized in Table 10.

Table 10. List of countermeasures
Type | Countermeasure | Limitations
Prevention | Zoning, camera banning, and area restriction | Insider threats (e.g., cameras in the building and insiders)
Prevention | LED covering | Degradation of functionality and user experience
Prevention | Window shielding | High price
Prevention | Signal jamming | Requires OEM intervention, degradation of user experience
Detection | LED activity monitoring (external camera) | Price, false alarms
Detection | Firmware forensic extraction and investigation (e.g., JTAG) | Technical challenges (e.g., extracting the device image), invasive operation
Detection | Malicious traffic detection (software attack) | Limited detection rate (e.g., zero-day and advanced attacks)
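The LED activity monitoring countermeasure and its false-alarm problem, as an added example that is not from the paper: a Python monitor that flags an LED whose dwell times all sit on one base period while it toggles at a high rate, run over constructed transition logs (a modulated pattern, bursty traffic blinking, and steady periodic traffic, which trips the monitor exactly as the text predicts). The candidate periods and thresholds are assumptions.

```python
"""LED-activity monitor (added example, not from the paper). It takes the
timestamped on/off transitions of one status LED, as an external camera or
photodiode monitor would record them, and flags the LED when its dwell times
all lie near integer multiples of one base period T (what OOK or Manchester
signalling with bit time T produces) and the transition rate is high. The
inputs are constructed: a modulated pattern (hit), bursty traffic blinking
(miss) and steady periodic traffic, which triggers the false alarm that
Section VIII warns about. Candidate periods and thresholds are assumptions."""
import random

CANDIDATE_PERIODS = [100e-6, 200e-6, 290e-6, 500e-6, 1e-3, 2e-3]  # seconds


def dwell_times(transitions):
    """transitions: sorted list of (time_s, state) with state 0 or 1.
    Returns how long the LED stayed in each state before the next change."""
    return [t1 - t0 for (t0, _), (t1, _) in zip(transitions, transitions[1:])]


def period_misfit(dwells, period):
    """Mean distance of each dwell time from its nearest multiple of period, in
    units of the period: 0 means perfectly clocked, about 0.25 means unrelated."""
    return sum(abs(d - max(1, round(d / period)) * period) / period
               for d in dwells) / len(dwells)


def analyse(transitions, candidates=CANDIDATE_PERIODS, max_misfit=0.1,
            min_rate=100.0, min_transitions=8):
    """Verdict for one LED: suspicious when some candidate period fits the dwell
    times well and the LED toggles at least min_rate times per second."""
    dwells = dwell_times(transitions)
    if len(dwells) < min_transitions:
        return {"suspicious": False, "reason": "too few transitions"}
    rate = len(dwells) / (transitions[-1][0] - transitions[0][0])
    period = min(candidates, key=lambda p: period_misfit(dwells, p))
    misfit = period_misfit(dwells, period)
    return {"suspicious": misfit <= max_misfit and rate >= min_rate,
            "period": period, "misfit": misfit, "rate": rate}


# Constructed transition logs -------------------------------------------------

def ook_transitions(bits, bit_time, jitter=0.01, seed=1):
    """What an OOK transmitter produces: the LED follows each bit for bit_time,
    with a little timing jitter such as a camera's frame clock would add."""
    rng = random.Random(seed)
    t, state, out = 0.0, bits[0], [(0.0, bits[0])]
    for b in bits:
        if b != state:
            out.append((t, b))
            state = b
        t += bit_time * (1 + rng.uniform(-jitter, jitter))
    return out


def bursty_traffic_transitions(n, mean_dwell, seed=2):
    """Irregular blinking driven by traffic: exponentially distributed dwells."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for i in range(n):
        out.append((t, i % 2))
        t += rng.expovariate(1 / mean_dwell)
    return out


def periodic_traffic_transitions(n, dwell):
    """Steady traffic that toggles the LED at a fixed interval."""
    return [(i * dwell, i % 2) for i in range(n)]


def demo():
    payload = [int(c) for byte in b"xLED" * 3 for c in format(byte, "08b")]
    return {"modulated": analyse(ook_transitions(payload, 290e-6)),
            "bursty_traffic": analyse(bursty_traffic_transitions(150, 5e-3)),
            "periodic_traffic": analyse(periodic_traffic_transitions(150, 2e-3))}
```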
IX. CONCLUSION
Network devices (e.g., LAN switches and routers) typically include activity and status LEDs in various sizes and colors. Such LEDs are used for monitoring the traffic activity, providing alerts in cases of hardware or software failure, testing the device, and so on. We show that these LEDs can be controlled by malicious code which runs on the device. In a typical attack model, data such as files, encryption keys, and keylogging data is encoded and modulated over the LEDs' blinking patterns. An attacker with a remote camera or optical sensor with a line of sight to the transmitting equipment can receive the data and decode it back into binary information. We examine the internal architecture of network switches and routers at the hardware and software level and show how their LEDs can be controlled programmatically by accessing the corresponding GPIO controls. We developed a prototype of the transmitter using open-source firmware (OpenWRT and DD-WRT) and tested it on three different home routers. We investigate the covert channel with different types of receivers, including digital cameras and optical sensors. We also discuss different detection and prevention countermeasures. Our research shows that data can be exfiltrated from an air-gapped network via switch and router LEDs at a bit rate of tens to thousands of bits per second per LED, depending on the type of receiver and the number of LEDs in use.

X. BIBLIOGRAPHY

[1] Federation of American Scientists, [Online]. Available: http://fas.org/irp/program/disseminate/jwics.htm.
[2] McAfee, "Defending Critical Infrastructure Without Air Gaps And Stopgap Security," [Online]. Available: https://blogs.mcafee.com/executive-perspectives/defending-critical-infrastructure-without-air-gaps-stopgap-security/.
[3] [Online]. Available: https://en.wikipedia.org/wiki/Joint_Worldwide_Intelligence_Communications_System.
[4] [Online]. Available: http://www.newyorker.com/magazine/2017/03/06/trump-putin-and-the-new-cold-war.
[5] [Online]. Available: https://en.wikipedia.org/wiki/2008_cyberattack_on_United_States.
[6] S. Karnouskos, "Stuxnet worm impact on industrial cyber-physical system security," in IECON 2011-37th Annual Conference on IEEE Industrial Electronics Society, 2011.
[7] B. Knowlton, "Military Computer Attack Confirmed," 2010. [Online]. Available: http://www.nytimes.com/2010/08/26/technology/26cyber.html?_r=2&adxnnl=1&ref=technology&adxnnlx=1423562532-hJL+Kot1FP3OEURLF9hjDw.
[8] D. Goodin, "How omnipotent hackers tied to NSA hid for 14 years and were found at last," ars technica, 2015.
[9] ICS-CERT, "malware infections in the control environment," 2012.
[10] S. Stasiukonis, "social-engineering-the-usb-way," 2006. [Online]. Available: http://www.darkreading.com/attacks-breaches/social-engineering-the-usb-way/d/d-id/1128081?.
[11] G. Mordechai, G. Kedma, A. Kachlon and Y. Elovici, "AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies," in Malicious and Unwanted Software: The Americas (MALWARE), 2014 9th International Conference on, IEEE, 2014, pp. 58-67.
[12] M. G. Kuhn and R. J. Anderson, "Soft Tempest: Hidden data transmission using electromagnetic emanations," in Information hiding, Springer-Verlag, 1998, pp. 124-142.
[13] M. G. Kuhn, "Compromising emanations: Eavesdropping risks of computer displays," University of Cambridge, Computer Laboratory, 2003.
[14] M. Vuagnoux and S. Pasini, "Compromising Electromagnetic Emanations of Wired and Wireless Keyboards," in USENIX security symposium, 2009.
[15] M. Guri, A. Kachlon, O. Hasson, G. Kedma, Y. Mirsky and Y. Elovici, "GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies," in 24th USENIX Security Symposium (USENIX Security 15), Washington, D.C., 2015.
[16] M. Hanspach and M. Goetz, "On Covert Acoustical Mesh Networks in Air," Journal of Communications, vol. 8, 2013.
[17] T. Halevi and N. Saxena, "A closer look at keyboard acoustic emanations: random passwords, typing styles and decoding techniques," in ACM Symposium on Information, Computer and Communications Security, 2012.
[18] M. Guri, M. Monitz, Y. Mirski and Y. Elovici, "BitWhisper: Covert Signaling Channel between Air-Gapped Computers using Thermal Manipulations," in Computer Security Foundations Symposium (CSF), 2015 IEEE 28th, 2015.
[19] M. Guri, B. Zadov, E. Atias and Y. Elovici, "LED-it-GO: Leaking (a lot of) Data from Air-Gapped Computers via the (small) Hard Drive LED," arXiv:1702.06715 [cs.CR].
[20] J. Loughry and A. D. Umphress, "Information leakage from optical emanations," ACM Transactions on Information and System Security (TISSEC), vol. 5, no. 3, pp. 262-289, 2002.
[21] V. Sepetnitsky, M. Guri and Y. Elovici, "Exfiltration of Information from Air-Gapped Machines Using Monitor's LED Indicator," in Joint Intelligence & Security Informatics Conference (JISIC-2014), 2014.
[22] S. Zander, G. Armitage and P. Branch, "A survey of covert channels and countermeasures in computer network protocols," IEEE Communications Surveys & Tutorials, vol. 9, no. 3, pp. 44-57, 2007.
[23] S. Cabuk, C. E. Brodley and C. Shields, "IP covert timing channels: design and detection," in Proceedings of the 11th ACM conference on Computer and communications security, 2004.
[24] A. Cheddad, J. Condell, K. Curran and P. M. Kevitt, "Digital image steganography: Survey and analysis of current methods," Signal Processing, vol. 90, no. 3, pp. 727-752, 2010.
[25] M. Guri, M. Monitz and Y. Elovici, "Bridging the Air Gap between Isolated Networks and Mobile Phones in a Practical Cyber-Attack," ACM Transactions on Intelligent Systems and Technology (TIST), vol. 8, no. 4, 2017.
[26] M. Guri, M. Monitz and Y. Elovici, "USBee: Air-Gap Covert-Channel via Electromagnetic Emission from USB," arXiv:1608.08397 [cs.CR].
[27] funtenna. [Online]. Available: https://github.com/funtenna.
[28] N. Matyunin, J. Szefer, S. Biedermann and S. Katzenbeisser, "Covert channels using mobile device's magnetic field sensors," in 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC), 2016.
[29] V. Calmette, V. Stéphane, E. Filiol and G. L. Bouter, "Passive and Active Leakage of Secret Data from Non Networked Computer," in Black-Hat 2008, 2008.
[30] E. Lee, H. Kim and J. W. Yoon, "Attack, Various Threat Models to Circumvent Air-Gapped Systems for Preventing Network," Information Security Applications, vol. 9503, pp. 187-199, 2015.
[31] M. Guri, Y. Solewicz, A. Daidakulov and Y. Elovici, "Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers," arXiv:1606.05915, 2016.
[32] M. Guri, Y. Solewicz, A. Daidakulov and Y. Elovici, "DiskFiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise," arXiv:1608.03431, 2016.
[33] M. Guri, G. Kedma, A. Kachlon and Y. Elovici, "AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones using Radio Frequencies," in 9th IEEE International Conference on Malicious and Unwanted Software (MALCON 2014), Fajardo, Puerto Rico, 2014.
[34] A. C. Lopes and D. F. Aranha, "Platform-agnostic low-intrusion optical data exfiltration," in 3rd International Conference on Information Systems Security and Privacy (ICISSP 2017), Porto, 2016.
[35] M. Guri, O. Hasson, G. Kedma and Y. Elovici, "An optical covert-channel to leak data through an air-gap," in 14th Annual Conference on Privacy, Security and Trust (PST), 2016.
[36] S. Griffith, "How to make a computer screen INVISIBLE," dailymail, [Online]. Available: http://www.dailymail.co.uk/sciencetech/article-2480089/How-make-screen-INVISIBLE-Scientist-shows-make-monitor-blank-using-3D-glasses.html.
[37] A. Gostev, "Agent.btz: a Source of Inspiration?," SecureList, [Online]. Available: http://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/.
[38] Kaspersky Labs' Global Research & Analysis Team, "A Fanny Equation: "I am your father, Stuxnet"," [Online]. Available: https://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/.
[39] D. Goodin, "Meet badBIOS, the mysterious Mac and PC malware that jumps airgaps," ars technica, [Online]. Available: http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/.
[40] www.theguardian.com, "Glenn Greenwald: how the NSA tampers with US-made internet routers," [Online]. Available: https://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden.
[41] M. Horowitz, "Router Bugs Flaws Hacks and Vulnerabilities," [Online]. Available: http://routersecurity.org/bugs.php.
[42] Cisco Security Advisory, "Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability," 2017. [Online]. Available: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp.
[43] "Multiple Netgear routers are vulnerable to arbitrary command injection," [Online]. Available: https://www.kb.cert.org/vuls/id/582384.
[44] [Online]. Available: http://thehackernews.com/2017/03/cisco-network-switch-exploit.html.
[45] A. Costin, "Security of CCTV and Video Surveillance Systems: Threats, Vulnerabilities, Attacks, and Mitigations," in TrustED '16 Proceedings of the 6th International Workshop on Trustworthy Embedded Devices, New York, 2016.
[46] TechTarget, "evil maid attack," [Online]. Available: http://searchsecurity.techtarget.com/definition/evil-maid-attack.
[47] TripWire, Irfhan Khimji, "The Malicious Insider," [Online]. Available: http://www.tripwire.com/state-of-security/security-awareness/the-malicious-insider/.
[48] S. Schmid, G. Corbellini, S. Mangold and T. R. Gross, "An LED-to-LED Visible Light Communication System with Software-Based Synchronization," [Online]. Available: http://www.bu.edu/smartlighting/files/2012/10/Schmid_.pdf.
[49] [Online]. Available: http://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04434575&sp4ts.oid=7268889.
[50] [Online]. Available: https://en.wikipedia.org/wiki/Cisco_IOS.
[51] [Online]. Available: https://en.wikipedia.org/wiki/Junos_OS.
[52] [Online]. Available: https://en.wikipedia.org/wiki/List_of_router_and_firewall_distributions.
[53] [Online]. Available: http://derekmolloy.ie/kernel-gpio-programming-buttons-and-leds/.
[54] D. Giustiniano, N. O. Tippenhauer and S. Mangold, "Low-complexity Visible Light Networking with LED-to-LED communication," in Wireless Days (WD), 2012 IFIP, 2012.
[55] phys.org, "Siemens Sets New Record for Wireless Data Transfer using White LEDs," [Online]. Available: https://phys.org/news/2010-01-siemens-wireless-white.html.
[56] [Online]. Available: https://openwrt.org/.
[57] [Online]. Available: https://wiki.openwrt.org/toh/views/toh_extended_all.
[58] "LED handling under Linux," [Online]. Available: https://www.kernel.org/doc/Documentation/leds/leds-class.txt.
[59] "GPIO Sysfs Interface for Userspace," [Online]. Available: https://www.kernel.org/doc/Documentation/gpio/sysfs.txt.
[60] [Online]. Available: https://www.thorlabs.com/thorproduct.cfm?partnumber=PDA100A.
[61] [Online]. Available: http://www.ni.com/en-il/support/model.cdaq-9174.html.
[62] [Online]. Available: http://sine.ni.com/nips/cds/view/p/lang/en/nid/209139.
[63] R. W. Schafer, "What Is a Savitzky-Golay Filter?," IEEE Signal Processing Magazine, 2011.
[64] [Online]. Available: http://sst.ws/tempest_standards.php.
[65] J. McNamara, "The Complete, Unofficial TEMPEST Information Page," 1999. [Online]. Available: http://www.jammed.com/~jwa/tempest.html.
[66] United States Air Force (USAF), "AFSSI 7700: Communications and information emission security," Secretary of the Air Force, 2007.
[67] R. J. Anderson, "Emission security," in Security Engineering, 2nd Edition, Wiley Publishing, Inc., 2008, pp. 523-546.
[68] ZDNet, "Surveillance cameras sold on Amazon infected with malware," Apr 2016. [Online]. Available: http://www.zdnet.com/article/amazon-surveillance-cameras-infected-with-malware/. [Accessed Jan 2017].
[69] [Online]. Available: https://www.signalsdefense.com/products.
[70] A. Costin, A. Zarras and A. Francillon, "Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces," in ACM Asia Conference on Computer and Communications Security, 2015/2016.
[71] M. Guri, Y. Poliak, B. Shapira and Y. Elovici, "JoKER: Trusted Detection of Kernel Rootkits in Android Devices via JTAG Interface," in Trustcom/BigDataSE/ISPA, 2015 IEEE, 2015.
[72] A. Costin, J. Zaddach, A. Francillon, D. Balzarotti and S. Antipolis, "A Large Scale Analysis of the Security of Embedded Firmwares," in USENIX Security Symposium, 2014.
[73] G. Hoglund and J. Butler, Rootkits: Subverting the Windows Kernel, Addison-Wesley, 2006.
[74] S. J. O'Malley and K.-K. R. Choo, "Bridging the Air Gap: Inaudible Data Exfiltration by Insiders," in Americas Conference on Information Systems, 2014.
[75] L. Deshotels, "Inaudible Sound as a Covert Channel in Mobile Devices," in USENIX Workshop for Offensive Technologies, 2014.
[76] M. Hanspach and M. Goetz, "On Covert Acoustical Mesh Networks in Air," arXiv preprint arXiv:1406.1213, 2014.