Scientists from two Israeli universities have come up with a way to use flatbed scanners as relay points for sending commands to malware installed on an air-gapped computer. Further research revealed that the scanner could also be used to relay stolen data to a nearby attacker.
The technique they came up with revolves around the idea that a beam of light hitting the scanner's sensor can be interpreted as a binary 1, and the absence of light as a binary 0.
For this technique to work, two conditions must be met. First, the flatbed scanner lid must be left open in an upright position so an attacker can aim light beams at its sensors.
Second, an attacker must find a way to install malware on the air-gapped system. The malware installed on the infected PC must also be programmed to start a scan at a specific date and time. Only this initial scan needs to be carefully planned and executed, as subsequent scans can be scheduled during this first attack.
The attack itself can be carried out in different ways, depending on the air-gapped system setup and the attacker's creativity. Researchers experimented with different setups during their tests.
For example, in one attack they used a laser pointer mounted on a drone to send commands to the scanner. This attack worked at 15 meters (50 feet) from the scanner, but the researchers say an attacker could mount a more powerful laser on a fixed stand and increase the attack distance to 900 meters (0.56 miles).
Similarly, the scientists hacked a smart lightbulb installed in the same room as the air-gapped PC and made it pulsate in a controlled manner that relayed commands to the scanner, and through it to the attached air-gapped PC.
One of the scientists involved in this research previously developed an IoT worm that used smart lightbulbs to propagate and could be used to plunge communities into city-wide blackouts.
This type of attack is also stealthy, the researchers found. For example, ordinary flatbed scanners can pick up changes of 5% in the lightbulb's intensity, which are barely perceptible to the human eye.
During their tests, the researchers sent various commands to the PC, such as "d x.pdf" (delete file x.pdf) and "en q" (encrypt folder q). Relaying such commands took between 50 and 100 milliseconds.
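To make the channel concrete, here is a small model of the light-to-bits scheme the article describes: light on means 1, light off means 0, at the 5% intensity swing the scanner can register. This is an added example, not code from the researchers' paper. It assumes things the article does not state: brightness on a 0..255 scale, one bit per scanner sample, an 8-bit sync preamble at the start of each frame, and a receiver that slices at the frame's mean brightness. Sensor noise is simulated so that the thin margin of a 5% swing is visible; that margin is why the open lid and a clean line of sight matter, and why a closed lid or changing ambient light defeats the channel.

```python
# Added example: model of the article's light-to-bits covert channel.
# Not code from the researchers' paper. Assumed (not stated in the article):
# brightness is on a 0..255 scale, one bit per scanner sample, an 8-bit
# preamble marks the frame start, and the receiver thresholds at the mean.
import random
from typing import List, Optional

BASE_LEVEL = 200.0        # constructed ambient brightness of the open-lid scene
MODULATION_DEPTH = 0.05   # the 5% swing the article says a scanner can pick up
PREAMBLE = "10101010"     # assumed sync pattern, not from the article


def text_to_bits(text: str) -> str:
    """ASCII string -> bit string, 8 bits per character."""
    return "".join(f"{b:08b}" for b in text.encode("ascii"))


def bits_to_text(bits: str) -> str:
    """Bit string -> ASCII; a trailing partial byte, if any, is dropped."""
    usable = len(bits) - len(bits) % 8
    chunks = [bits[i:i + 8] for i in range(0, usable, 8)]
    return bytes(int(c, 2) for c in chunks).decode("ascii", errors="replace")


def encode_light_samples(command: str, depth: float = MODULATION_DEPTH,
                         noise_sigma: float = 0.0, seed: int = 0) -> List[float]:
    """Sender side: bit 1 = light on (base + swing), bit 0 = light off (base).
    Gaussian sensor noise with the given sigma is added to every sample."""
    rng = random.Random(seed)
    swing = BASE_LEVEL * depth          # 5% of 200 = 10 brightness levels
    samples = []
    for bit in PREAMBLE + text_to_bits(command):
        level = BASE_LEVEL + (swing if bit == "1" else 0.0)
        samples.append(level + rng.gauss(0.0, noise_sigma))
    return samples


def samples_to_bits(samples: List[float]) -> str:
    """Receiver side: slice each brightness sample at the frame's mean level."""
    threshold = sum(samples) / len(samples)
    return "".join("1" if s > threshold else "0" for s in samples)


def decode_light_samples(samples: List[float]) -> Optional[str]:
    """Check the preamble, then reassemble bytes into the command text.
    Returns None when the frame cannot be synchronised."""
    bits = samples_to_bits(samples)
    if not bits.startswith(PREAMBLE):
        return None
    return bits_to_text(bits[len(PREAMBLE):])


def bit_error_rate(command: str, noise_sigma: float, seed: int = 1) -> float:
    """Fraction of bits flipped at a given noise level. With a 10-level swing,
    a noise sigma of a few levels already corrupts the frame."""
    sent = PREAMBLE + text_to_bits(command)
    got = samples_to_bits(encode_light_samples(command, noise_sigma=noise_sigma, seed=seed))
    return sum(a != b for a, b in zip(sent, got)) / len(sent)


if __name__ == "__main__":
    print(decode_light_samples(encode_light_samples("d x.pdf")))     # d x.pdf
    print(bit_error_rate("d x.pdf", noise_sigma=0.5))                # 0.0
    print(bit_error_rate("d x.pdf", noise_sigma=5.0))                # clearly above 0
```

The mean-level slicer works because the preamble and ASCII payload keep the mix of ones and zeros close to balanced; a real receiver would still need the timing recovery the article's 50 to 100 millisecond figures imply, which this model leaves out.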
Reversing the attack, researchers say that malware on the air-gapped system could use the scanner's built-in light to emit light pulses which a nearby attacker can record and reassemble back into binary code.
The data exfiltration capacity is small, though, as a similar experiment that used hard drive activity LEDs to steal data from air-gapped systems also showed.
This research is titled "Oops!...I think I scanned a malware," and is the work of two researchers from the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel, and one researcher from the Computer Science Department, Weizmann Institute of Science, Rehovot, Israel.
The attack is too inefficient to be useful in practice, but this is the type of research this team of scientists has been exploring. Previously, the Ben-Gurion team has come up with various wacky hacking techniques, such as:
LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED
SPEAKE(a)R - use headphones to record audio and spy on nearby users
9-1-1 DDoS - launch DDoS attacks that can cripple a US state's 911 emergency systems
USBee - make a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data
AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
BitWhisper - exfiltrate data from non-networked computers using heat emanations