• Home
  • News
  • Security
  • Flatbed Scanners Used as Relay Point for Controlling Malware in Air-Gapped Systems

Flatbed Scanners Used as Relay Point for Controlling Malware in Air-Gapped Systems

  • March 30, 2017
  • 05:25 PM
  • 0

Scanner attack

Scientists from two Israeli universities have come up with a way to use flatbed scanners as relay points when sending commands to malware installed on an air-gapped computer. Further research also revealed the scanner could also be used to relay stolen data to a nearby attacker.

The technique they come up with revolves around the idea that a beam of light could be interpreted as a binary 1 and the lack of visual stimulant can be considered a binary 0.

For this technique to work, two conditions must be met. First, the flatbed scanner lid must be left open in an upright position so an attacker can aim light beams at its sensors.

Second, an attacker must find a way to install malware on an air-gapped system. Further, the malware installed on the infected PC must also be programmed to start a scan at a specific date and time. At a minimum, only this initial scan needs to be carefully planned and executed, as other scans can be scheduled during this first attacks.

Attackers can use lasers, smart lightbulbs

The attack itself can be carried out in different ways, depending on the air-gapped system setup and the attacker's creativity. Researchers experimented with different setups during their tests.

For example, in an attack, they used a laser pointer mounted on a drone to send commands to the printer (video below). This attack worked at 15 meters (50 feet) away from the scanner, but researchers say an attacker can mount a powerful laser on a fixed stand and increase the attack distance up to 900 meters (0.56 miles).

Similarly, scientists hacked a smart lightbulb that was installed in the same room as the air-gapped PC, and made it pulsate in a controlled manner that relayed commands to the scanner, and to the attached air-gapped PC (video below).

One of the scientists involved in this research previously developed an IoT worm that used smart lightbulbs to propagate, and could be used to plunge communities in city-wide blackouts.

This type of attack is also stealthy, researchers discovered. For example, normal flatbed scanners can pick up changes in the lightbulb's intensity of 5%, which are barely perceptible.

During their tests, researchers sent various commands to the PC, such as "d x.pdf" (delete file x.pdf) and "en q" (encrypt folder q). Relaying such commands took between 50 to 100 milliseconds.

Attack can be reversed and used to steal data

Reversing the attack, researchers say that malware on the air-gapped system could use the scanner's built-in light to emit light pulses which a nearby attacker can record and reassemble back into binary code.

The data exfiltration capacity is small, though, as it was proven in a similar experiment that used hard drive activity LEDs to steal data from air-gapped systems.

This research is titled "Oops!...I think I scanned a malware," and is the work of two researchers from the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel, and one researcher from the Computer Science Department, Weizmann Institute of Science, Rehovot, Israel.

The attack is too inefficient to be useful in practice, but this is the type of research this team of scientists has been exploring. Previously, the Ben-Gurion team has come up with various wacky hacking techniques, such as:

LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED
SPEAKE(a)R - use headphones to record audio and spy on nearby users
9-1-1 DDoS - launch DDoS attacks that can cripple a US state's 911 emergency systems
USBee - make a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data
AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
BitWhisper - exfiltrate data from non-networked computers using heat emanations

Related Articles:

Mirai IoT Malware Uses Aboriginal Linux to Target Multiple Platforms

Ad Clicker Hiding as Google Photos App Found in Microsoft Store

CoinMiners Use New Tricks to Impersonate Adobe Flash Installers

New Reports Show Increased CyberThreats, User Risks Remain High

Spectre and Meltdown Hardware Protection Added to Intel's 9th Gen CPUs

Catalin Cimpanu
Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.
Post a Comment Community Rules
You need to login in order to post a comment

Not a member yet? Register Now

You may also like:

Newsletter Sign Up

To receive periodic updates and news from BleepingComputer, please use the form below.


Remember Me
Sign in anonymously


Help us understand the problem. What is going on with this comment?

Learn more about what is not allowed to be posted.