Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Invisible Pixel Patterns Can Communicate Data Covertly

University researchers show that changing the brightness of monitor pixels can communicate data from air-gapped systems in a way not visible to human eyes.

Computers disconnected from the Internet can still be used to transmit information by using slight changes to pixels on the screen that are otherwise not visible to humans, a team of researchers from Ben-Gurion University (BGU) of the Negev and Shamoon College of Engineering stated in a paper published on February 4.

The research project, called BRIGHTNESS, assumes that an attacker wants to exfiltrate data from a compromised machine not connected to any network and uses changes in the red values of a collection of pixels to communicate information to any video camera in the vicinity. Such display-to-camera (D2C) communication is a subject of study among academic cybersecurity researchers, but creating a system that is not perceptible to humans is novel.

The groups that have to worry about such threats are not just limited to government facilities, says Mordechai Guri, the head of research and development at BGU's Cyber-Security Research Center and one of the authors of the paper.

"The attack is practical in certain scenarios," he says. "In the finance sector, for example, exfiltrating cryptocurrencies' private keys — which is equal to own[ing] the wallet — from a secure, isolated computer that signs the transactions" is one possible scenario.

Attacks against highly secure systems not connected to a network — known as air-gapped systems — have been a topic of both study and practical attacks for more than two decades. Attacks using information gleaned from electromagnetic emanations, often referred to as TEMPEST attacks, date back the 1990s and even, by some accounts, to even precomputer times.

Monitor screens, hard-drive activity LEDs, network-activity LEDs, and keyboard clicks have all been used to steal information, and in some cases, create a covert communications channel. In 2016, for example, researchers from Tel Aviv University were able to extract the decryption key from a laptop using its emanations. Other attackers have used heat from one system to communicate with another.

In the latest project, the BGU researchers found that, by adjusting the red component of a set of pixels by 3%, they could achieve bit rates of between 5 and 10 bits per second, depending on the distance the camera was from the monitor. In addition, two cameras — a security camera and a webcam — had similar performance, but a smartphone camera could only extract an average of 1 bit per second, according to the report.

Theoretically, the techniques could extract tens of bits per second, Guri says.

"The maximal bit-rate may reach 30 bits/sec [or] more, if more advanced modulation methods are used," he says. For example, an attacker could "use more than 2 brightness levels and more than 1 color."

Are the changes truly invisible to the human eye? The researchers conducted the experiment in a controlled level of ambient lighting and waited until the subjects adapted to the light level. In addition, the frequency at which a blinking image appears to be a steady-state image — a threshold known as the critical fusion frequency (CFF) — varies depending on the ambient lighting, the researchers said.

"The sensitivity of the visual system gradually adapts as one moves from a darker or brighter environment," they researchers wrote, adding that "particularly with low levels of illumination, increasing the duration can increase the likelihood that the stimulus [blinking image] will be detected."

The prerequisite that an air-gapped computer be already compromised is not that rare, Tal Zamir, founder and chief technology officer of Hysolate, a maker of endpoint-security solutions, said in a statement.

"This is not uncommon, as one of the challenges with physically air-gapped solutions is the inability for the user to be productive, and many times, they look for workarounds in order to get their tasks completed — and there lies the introduction of risk into the environment," he said. "Security and productivity have always been seen as a constant balancing act, where the traditional mindset believes that in order for one to thrive the other must suffer.”

Moreover, while the attack is mainly a worry for super-secure facilities that have sensitive or top-secret data on air-gapped systems, the attack could also be used to avoid communicating data over, for example, a heavily monitored network.

Yet, for most companies, hiding covert data in network packets is a far more likely way to secretly communicate, Guri says.

"The traditional network-based covert channels are the issue to watch today," he says. "Finding hidden information within Internet protocols, SSL, HTTPS, emails, and so on, is a challenge by itself."

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "C-Level & Studying for the CISSP."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cybersecurity Industry: It's Time to Stop the Victim Blame Game
Jessica Smith, Senior Vice President, The Crypsis Group,  2/25/2020
Google Adds More Security Features Via Chronicle Division
Robert Lemos, Contributing Writer,  2/25/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-27
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the LTE RRC dissector could leak memory. This was addressed in epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.
PUBLISHED: 2020-02-27
openssl_x509_check_host in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
PUBLISHED: 2020-02-27
openssl_x509_check_email in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
PUBLISHED: 2020-02-27
openssl_x509_check_ip_asc in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
PUBLISHED: 2020-02-27
Type confusion in V8 in Google Chrome prior to 80.0.3987.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.