University researchers show that changing the brightness of monitor pixels can communicate data from air-gapped systems in a way not visible to human eyes.

4 Min Read

Computers disconnected from the Internet can still be used to transmit information by using slight changes to pixels on the screen that are otherwise not visible to humans, a team of researchers from Ben-Gurion University (BGU) of the Negev and Shamoon College of Engineering stated in a paper published on February 4.

The research project, called BRIGHTNESS, assumes that an attacker wants to exfiltrate data from a compromised machine not connected to any network and uses changes in the red values of a collection of pixels to communicate information to any video camera in the vicinity. Such display-to-camera (D2C) communication is a subject of study among academic cybersecurity researchers, but creating a system that is not perceptible to humans is novel.

The groups that have to worry about such threats are not just limited to government facilities, says Mordechai Guri, the head of research and development at BGU's Cyber-Security Research Center and one of the authors of the paper.

"The attack is practical in certain scenarios," he says. "In the finance sector, for example, exfiltrating cryptocurrencies' private keys — which is equal to own[ing] the wallet — from a secure, isolated computer that signs the transactions" is one possible scenario.

Attacks against highly secure systems not connected to a network — known as air-gapped systems — have been a topic of both study and practical attacks for more than two decades. Attacks using information gleaned from electromagnetic emanations, often referred to as TEMPEST attacks, date back the 1990s and even, by some accounts, to even precomputer times.

Monitor screens, hard-drive activity LEDs, network-activity LEDs, and keyboard clicks have all been used to steal information, and in some cases, create a covert communications channel. In 2016, for example, researchers from Tel Aviv University were able to extract the decryption key from a laptop using its emanations. Other attackers have used heat from one system to communicate with another.

In the latest project, the BGU researchers found that, by adjusting the red component of a set of pixels by 3%, they could achieve bit rates of between 5 and 10 bits per second, depending on the distance the camera was from the monitor. In addition, two cameras — a security camera and a webcam — had similar performance, but a smartphone camera could only extract an average of 1 bit per second, according to the report.

Theoretically, the techniques could extract tens of bits per second, Guri says.

"The maximal bit-rate may reach 30 bits/sec [or] more, if more advanced modulation methods are used," he says. For example, an attacker could "use more than 2 brightness levels and more than 1 color."

Are the changes truly invisible to the human eye? The researchers conducted the experiment in a controlled level of ambient lighting and waited until the subjects adapted to the light level. In addition, the frequency at which a blinking image appears to be a steady-state image — a threshold known as the critical fusion frequency (CFF) — varies depending on the ambient lighting, the researchers said.

"The sensitivity of the visual system gradually adapts as one moves from a darker or brighter environment," they researchers wrote, adding that "particularly with low levels of illumination, increasing the duration can increase the likelihood that the stimulus [blinking image] will be detected."

The prerequisite that an air-gapped computer be already compromised is not that rare, Tal Zamir, founder and chief technology officer of Hysolate, a maker of endpoint-security solutions, said in a statement.

"This is not uncommon, as one of the challenges with physically air-gapped solutions is the inability for the user to be productive, and many times, they look for workarounds in order to get their tasks completed — and there lies the introduction of risk into the environment," he said. "Security and productivity have always been seen as a constant balancing act, where the traditional mindset believes that in order for one to thrive the other must suffer.”

Moreover, while the attack is mainly a worry for super-secure facilities that have sensitive or top-secret data on air-gapped systems, the attack could also be used to avoid communicating data over, for example, a heavily monitored network.

Yet, for most companies, hiding covert data in network packets is a far more likely way to secretly communicate, Guri says.

"The traditional network-based covert channels are the issue to watch today," he says. "Finding hidden information within Internet protocols, SSL, HTTPS, emails, and so on, is a challenge by itself."

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "C-Level & Studying for the CISSP."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights