Do You Trust Your Hard Drive Indication Light?

Researchers in the past have exfiltrated information through air gaps by blinking all sorts of lights from LEDs in keyboards to the main display itself. However, all of these methods all have one problem in common: they are extremely noticeable. If you worked in a high-security lab and your computer screen started to blink at a rapid pace, you might be a little concerned. But fret not, a group of researchers has found a new light to blink (PDF warning). Conveniently, this light blinks “randomly” even without the help of a virus: it’s the hard drive activity indication light.

All jokes aside, this is a massive improvement over previous methods in more ways than one. Since the hard drive light can be activated without kernel access, this exploit can be enacted without root access. Moreover, the group’s experiments show that “sensitive data can be successfully leaked from air-gapped computers via the HDD LED at a maximum bit rate of 4000 bit/s (bits per second), depending on the type of receiver and its distance from the transmitter.” Notably, this speed is “10 times faster than the existing optical covert channels for air-gapped computers.”

We weren’t born last night, and this is not the first time we’ve seen information transmission over air gaps. From cooling fans to practical uses, we’ve seen air gaps overcome. However, there are also plenty of “air gaps” that contain more copper than air, and require correspondingly less effort.

[via /r/hacking]

48 thoughts on “Do You Trust Your Hard Drive Indication Light?

      1. Just looked and it’s my battery light that flashes I don’t have a hdd light on my laptop. I use an SSD so I wonder if that would make it blink a lot faster if I had one? anyone know?

          1. If its blinking fast enough to meaningfully exfiltrate data, you would not be able to tell with your eyes that it wasn’t continuous, so that’s not really a guarantee.

    1. Or just open it up and unplug the web camera.
      Actually a good feature manufacture could easily add would be to add a switch to the V+ or one of the data lines to the camera as most laptop cameras are actually USB devices.
      The device is USB so electrically it is hot pluggable.
      Do the same with the internal microphone.

  1. I’ve seen this instantly get picked up by a local TV with doomsday titles and the works. I think it’s pretty unlikely it will ever be worthwhile. I mean it, requires physical access to the computer to install software on, if you have physical access then whats the point of security. What kind of noob sysadmin would ever let people run stuff off an external drive if he’s smart enough to have the PC on a closed network.. And what about that LED, sure is pretty bright. Don’t get me started on the drone..

    I say it’s a pretty slim use case.

    1. The way I see it is that yes you are right there is a very slim chance of getting to use this for malicious purposes in the wild or /and there may be a lot of better options. Having said that if you work in surveillance/hacking/snooping circles this is just another tool that you can use. It probably won’t ever be needed but one day it might be the right tool for the job for someone.

    2. Agreed… unfortunately it won’t stop the “IT security consultants” who make a living off spreading FUD in the name of fattening their personal bank accounts. Never mind the practicality of the “vulnerability” scenario they pulled out of their ass. As long as they can make a profit from it, it’s all that matters to them. I’d be more worried about the human factors side of the security equation. Much easier to pay off the employee with some cold hard cash in a suitcase in return for whatever secrets are on those drives.

      (like the infamous xkcd crypto-nerd comic – breaking someones kneecaps to get a password from them is easier than trying to crack their password).

      1. Still, some security is better than none. The best solution is a bit of security and not being an interesting target. But if you have the money to have a consultant regularly, then it is probably well spent money.

    3. How I’d get the software onto the target make a bunch of USB rubber duckies put them in USB thumb drive cases marked porn etc some thumb drives can be turned into a ducky and throw them on the ground in the parking lot or by the bus terminal etc.
      Someone is bound to plug one in.

      1. You don’t need physical access to the machine, you just need to get your code running on the machine. Doesn’t even need root access in order to control the hardware.

        The only physical access you *need* is line-of-sight to the LED. Which could be through a window.

        1. You still need physical access to the air gapped system to get the code onto there or get a the user to inadvertently install it via a USB drive or similar device such as a compromised software dongle or keyboard with a USB rubber ducky build in.

    1. It isn’t necessarily using the actual drone camera for the data recovery (frame rate is waaay too slow), they discuss using a high-speed photo-diode sensor to read the flashing.

      But you’re right, even just using the camera is enough to get an encryption key out.

  2. ok, the next one will be using the power network to leak data. simply hogging the cpu for a period of time, then releasing. if you can do it long enough, even sub bps speeds can actually deliver data. you just need to watch the power meter’s visual indicator :-)
    but running on battery power can protect you.

    1. That’s been done, as has using the waste heat, and the cooling fan. In fact, there’s quite a few. Network hub lights have been done for ages too.
      Ultrasonic is probably my favourite one – ad tracking networks have used that to correlate phones to desktop and laptops.

      1. Do you have any documentation / sources for the ultrasonic? I know a similar system has been used in the US for radio and TV metrics – but I’ve never heard of it being used on computing devices.

  3. Just add a large enough electrolytic capacitor across the LED. This will mean the light will have a very slow decay time. That will mean it will take a few seconds to go off, but that is good enough for an indicator light. If you want visible high speed flicker = risk. The other thing would be to overlay the LED flicker with fake flicker to make enough clutter to ruin the idea, Hell, a simple circuit would make totally random fale flicker, or even fake information flivker…

    1. Good idea taking it farther have the HDD activity light go into the the trigger of a 555 one shot setup for a half second or more time which would ruin it for data transfer.
      A funnier counter would be to do add some extra LEDs to a uC and have it flash out something like f–k off in ascii or Morse.

    2. Forget the random flicker thing. Engineers have been teasing signal from noise ever since the invention of the radio. The electrolytic will do much better. Of course, with slow enough of a data rate that can still be worked around. Disconnecting or taping over the LED are the only sure ways.

  4. How do they compensate for the LED actually indicating actual HDD use? Or just repeat the message until all parts gets there eventually? How about instead of covering the LED with a duct tape, we cover the shady person in a hoodie pointing a camera at out HDD LED?

  5. However they fail to account for the fact that it’s usually the person running the computer being asked questions at the bar by a cute girl(boy/other) that is the real data leak.

    1. could you explain your comment with some extra information?
      You could mean:
      A – cover you HHD LED with cow excrement in order to block the light.
      B – cover the Windows …in order to create a physical optical barrier between computer and observer outside the building.
      C – this article is not making any sense to you?
      D – we should be using bullshit instead of HDD’s because on most HDD’s the information on it is already on that level
      E – none of the above

      1. F — add a good sized cap to HDD LED. Makes the LED not flash at all but come on steady when there’s lots of activity and fade out slowly when hard drive is idle for a while. Even if some hacker figured this out and adjust malware to “talk” more slowly, it won’t be worth it because trying to steal secret file at rate slower than 5 seconds per bit would take forever and can be interrupted.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.