Visible to the public CTRL-ALT-LED: Leaking Data from Air-Gapped Computers Via Keyboard LEDs

TitleCTRL-ALT-LED: Leaking Data from Air-Gapped Computers Via Keyboard LEDs
Publication TypeConference Paper
Year of Publication2019
AuthorsGuri, Mordechai, Zadov, Boris, Bykhovsky, Dima, Elovici, Yuval
Conference Name2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC)
Date Publishedjul
Keywordsadvanced persistent threat, Air gaps, air-gap, air-gapped computers, airgapped computers, bit rate 120.0 bit/s, bit rate 3000.0 bit/s, Cameras, Caps-Lock, composability, computer network security, covert channel, CTRL-ALT-LED, data leakage prevention systems, evil maid attacks, exfiltrate data, exfiltration, firmware, Human Behavior, human factors, invasive software, keyboard, keyboard LEDs, Keyboards, light emitting diodes, light sensor, malicious insider, Malware, Metrics, modern cyber-attack, modern USB keyboards, Network, Num-Lock, optical, optical communication, optical equipment, Optical sensors, pubcrawl, Receivers, remote cameras, resilience, Resiliency, Scroll-Lock, sensitive optical sensors, smart phones, Trusted Computing, Universal Serial Bus
AbstractUsing the keyboard LEDs to send data optically was proposed in 2002 by Loughry and Umphress [1] (Appendix A). In this paper we extensively explore this threat in the context of a modern cyber-attack with current hardware and optical equipment. In this type of attack, an advanced persistent threat (APT) uses the keyboard LEDs (Caps-Lock, Num-Lock and Scroll-Lock) to encode information and exfiltrate data from airgapped computers optically. Notably, this exfiltration channel is not monitored by existing data leakage prevention (DLP) systems. We examine this attack and its boundaries for today's keyboards with USB controllers and sensitive optical sensors. We also introduce smartphone and smartwatch cameras as components of malicious insider and 'evil maid' attacks. We provide the necessary scientific background on optical communication and the characteristics of modern USB keyboards at the hardware and software level, and present a transmission protocol and modulation schemes. We implement the exfiltration malware, discuss its design and implementation issues, and evaluate it with different types of keyboards. We also test various receivers, including light sensors, remote cameras, 'extreme' cameras, security cameras, and smartphone cameras. Our experiment shows that data can be leaked from air-gapped computers via the keyboard LEDs at a maximum bit rate of 3000 bit/sec per LED given a light sensor as a receiver, and more than 120 bit/sec if smartphones are used. The attack doesn't require any modification of the keyboard at hardware or firmware levels.
Citation Keyguri_ctrl-alt-led_2019