Exfiltrating data from an air-gapped system through a screen-camera covert channel

Longlong Li; Yuliang Lu; Xuehu Yan; Dingwei Tan; Longlong Li; Yuliang Lu; Xuehu Yan; Dingwei Tan

doi:10.3934/mbe.2019374

Mathematical Biosciences and Engineering

2019, Volume 16, Issue 6: 7458-7476. doi: 10.3934/mbe.2019374

Previous Article Next Article

Research article Special Issues

Exfiltrating data from an air-gapped system through a screen-camera covert channel

National University of Defense Technology, No. 460 Huangshan Road, Hefei 230037, China

Received: 30 March 2019 Accepted: 29 July 2019 Published: 16 August 2019

In recent years, many methods of exfiltrating information from air-gapped systems, including electromagnetic, thermal, acoustic and optical covert channels, have been proposed. However, as a typical optical channel, the screen-camera method has rarely been considered; it is less covert because it is visible to humans. In this paper, inspired by the rapid upgrades of cameras and monitors, we propose an air-gapped screen-camera covert channel with decreased perceptibility that is suitable for complex content. Our method exploits the characteristics of the human vision system (HVS) and embeds quick response (QR) codes containing sensitive data in the displayed frames. This slight modification of the frames cannot be sensed by the HVS but can be recorded by the cameras. Then, using certain image processing techniques, we reconstruct the QR codes to some degree and extract the secret data with a certain level of robustness due to the error correction capacity of QR codes. In the scenario to which our method applies, we assume that a program has been installed in the target system and has the authority to modify the frames without affecting the normal operations of valid users. Cameras, such as web cameras, surveillance cameras and smartphone cameras, can be receivers in our method. We illustrate the applicability of our method to frames with complex content using several different cover images. Experiments involving different angles between the screen and the camera were conducted to highlight the feasibility of our method with angles of $ 0°, 15°$ and 30° .
- covert channels, screen-camera communication, air-gapped, data exfiltration
Citation: Longlong Li, Yuliang Lu, Xuehu Yan, Dingwei Tan. Exfiltrating data from an air-gapped system through a screen-camera covert channel[J]. Mathematical Biosciences and Engineering, 2019, 16(6): 7458-7476. doi: 10.3934/mbe.2019374

Related Papers:

Abstract

In recent years, many methods of exfiltrating information from air-gapped systems, including electromagnetic, thermal, acoustic and optical covert channels, have been proposed. However, as a typical optical channel, the screen-camera method has rarely been considered; it is less covert because it is visible to humans. In this paper, inspired by the rapid upgrades of cameras and monitors, we propose an air-gapped screen-camera covert channel with decreased perceptibility that is suitable for complex content. Our method exploits the characteristics of the human vision system (HVS) and embeds quick response (QR) codes containing sensitive data in the displayed frames. This slight modification of the frames cannot be sensed by the HVS but can be recorded by the cameras. Then, using certain image processing techniques, we reconstruct the QR codes to some degree and extract the secret data with a certain level of robustness due to the error correction capacity of QR codes. In the scenario to which our method applies, we assume that a program has been installed in the target system and has the authority to modify the frames without affecting the normal operations of valid users. Cameras, such as web cameras, surveillance cameras and smartphone cameras, can be receivers in our method. We illustrate the applicability of our method to frames with complex content using several different cover images. Experiments involving different angles between the screen and the camera were conducted to highlight the feasibility of our method with angles of $ 0°, 15°$ and 30° .

References

[1]	M. G. Kuhn and R. J. Anderson, Soft tempest: Hidden data transmission using electromagnetic emanations, International Workshop on Information Hiding, 1998, 124–142. Available from: https://link.springer.com/chapter/10.1007/3-540-49380-8 10.
[2]	M. Guri, G. Kedma, A. Kachlon, et al., Air hopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies, Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software: The Americas (MALWARE), 2014, 58–67. Available from: https://ieeexplore.ieee.org/abstract/document/6999418/.
[3]	M. Guri, A. Kachlon, O. Hasson, et al., GSMem: Data exfiltration from air-gapped computers over GSM frequencies, 24th USENIX Security Symposium (USENIX Security 15), 2015, 849–864. Available from: https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/guri.
[4]	M. Guri, M. Monitz and Y. Elovici, USBee: Air-gap covert-channel via electromagnetic emission from USB, 2016 14th Annual Conference on Privacy, Security and Trust (PST), 2016, 264–268. Available from: https://ieeexplore.ieee.org/abstract/document/7906972.
[5]	S. O'Malley and K.-K. Choo, Bridging the air gap: Inaudible data exfiltration by insiders, 20th Americas Conference on Information Systems (AMCIS 2014), 2014. Available from: https://papers.ssrn.com/sol3/papers.cfm?abstract id=2431593.
[6]	E. Lee, H. Kim and W. Y. Ji, Various threat models to circumvent air-gapped systems for preventing network attack, International workshop on information security applications, 2015. Available from: https://link.springer.com/chapter/10.1007/978-3-319-31875-2 16citeas.
[7]	M. Guri, Y. Solewicz, A. Daidakulov, et al., Fansmitter: Acoustic data exfiltration from (speakerless) air-gapped computers, arXiv preprint arXiv, (2016).
[8]	M. Guri, Y. A. Solewicz, A. Daidakulov, et al., Diskfiltration: Data exfiltration from speakerless air-gapped computers via covert hard drive noise, 98–115. arXiv preprint arXiv: 1608.03431, (2016).
[9]	M. Guri, M. Monitz, Y. Mirski, et al., Bitwhisper: Covert signaling channel between air- gapped computers using thermal manipulations, 2015 IEEE 28th Computer Security Foundations Symposium, 2015. Available from: https://ieeexplore.ieee.org/abstract/document/7243739.
[10]	Y. Mirsky, M. Guri and Y. Elovici, Hvacker: Bridging the air-gap by manipulating the environment temperature, Magdeburger J. zur Sicherheitsforschung, 14 (2017), 815–829.
[11]	V. Sepetnitsky, M. Guri and Y. Elovici, Exfiltration of information from air-gapped machines using monitor's LED indicator, 2014 IEEE Joint Intelligence and Security Informatics Conference,IEEE, 2014, 264–267. Available from: https://ieeexplore.ieee.org/abstract/document/6975588.
[12]	A. Lopes and D. Aranha, Platform-agnostic low-intrusion optical data exfiltration, 3rd International Conference on Information Systems Security and Privacy (ICISSP 2017), 2017, 474–480. Available from: http://dx.doi.org/10.5220/0006211504740480.
[13]	M. Guri, B. Zadov and Y. Elovici, LED-it-GO: Leaking (a lot of) data from air-gapped computers via the (small) hard drive LED, International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 2017, 161–184. Available from: http://arxiv.org/abs/1702.06715.
[14]	M. Guri, B. Zadov, A. Daidakulov, et al., xLED: Covert data exfiltration from air-gapped networks via router leds, arXiv preprint arXiv, (2017).
[15]	Z. Zheng, W. Zhang, Z. Yang et al., Exfiltration of data from air-gapped networks via unmodulated led status indicators, arXiv preprint arXiv, (2017).
[16]	M. Guri, D. Bykhovsky and Y. Elovici, Air-jumper: Covert air-gap exfiltration/infiltration via security cameras & infrared (IR), Comput. Secur., 82 (2019), 15–29.
[17]	K. Jo, M. Gupta and S. K. Nayar, DisCo: Display-Camera Communication Using Rolling Shutter Sensors, ACM Trans. Graphics., 35 (2016), 1–13.
[18]	H. Hao, L. Rujun, Q. Guolei et al., Covert-optical transmission channel based on LED display, Commun. Technol., 51 (2018), 1689–1693.
[19]	M. Guri, O. Hasson, G. Kedma, et al., An optical covert-channel to leak data through an air-gap 2016 14th Annual Conference on Privacy, Security and Trust (PST), IEEE, 2016. Available from: https://ieeexplore.ieee.org/document/7906933.
[20]	Kolb Helga, Much of the construction of an image takes place in the retina itself through the use of specialized neural circuits, in How the Retina Works, American Scientist, (2003), 28–35.
[21]	J. L. Ecker, G. S. Lall, S. Haq, et al., Melanopsin cells are the principal conduits for rod cone input to non-image-forming vision, Nature, 7191 (2008), 102–106.
[22]	G. Buchsbaum, An Analytical Derivation of Visual Nonlinearity IEEE Trans. Biomed. Eng.,5(1980), 237–242.
[23]	D. Mandal, K. Panetta and S. Agaian, Human visual system inspired object detection and recognition, 2012 IEEE International Conference on Technologies for Practical Robot Applications (TePRA), IEEE, 2012, 145–150. Available from:http://dx.doi.org/10.1109/TePRA.2012.6215669.
[24]	E. Simonson and J. Brozek, Flicker fusion frequency; background and applications, Physiol. Rev., 32 (1952), 349–378.
[25]	S. D. Perli, N. Ahmed and D. Katabi, PixNet: Interference-free wireless links using LCD-camera pairs, 16th Annual Conference on Mobile Computing and Networking, MobiCom 2010 (2010), 1952, 137–148. Available from: http://dx.doi.org 10.1145/1859995.1860012.
[26]	T. Hao, R. Zhou and G. Xing, COBRA: Color barcode streaming for smartphone systems, Proceedings of the 10th international conference on Mobile systems, applications, and services, ACM, 2012, 85–98. Available from: http://dx.doi.org/10.1145/2307636.2307645.
[27]	W. Hu, Lightsync: Unsynchronized visual communication over screen-camera links, Proceedings of the 19th annual international conference on Mobile computing & networking, ACM, 2013, 15–26. Available from: http://dx.doi.org/10.1145/2500423.2500437.
[28]	T. Li, C. An, X. Xiao, et al., Real-time screen-camera communication behind any scene Proceedings of the 13th Annual International Conference on Mobile Systems, Applications, and Services, ACM, 2015, 197–211. Available from: http://dx.doi.org/10.1145/2742647.2742667.
[29]	A. Wang, C. Peng, O. Zhang, et al., InFrame: Multiflexing full-frame visible communication channel for humans and devices, Proceedings of the 13th ACM Workshop on Hot Topics in Networks, ACM, 2014. Available from: http://dx.doi.org/10.1145/2670518.2673867.
[30]	A. Wang, Z. Li, C. Peng, et al., Inframe++: Achieve simultaneous screen-human viewing and hidden screen-camera communication, Proceedings of the 13th Annual International Conference on Mobile Systems, Applications, and Services, ACM, 2015, 181-195. Available from: http://dx.doi.org/10.1145/2742647.2742652.
[31]	A. Costin, Security of cctv and video surveillance systems: Threats, vulnerabilities, attacks, and mitigations, Proceedings of the 6th international workshop on trustworthy embedded devices, ACM, 2016.Available from: https://dl.acm.org/citation.cfm?id=2995290.

Reader Comments

Your name:*

Email:*
© 2019 the Author(s), licensee AIMS Press. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0)