All-in-one printers can be used to control infected air-gapped systems from far away

Researchers have developed Morse code for transmitting data via pulses of light sent to an operating scanner

Pulses of light flashed at a scanner lid during scanning results in white lines

Pulses of light flashed at a scanner lid during scanning results in white lines

Isolating computers from the Internet, called "air gapping," is considered one of the best ways to defend critical systems and their sensitive data from cyberattacks, but researchers have found that can be undermined using an all-in-one printer.

Renowned cryptographer Adi Shamir, co-inventor of the widely used RSA cryptographic system, and researchers Yuval Elovici and Moti Guri from Ben-Gurion University in Israel recently set out to find methods of controlling malware running on air-gapped systems, subverting the goal of preventing Internet-based attacks. Theoretically, if a malicious program is installed on an air-gapped computer by an unsuspecting user via, say, a USB thumb drive, attackers should have a hard time controlling the malicious program or stealing data through it because there is no Internet connection.

But the researchers found that if a multifunction printer is attached to such a computer, attackers could issue commands to a malicious program running on it by flashing visible or infrared light at the scanner lid when open. Shamir presented the unusual attack, which he dubbed Scangate, Thursday during his keynote at the Black Hat Europe security conference in Amsterdam.

The researchers observed that if a source of light is pointed repeatedly at the white coating on the inside of the scanner's lid during a scanning operation, the resulting image will have a series of white lines on darker background. Those lines correspond to the pulses of light hitting the lid and their thickness depends on the duration of the pulses, Shamir explained.

Using this observation the researchers developed Morse code that can be used to send pulses of light at different intervals and interpret the resulting lines as binary data -- 1s and 0s. Malware running on an air-gapped system could be programmed to initiate a scanning operation at a certain time -- for example, during the night -- and then interpret the commands sent by attackers using the technique from far away.

Shamir estimated that several hundred bits of data can be sent during a single scan. That's enough to send small commands that can activate various functionality built into the malware.

The researchers successfully tested the attack from 200, 900 and 1,200 meters against a computer and printer located in a building in Beersheba, Israel, where EMC, Oracle and other big companies have research centers. They used a laser to flash visible light at the window of the office where the scanner was located, illuminating the room.

Using a more powerful laser could produce reliable results from up to 5 kilometers away, according to Shamir. An attacker would likely use infrared light because it's invisible to the naked eye, but the researchers only tested with infrared light over a short distance because using a high-powered infrared laser can be harmful to people's eyesight.

Instead of waiting for the malware to initiate a scan, attackers could also wait until a person in the office scans a document with the lid open and then run their attack. In that case, the lines would appear on the sides of the scanned document because of the scanner's larger surface that leave an uncovered border.

The researchers also found a way for the malware to send data back to the attackers by using the light produced by the scanner itself. Since the malware can initiate and cancel scanning operations, attackers can derive information from the amount of time the scanner's light is on and reflects off the opened lid.

This is not as efficient as receiving commands, but can be used to exfiltrate a few bits of data at a time. The operation can be repeated to eventually exfiltrate critical information, like encryption keys, Shamir said.

Detecting the light generated by the scanner from far away would require very sensitive equipment and if the computer is located in an office on a higher floor, the attacker would have a hard time getting good visibility. This can be solved by using a quadcopter drone to get closer and observing the scanner from a better angle, Shamir said.

The technique is similar to the so-called side-channel attacks that can be used to derive cryptographic keys by analyzing a computer system's power consumption, electromagnetic leaks or even sound during a cryptographic operation.

There are other examples of air-gapped systems being infected. The Stuxnet cybersabotage worm which is believed to have been developed by the U.S. and Israeli intelligence services, was introduced on air-gapped computers at Iran's nuclear facility in Natanz through USB drives, possibly by insiders.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwarespywareintrusion

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Family Friendly

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Stocking Stuffer

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?