How to leak data from an air-gapped PC – using, er, a humble scanner

Cybercriminals managed to infect a PC in the design department of Contoso Ltd through a cleverly crafted spear-phishing campaign. Now they need a way to communicate with the compromised machine in secret. Unfortunately, they know Contoso's impenetrable network defenses will detect commands sent to their malware. To avoid …


Is this some James Bond-esque fantasy?

I thought this was going to be an article about a credible-but-obscure threat. Instead, I get a Rube Goldberg machination that would only work in a Hollywood spy film.

Let's list the setup requirements:

1) a bot-infiltrated network

2) an open scanner next to a window

3) a drone with a laser

4) nobody looking out the window wondering what the heck a drone is doing there while a document is being scanned

5) nobody standing between the scanner and the drone while a document is being scanned

6) the document being scanned is miraculously transparent to laser light while simultaneously being scannable

7) no heavy gust of wind during the entire process

I can accept that, to scan a document, the user leaves the cover open. I have done that very thing every time I had a sheaf of papers to scan. But, if I have a sheaf of papers to scan, I am not moving from in front of the scanner, which would put me squarely in the path of the laser beam. And if I am only scanning one (or two), then I always close the cover.

Plus, on multifunction printers these days, the cover is likely not just a cover, but integrates a paper-feed mechanism that is way too heavy to effectively leave the cover open.

And, if we're talking big multifunction printers, they're in a separate room, likely without windows, or a window high up.

All of that to spend over 3 seconds sending "d x.pdf", which is 7 bytes. God forbid you need to send a dozen ddos orders - you'll be there all day and somebody will end up taking a shotgun to your drone (or, more realistically, calling security).

If this is your solution to sending commands to your virus bot, you're going to die of hunger before next month.


Re: Is this some James Bond-esque fantasy?

I'm hoping this article is a satirical look at the recent surge of papers being published on rather ridiculous out-of-band attack vectors.

"researchers have shown they can exfiltrate data by blinking an HDD led."

"researchers have shown they can exfiltrate data by vibrating a cd rom in a certain way"

"researchers have found they can exfiltrate data via ultrasound, assuming speakers are attached"

All of which assume they've compromised the computer in the first place, and are close enough to pick up vibrations and sounds from it. Thus making it all a bit redundant.


Re: Is this some James Bond-esque fantasy?

April 1 come early this year?


Re: Is this some James Bond-esque fantasy?

"April 1 come early this year?"

Nope, it's exactly on time - in New Zealand...


Re: Is this some James Bond-esque fantasy?

You forgot the most obvious issue - why is the scanner lid opening TOWARD the frickin' window??


I see a fatal flaw ...

Contoso, as we all know, uses nothing but Microsoft products. Therefore, the "impenetrable network defenses" don't exist.


Oh right,

1st April Fool.

Got it.


Re: Oh right,

For me, the giveaway was transmitting their command in 3.2 seconds. Including start and stop bits they would barely get two bytes per second. "d x.pdf\n" would require at least 4 seconds even without authentication and error correction.


Re: Oh right,

Considering that it's being published on Thursday March 30, not so much.

But one should point out that 'ultra high' secure buildings have little electric 'tumblers' that are placed in the corner of the windows and vibrate the windows so that no optical eavesdropping can occur. Also the windows are shielded to block radio signals so you can't get cell phone signals in the building...

Also the equipment may be on line conditioning power supplies that could impact that vector too.

(Although I think that would only work if the machine was set up to use the power line as a way to communicate. ... )


Re: Oh right,

Re windows, if you use a pulsed laser and range gate the timing of which reflection you monitor, you can use reflections from whatever shiny surface you can find inside the room (hello mr pot plant) not just the window


Re: Oh right,

A day or two early...

But yes, clearly.

Anonymous Coward

Soo...

We've had computer hdd light and now scanner light.

What's next? Using the fans to transfer data by air pressure.

Keep up the useless work chaps.


Morse code by clicking a pen, that's my bet.


If slow speed data extraction is acceptable, one can use malware to cause the PC to turn itself off (or not) at certain times of the day.

One then monitors for power changes, the frequency of "FFS!" utterances, calls to support, or use a drone to watch the power LED.

Or maybe the hacker crew could just set themselves up a support service, get dodgy kit into a site, sit back and wait for the unsuspecting users to report back the seemingly meaningless error codes which annoyingly pop up every half hour.


Or I could just tailgate you through a door with a badge tucked into my top pocket, mumble I've a meeting with 'John' at 11am, find an empty seat and plug in my hacking kit of choice.

Ok not nearly as 'Bond-like' as the story but will work in a large number of sites without 6 months of fecking around.

So really, worry about the basic threats before you start defending against Ninjas and SMERSH.


But Bond does exactly that...

in Diamonds are Forever, to gain entry to the Whyte laboratory.

Anonymous Coward

@0laf

At the IBM labs in Markham outside of Toronto, the secure part of the building has a turnstile so that you can't get access via tailgating, along with cameras that are tied back to a security desk. (Just in case you want to try to use the door that they have to allow for carts...)


Wait... days?

It took them days to realise scanners are usually closed when scanning stuff to, you know... scan the thing on the bed and not the office ceiling...?

Hands up whose immediate first thought was "wait... scanners have a lid".

Never mind other problems like keeping the drone laser focussed on the scanner sensors in ambient weather conditions, glass distortion, glass coatings, the rather obvious drone hovering outside the office window...

Keep up the good work guys.


Re: Wait... days?

Hand up


My plan...

involves malware with OCR, a webcam and a drone with a cardboard sign with the instructions printed on it.

"Why's there a sign saying 'rm -r /' hovering outside?"


Re: My plan...

To be pedantic, 'rm -r /' isn't going to do anything on a modern Linux system... There aren't any system critical files in the root directory, just sub-directories as far as the eye can see.

I believe you mean 'rm -rf /'...


Re: My plan...

I believe you mean:

rm -r -no-preserve-root /


Re: My plan...

Curses! Foiled Again!


Re: My plan...

curses is a whole 'nuther kettle o'worms ...

Anonymous Coward

I've got another way of gaining access to an air-gapped network using a radish.

First you need to have access to the building and the opportunity to get close to one of the machines.

Place the radish on the desk to the right of the machine.

Then say to the user "Oh look a radish"

When they turn to look and pick up the radish you quickly slip in a 4G dongle with an SD card loaded with malware and you're good to go.

I think this has more chance of success than the technique developed using a scanner, it's cheaper too as radishes are much cheaper than drones.


re: slip a 4g dongle

One of the first steps in network security is to disable all USB ports. D+; must try harder.

Anonymous Coward

Re: re: slip a 4g dongle

Good point I stand corrected.

Then you would need two radishes.

You would place the other at reception. After alerting them to the presence of the first radish, you inform them of the other one; curiosity being what it is, they would have to go and look, at which point you reboot the machine and enable the USB port in the BIOS.

Still cheaper and has more chance of success.


Re: re: slip a 4g dongle

Shut up about your radish plans!

I quite like radishes, and if Amber Rudd gets wind of your scheme she's bound to ban them!


Re: re: slip a 4g dongle

I disable USB ports with two part epoxy. (They shouldn't exist on "secure" hardware to begin with, but bean counters being bean counters ... )

Anonymous Coward

Re: re: slip a 4g dongle

It's best I stop anyway because the nuclear power plant 3 radish shutdown technique needs to stay a secret for all our safety.


Re: re: slip a 4g dongle

I disable USB ports with two part epoxy. (They shouldn't exist on "secure" hardware to begin with, but bean counters being bean counters ... )

OK 2 radishes and a cute kitten.

Whip off case, put usb cable on internal headers, copy data, remove cable and replace lid.


Re: re: slip a 4g dongle

Then you would need two radishes.

Two quantum-spinlocked radishes. You keep one, and offer the other to your target to eat. Then after a while, some of the radish molecules will end up in the target's brain, in particular the vision cortex. Then, through the quantum coupling, the other radish will receive a duplicate of what the target sees: computer screens, printouts, even the entire interior of the secure facilities. Then all that's left is turning that information into a format that can be stored and processed further.


Re: re: slip a 4g dongle

No, no, no ....it's carrots that are used to improve vision, as any fule kno.


Re: re: slip a 4g dongle

"I disable USB ports with two part epoxy. (They shouldn't exist on "secure" hardware to begin with, but bean counters being bean counters ... )"

Must make fitting a keyboard and mouse to a modern PC a real PITA.

Or do you glue them in and chuck the PC away when the mouse or keyboard fails?


Re: re: slip a 4g dongle

I spec PS/2 ports for mice/keybr0ads on secure systems. Works for me, YMMV.


Oh look a Daily Mail April fool

Anonymous Coward

Sometimes

It would be great if El Reg still had "Rate This Article".


Re: Sometimes

It's almost as if the PFY was allowed to try his hand at writing a BOFH article.

Anonymous Coward

Badly written

Why did we need the fantasy narrative with this article, it didn't work.


I misread the headline as using a humble spanner.

Turns out it was much more improbable than that.


Meh.

So is this a fail because it's being released two days too early, or because the 'possible attack' isn't plausible but gives El Reg the chance to go out and play with a drone for the photo shoot? (Free clue... the names of the security products?)

If you're going to create a fake story, at least make it seem more plausible. Here's a more plausible scenario...

They managed to infect the machine. Since they are afraid to use the normal network, the malware disables the LED attached to the camera so that the camera light that tells you it's on is inactivated. Then they shine the low powered laser on the camera to pass along the information.

Oh and because the drone is moving and it's possible that some bits get lost along the way, they have to send 3 copies of the command along with an id number so that they could be sent and received out of order....

(Wasn't it SNOBOL or some other language that allowed for the punch cards to be sent out of order?)

Anyway... that's much more feasible than trying to program a scanner which BTW would be a network based piece of equipment as part of the scan/print/copy/fax machine.

Anonymous Coward

Why all the messing about?

I was getting training at a firm that was next door to one of the main UK sites for a bank. Our window overlooked the side door which had no staff on it, just a keypad. Over the course of less than half a day we figured out the code for the door and all 10 of us went through it just after 4PM when training had ended, we weren't challenged until we'd spoken to the concierge chap at the front door and ASKED about the side door security at which point they got rather miffed. Oddly enough the course we were on was about information security so it was quite appropriate.

People were coming and going constantly, there was no cowl to hide the keypad, no attempt to block it was made by staff and it was only 6 digits, which repeated: 727727

It was only a few weeks afterwards I realised the code on a telephone pad would be able to spell out RBSRBS :)


> Over the course of less than half a day we figured out the code for the door...

Interesting as the sister-in-law worked for a bank at one of their cheque processing centres and not only was the door code an individual pin (linked to a badge that had to be swiped as well), but the code only worked during your shift times. While super-secure, it had the unfortunate side-effect when staff swapped shifts and the team lead forgot to inform 'the system', you could go out for a fag break and not be able to get back in again. :-)


rm -rf

I see your rm -rf and raise you with:

nohup cd /; rm -rf * > /dev/null 2>&1 &'

Output to null, and continue even if logged out. What fun...

https://www.theregister.co.uk/2006/02/24/bofh_2006_episode_8/


Re: rm -rf

Wouldn't you want a -- after nohup?


Re: rm -rf

Dunno - it was a direct copy/paste from the article. Dare you question the almighty BOfH? ;)


Why bother with Rube Goldberg contraptions?

If you are near the building in question and have the funds to pull something like this off, why not have someone on your team just apply to be a janitor?

A janitor is issued a card that allows them access to pretty much every part of a building, they have a cart that can easily hide several laptops and other hardware, no one even blinks when they see them rooting about in the ceilings, walls, etc. And they are -expected- to be in the building when no one else is. Most companies tend to not bother verifying the identity / credentials of such candidates, especially if you walk in with a thick Eastern European or Central American accent (most companies are afraid that if they run a person's ID, then they'll have to pay them minimum wage, lest they get busted by the government).

I paid for grad school by working for a Red Team Pen-test company and that is how I'd get in to do the reconnaissance phase. My grandparents were Polish and I had learned several words and phrases as well as how to properly imitate the accent. Got into a lot of supposedly high security facilities that way...

Anonymous Coward

A much simpler but less 'newsworthy' approach

And then there's also the option of being a copier maintenance technician.

Less newsworthy, not least because it's not a new tactic. But this tactic was still plausible in 2015, and probably still works in some places today, even on allegedly 'secure' sites.

One UK 'List X' site I was familiar with had all kinds of advance notice rules for the (alleged) security clearance of visitors. Typically a fortnight's notice was needed for someone to be checked.

But if a photocopier ever failed, someone not known to the site could get in with no verifiable ID, with unescorted access, and get access to various places and to the internals of *large* devices connected to the sitewide LAN.

In fact there wasn't any need for a broken machine, just turn up at the entrance gatehouse (outsourced security wouldn't have a clue about who's allowed in or not), get a contractor's badge, off you go.

Copier technician could then even stick a single board computer inside the innards of the copier.

Someone did ask the security people why this was permissible. Answer came there none.

Proper job. Not.


Re: A much simpler but less 'newsworthy' approach

Clock watching before I go home - but your story has reminded me of something I saw somewhere, probably on this very site: a story about the yanks in the cold war bribing engineers to install hidden cameras in the Russian photocopying machines. Then they would collect the film every couple of weeks!

Anonymous Coward

I thought this was a news story!

'twas just complete twaddle.
