back to article How to leak data from an air-gapped PC – using, er, a humble scanner

Cybercriminals managed to infect a PC in the design department of Contoso Ltd through a cleverly crafted spear-phishing campaign. Now they need a way to communicate with the compromised machine in secret. Unfortunately, they know Contoso's impenetrable network defenses will detect commands sent to their malware. To avoid …

  1. Pascal Monett Silver badge

    Is this some James Bond-esque fantasy ?

    I thought this was going to be an article about a credible-but-obscure threat. Instead, I get a Rube Goldberg machination that would only work in a Hollywood spy film.

    Let's list the setup requirements :

    1) a bot-infiltrated network

    2) an open scanner next to a window

    3) a drone with a laser

    4) nobody looking out the window wondering what the heck a drone is doing there while a document is being scanned

    5) nobody standing between the scanner and the drone while a document is being scanned

    6) the document being scanned is miraculously transparent to laser light while simultaneously being scannable

    7) no heavy gust of wind during the entire process

    I can accept that, to scan a document, the user leaves the cover open. I have done that very thing every time I had a sheaf of papers to scan. But, if I have a sheaf of papers to scan, I am not moving from in front of the scanner, which would put me squarely in the path of the laser beam. And if I am only scanning one (or two), then I always close the cover.

    Plus, on multifunction printers these days, the cover is likely not just a cover, but integrates a paper-feed mechanism that is way too heavy to effectively leave the cover open.

    And, if we're talking big multifunction printers, they're in a separate room, likely without windows, or a window high up.

    All of that to spend over 3 seconds sending "d x.pdf", which is 7 bytes. God forbid you need to send a dozen ddos orders - you'll be there all day and somebody will end up taking a shotgun to your drone (or, more realistically, calling security).

    If this is your solution to sending commands to your virus bot, you're going to die of hunger before next month.

    1. as2003

      Re: Is this some James Bond-esque fantasy ?

      I'm hoping this article is a satirical look at the recent surge of papers being published on rather ridiculous out-of-band attack vectors.

      "researchers have shown they can exfiltrate data by blinking an HDD led."

      "researchers have shown they can exfiltrate data by vibrating a cd rom in a certain way"

      "researchers have found they can exfiltrate data via ultrasound, assuming speakers are attached"

      All of which assume they've compromised the computer in the first place, and are close enough to pick up vibrations and sounds from it. Thus making it all a bit redundant.

    2. itzman

      Re: Is this some James Bond-esque fantasy ?

      April 1 come early this year?

      1. Anonymous Blowhard

        Re: Is this some James Bond-esque fantasy ?

        "April 1 come early this year?"

        Nope, it's exactly on time - in New Zealand...

    3. Bluto Nash

      Re: Is this some James Bond-esque fantasy ?

      You forgot the most obvious issue - why is the scanner lid opening TOWARD the frickin' window??

  2. jake Silver badge

    I see a fatal flaw ...

    Contoso, as we all know, uses nothing but Microsoft products. Therefor, the "impenetrable network defenses" don't exist.

  3. John Smith 19 Gold badge
    Thumb Up

    Oh right,

    1st April Fool.

    Got it.

    1. Flocke Kroes Silver badge

      Re: Oh right,

      For me, the giveaway was transmitting their command in 3.2 seconds. Including start and stop bits they would barely get two bytes per second. "d x.pdf\n" would require at least 4 seconds even without authentication and error correction.

    2. Ian Michael Gumby Silver badge

      Re: Oh right,

      Considering that its being published on Thursday March 30, not so much.

      But one should point out that 'ultra high' secure buildings have little electric 'tumblers' that are placed in the corner of the windows and vibrate the windows so that no optical eavesdropping can occur. Also the windows are shielded to block radio signals so you can't get cell phone signals in the building...

      Also the equipment may be on line conditioning power supplies that could impact that vector too.

      (Although I think that would only work if the machine was set up to use the power line as a way to communicate. ... )

      1. LondonGull

        Re: Oh right,

        Re windows, if you use a pulsed laser and range gate the timing of which reflection you monitor, you can use reflections from whatever shiny surface you can find inside the room (hello mr pot plant) not just the window

    3. JeffyPoooh Silver badge

      Re: Oh right,

      A day or two early...

      But yes, clearly.

  4. Anonymous Coward
    Anonymous Coward


    We've had computer hdd light and now scanner light.

    What's next? Using the fans to transfer data by air pressure.

    Keep up the useless work chaps.

    1. Halfmad

      Morse code by clicking a pen, that's my bet.

    2. Jason Bloomberg Silver badge

      If slow speed data extraction is acceptable; one can use malware to cause the PC to turn itself off (or not) at certain times of the day..

      One then monitors for power changes, the frequency of "FFS!" utterances, calls to support, or use a drone to watch the power LED.

      Or maybe the hacker crew could just set themselves up a support service, get dodgy kit into a site, sit back and wait for the unsuspecting users to report back the seemingly meaningless error codes which annoyingly pop-up every half hour.

  5. 0laf Silver badge

    Or I could just tailgate you through a door with a badge tucked into my top pocket, mumble I've a meeting with 'John' at 11am find an empty seat and plug in my hacking kit of choice.

    Ok not nearly as 'Bond-like' as the story but will work in a large number of sites without 6 months of fecking around.

    So really, worry about the basic threats before you start defending against Ninjas and SMERSH.

    1. Allan George Dyer Silver badge

      But Bond does exactly that...

      in Diamonds are Forever, to gain entry to the Whyte laboratory.

    2. Anonymous Coward
      Anonymous Coward


      At the IBM labs in Markham outside of Toronto, the secure part of the building has a turn style so that you can't get access via tailgating, along with cameras that are tied back to a security desk. (Just in case you want to try to use the door that they have to allow for carts...)

  6. Jimmy2Cows

    Wait... days?

    It took them days to realise scanners are usually closed when scanning stuff to, you know... scan the thing on the bed and not the office ceiling...?

    Hands up who's immediate first thought was "wait... scanners have a lid".

    Never mind other problems like keeping the drone laser focussed on the scanner sensors in ambient weather conditions, glass distortion, glass coatings, the rather obvious drone hovering outside the office window...

    Keep up the good work guys.

    1. Pen-y-gors Silver badge

      Re: Wait... days?

      Hand up

  7. Allan George Dyer Silver badge
    Paris Hilton

    My plan...

    involves malware with OCR, a webcam and a drone with a cardboard sign with the instructions printed on it.

    "Why's there a sign saying 'rm -r /' hovering outside?"

    1. Crazy Operations Guy Silver badge

      Re: My plan...

      TO be pedantic, 'rm -r /' isn't going to do anything on a modern Linux system... There aren't any system critical files in the root directory, just sub-directories as far as the eye can see.

      I believe you mean 'rm -rf /'...

      1. disgustedoftunbridgewells Silver badge

        Re: My plan...

        I believe you mean:

        rm -r -no-preserve-root /

      2. Allan George Dyer Silver badge

        Re: My plan...

        Curses! Foiled Again!

        1. jake Silver badge

          Re: My plan...

          curses is a whole 'nuther kettle o'worms ...

  8. Anonymous Coward
    Anonymous Coward

    I've got another way of gaining access to a air-gaped network using a radish.

    First you need to have access to the building and the opportunity to get close to one of the machines.

    Place the radish on the desk to the right of the machine.

    Then say to the user "Oh look a radish"

    When they turn to look and pick up the radish you quickly slip a 4g dongle with an sd card loaded with malware and you're good to go.

    I think this has more chance of success than the technique developed using a scanner, it's cheaper too as radishes are much cheaper than drones.

    1. Buzzword

      re: slip a 4g dongle

      One of the first steps in network security is to disable all USB ports. D+; must try harder.

      1. Anonymous Coward
        Anonymous Coward

        Re: re: slip a 4g dongle

        Good point I stand corrected.

        Then you would two radishes.

        You would place the other at reception after alerting their presence to the first radish you inform them of the other one, curiosity being what it is they would have to go and look at which point you reboot the machine and enable the usb port in the bios.

        Still cheaper and has more chance of success.

        1. Simon Harris Silver badge

          Re: re: slip a 4g dongle

          Shut up about your radish plans!

          I quite like radishes, and if Amber Rudd gets wind of your scheme she's bound to ban them!

          1. Anonymous Coward
            Anonymous Coward

            Re: re: slip a 4g dongle

            It's best I stop anyway because the nuclear power plant 3 radish shutdown technique needs to stay a secret for all our safety.

        2. jake Silver badge

          Re: re: slip a 4g dongle

          I disable USB ports with two part epoxy. (They shouldn't exist on "secure" hardware to begin with, but bean counters being bean counters ... )

          1. Anonymous Coward

            Re: re: slip a 4g dongle

            I disable USB ports with two part epoxy. (They shouldn't exist on "secure" hardware to begin with, but bean counters being bean counters ... )

            OK 2 radishes and a cute kitten.

            Whip off case, put usb cable on internal headers, copy data, remove cable and replace lid.

          2. x 7

            Re: re: slip a 4g dongle

            "I disable USB ports with two part epoxy. (They shouldn't exist on "secure" hardware to begin with, but bean counters being bean counters ... )"

            Must make fitting a keyboard and mouse to a modern PC a real PITA.

            Or do you glue them in and chuck the PC away when the mouse or keyboard fails?

            1. jake Silver badge

              Re: re: slip a 4g dongle

              I spec PS/2 ports for mice/keybr0ads on secure systems. Works for me, YMMV.

        3. Stoneshop Silver badge

          Re: re: slip a 4g dongle

          Then you would two radishes.

          Two quantum-spinlocked radishes. You keep one, and offer the other to your target to eat. Then after a while, some of the radish molecules will end up in the target's brain, in particular the vision cortex. Then, through the quantum coupling, the other radish will receive a duplicate of what the target sees: computer screens, printouts, even the entire interior of the secure facilities. Then all that's left is turning that information into a format that can be stored and processed further.

          1. jake Silver badge

            Re: re: slip a 4g dongle

            No, no, no's carrots that are used to improve vision, as any fule kno.

  9. Rob Crawford

    Oh look a Daily Mail April fool

  10. Anonymous Coward
    Anonymous Coward


    It would be great if El Reg still had "Rate This Article".

    1. John Brown (no body) Silver badge

      Re: Sometimes

      It's almost as if the PFY was allowed to try his hand at writing a BOFH article.

  11. Anonymous Coward
    Anonymous Coward

    Badly written

    Why did we need the fantasy narrative with this article, it didn't work.

  12. thesykes

    I misread the headline as using a humble spanner.

    Turns out it was much more improbable than that.

  13. Ian Michael Gumby Silver badge


    So is this a fail because its being released two days too early, or that the 'possible attack' isn't plausible but gives El Reg the chance to go out and play with a drone for the photo shoot. (Free clue... the names of the security products? )

    If you're going to create a fake story, at least make it seem more plausible. Here's a more plausible scenario...

    They managed to infect the machine. Since they are afraid to use the normal network, the Malware disables the LED attached to the camera so that the camera light that tells you its on is inactivated. Then they shine the low powered laser on the camera to pass along the information.

    Oh and because the drone is moving and its possible that some bits get lost along the way, they have to send 3 copies of the command along with an id number so that they could be sent and received out of order....

    (Wasn't it SNOBAL or some other language that allowed for the punch cards to be sent out of order? )

    Anyway... that's much more feasible that trying to program a scanner which BTW would be a network based piece of equipment as part of the scan/print/copy/fax machine.

  14. Anonymous Coward
    Anonymous Coward

    Why all the messing about?

    I was getting training at a firm that was next door to one of the main UK sites for a bank. Our window overlooked the side door which had no staff on it, just a keypad. Over the course of less than half a day we figured out the code for the door and all 10 of us went through it just after 4PM when training had ended, we weren't challenged until we'd spoken to the concierge chap at the front door and ASKED about the side door security at which point they got rather miffed. Oddly enough the course we were on was about information security so it was quite appropriate.

    People were coming and going constantly, there was now cowl to hide the keypad, no attempt to block it made by staff and it was only 6 digits, which repeated 727727

    It was only a few weeks afterwards I realised the code on a telephone pad would be able to spell out RBSRBS :)

  15. 2+2=5 Silver badge

    > Over the course of less than half a day we figured out the code for the door...

    Interesting as the sister-in-law worked for a bank at one of their cheque processing centres and not only was the door code an individual pin (linked to a badge that had to be swiped as well), but the code only worked during your shift times. While super-secure, it had the unfortunate side-effect when staff swapped shifts and the team lead forgot to inform 'the system', you could go out for a fag break and not be able to get back in again. :-)

  16. davidp231

    rm -rf

    I see your rm -rf and raise you with:

    nohup cd /; rm -rf * > /dev/null 2>&1 &'

    Output to null, and continue even if logged out. What fun...

    1. disgustedoftunbridgewells Silver badge

      Re: rm -rf

      Wouldn't you want a -- after nohup?

      1. davidp231

        Re: rm -rf

        Dunno - it was a direct copy/paste from the article. Dare you question the almighty BOfH? ;)

  17. Crazy Operations Guy Silver badge

    Why bother with Rube Goldberg contraptions?

    If you are near the building in question and have the funds to pull something like this off, why not have someone on your team just apply to be a janitor?

    A janitor is issued a card that allows them access to pretty much every part of a building, they have a cart that can easily hide several laptops and other hardware, no one even blinks when they seem them rooting about in the ceilings, walls, etc. And they are -expected- to be in the building when no one else is. Most companies tend to not bother verifying the identity / credentials of such candidates, especially if you walk in with a thick Eastern European or Central American accent (most companies are afraid that if they run a person's ID, then they'll have to pay them minimum wage, lest they get busted by the government).

    I paid for grad school by working for a Red Team Pen-test company and that is how I'd get in to do the reconnaissance phase. My grandparents were Polish and I had learned several words and phrases as well as how to properly imitate the accent. Got into a lot of supposedly high security facilities that way...

  18. Anonymous Coward
    Anonymous Coward

    A much simpler but less 'newsworthy' approach

    And then there's also the option of being a copier maintenance technician.

    Less newsworthy, not least because it's not a new tactic. But this tactic was still plausible in 2015, and probably still works in some places today, even on allegedly 'secure' sites.

    One UK 'List X' site I was familiar with had all kinds of advance notice rules for the (alleged) security clearance of visitors. Typically a fortnight's notice was needed for someone to be checked.

    But if a photocopier ever failed, someone not known to the site could get in with no verifiable ID, with unescorted access, and get access to various places and to the internals of *large* devices connected to the sitewide LAN.

    In fact there wasn't any need for a broken machine, just turn up a the entrance gatehouse (outsourced security wouldn't have a clue about who's allowed in or not), get a contractor's badge, off you go.

    Copier technician could then even stick a single card ciomputer inside the innards of the copier.

    Someone did ask the security people why this was permissible. Answer came there none.

    Proper job. Not.

    1. Acme

      Re: A much simpler but less 'newsworthy' approach

      Clock watching before I go home - but your story has reminded me of something that somewhere, probably on this very site, a story about the yanks in the cold war bribing engineers to install hidden cameras in the Russian photocopying machines. Then they would collect the film every couple of weeks!

  19. Anonymous Coward
    Anonymous Coward

    I thought this was a news story!

    'twas just complete twaddle.

  20. Dave 32


    I may (or may not; you'll have to decide) have some knowledge of secure buildings/systems.

    Some installations do not allow outside repair personnel into restricted areas. Any failing equipment must be removed from the restricted area, which usually requires "sanitizing" the equipment. Any equipment reinstalled in the restricted area must be examined and approved for information leakage purposes. This gets around the issue of the "copier repair" person having access to the restricted area, or from removing the hard disk from the copier that contains copies of all of the images ever scanned (Look it up if you don't believe me!).

    As for the scanner, remember that most Silicon photosensors are highly sensitive to infrared, well, unless a rather expensive infrared filter has been installed on them. So, just mount an infrared laser on the drone and have it sit 250 feet away from the building and pump out infrared all day (Or, mount the laser on a fixed item, such as another building, or a television/cell-phone tower, or...). Yeah, the window will absorb/reflect some of the infrared, but probably not too much for near infrared. How many high security installations regularly do an infrared scan of their buildings? (Darn. Just gave away a new job opportunity!).

    If y'all want to do some research in the library, go look up how early black epoxy encapsulated transistors were sensitive to infrared light, so much so that removing the cover from a piece of equipment, and holding a light over it would dramatically change the bias conditions on the circuits being examined. The problem, as it turned out, was that that "black" epoxy was only black for optical wavelengths of light; For infrared light, it was almost completely transparent. That's been fixed now. Mostly.

    That still leaves LEDs exposed, and LEDs can make great photosensors, at least if the circuit that they're wired into makes for reading from the port pin that the LED is connected to (And, when is the last time any of you examined the circuit connections for the machine you're using, with LEDs on it? Heck, when they're connected to an IC, can you even guess whether that pin on an IC is an output, an input, or some programmable combination of I/O?).

    Of course, rather than going to all of the trouble to fit a laser on a drone, it'd probably be easier to just drop a pr*n magazine outside the building, with the commands/data encoded steganographically in some of the images. (Darn! I'm giving away all of my good ideas today.).

    As for getting hired in as a janitor, the other option is to get hired in as a security guard. Not too long after the introduction of the PC, one of the security guards at the place I worked at was caught loading up the trunk of his car with the company's PCs. Whoopsie.

    Then, again, it's sometimes easier just to call the network administrator and tell them that you forgot your password. :-(


    P.S. I'll get my coat. It's the one with the punched card deck in the pocket that's labeled "Top Secret".

  21. x 7

    Was this article translated from the original gibberish by Google Translate? An average eight year old kid could have written better structured prose. Trying to write a news story in the present tense is just wrong.

  22. Number6

    My cat is trained to sit on the scanner if it's left open when unattended. Normally it's closed to keep the glass clear of dust and cat fur.

  23. PNGuinn

    Now. If your'e feeling REALLY evil ...

    Just get an IOT device into the "secure" area.

    Simples - everyone loves shiny.

  24. Bitbeisser

    Is it already April 1st in Blighty?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019