Organizations use to protect their internal networks from Internet attacks by using firewalls, intrusion detection systems(IDSs) and intrusion prevention systems (IPSs). For a higher degree of protection, so-called ‘air-gap‘ isolation is used.
Once the malware deployed attackers try to establish communication over the covert channel to bypass IPS, IDS, and Firewalls. Over the years various covert channels used by attackers.
Security researchers from Ben-Gurion University of the Negev (BGU) introduced a new covert channel which uses the Infrared and Surveillance camera as a Communication Channel and they Named as aIR-Jumper.
Targeting air-gapped Computers
Air-gap computers need to be compromised with Malware by using Social Engineering methods are by using Insiders. Once deployed malware search for Surveillance camera by using Open ports, IP address and MAC header Response.
Once network mapped malware tries to connect with cameras by stealing the password from Computer or by exploiting the vulnerability to control the IR LEDs. Researchers published a PoC explaining technical details.
Also Read AES-256 keys can be sniffed within Seconds Using €200 Worth Hardware kit
Data Exfiltration and Infiltration – Surveillance Cameras
With Exfiltration scenario, Malware that presents inside the organization can get to the surveillance cameras across the local network and controls the IR illumination.
Then it transfers sensitive data like PIN codes, passwords, and encryption keys are then modulated, encoded and transmitted over the IR signals.An attacker who is sitting in the line of sight can retrieve these IR signals and decode it.
Many surveillance and security cameras monitor public areas which allow attackers to easily establish a line of sight with them.
Researchers said For testing and evaluation, we executed a program which encodes a binary file and transmits it by means of the IR LEDs. The program catches the camera’s IP, the encoding along with the IR intensities’ (amplitudes) timing parameters and the binary file to transmit.
Infiltration
With the infiltration scenario, an attacker standing in a public area uses IR LEDs to send hidden signals to the surveillance camera(s). Binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals.
The signals covered in the video stream are then intercepted and decoded by the malware residing on the network. The exfiltration and infiltration can be combined to establish bidirectionally, ‘air-gap’ communication between the compromised network and the attacker.
Since surveillance cameras can receive light in the IR wavelength, it is conceivable to deliver data into the organization through the video stream recorded by the surveillance cameras, using covert IR signals.
Detection and Countermeasures
Detection can be done at the network level by deep packet inspection, by monitoring the network traffic from hosts in the network to the surveillance cameras.
Disabling the IR LEDs in the surveillance cameras may prevent the exfiltration channel presented in this paper.
The infiltration channel can be prevented by adding an IR filter to the surveillance camera.
