aIR-Jumper uses infrared cameras to steal data [with video links]

Posted by santillano at 2020-03-14

Malware developed by an Israeli research team uses a security camera's infrared (IR) LEDs as a data transmission channel, and can also receive control commands over the same channel.

The malware, named aIR-Jumper, is installed on a computer that interfaces with a surveillance camera, or on a computer on the same network as the camera, and drives the camera from that host. The attacker must first gain a foothold on such a host.

A camera's infrared LEDs can be used for both data theft and control

The malware works by collecting data from the infected computer, encoding it as a stream of bits, and using the camera's API to blink the device's infrared LEDs; the blinking carries the data out of the compromised network.

As long as the attacker is within range of the camera's infrared LEDs, or can otherwise record the blinking, the data can be recovered with suitable decoding software.

In the other direction, an attacker can use an infrared LED to send commands to a camera inside the infected network. The malware watches the camera's video feed, checks for infrared LED transmissions at preset intervals, and converts the incoming flashes into new commands to execute.
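The three paragraphs above describe one modulation scheme used in both directions: bits are turned into LED on/off periods, and the receiver thresholds the brightness of the LED region in each video frame and samples it once per bit. The following Python simulation is an added example written for this page, not the researchers' code. The framing (an alternating preamble plus an 8-bit length field), the five-frames-per-bit oversampling, the brightness values and the `simulate_camera` stand-in for frame capture are all assumptions chosen for illustration.

```python
# Simulated aIR-Jumper style IR link: on-off keying (OOK) of a camera's IR LED.
# Added example, not the researchers' code. Framing, bit period and brightness
# levels below are assumptions for illustration.
from typing import List, Optional

PREAMBLE = "10101010"          # assumed sync pattern: clean edges for the receiver to lock onto
SAMPLES_PER_BIT = 5            # assumed: receiver captures 5 video frames per transmitted bit
LED_ON, LED_OFF = 220.0, 30.0  # assumed mean pixel brightness of the LED region (0-255)


def bytes_to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def bits_to_bytes(bits: str) -> bytes:
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def build_frame(payload: bytes) -> str:
    """Frame layout (assumed): preamble | 8-bit payload length | payload bits."""
    if not 0 < len(payload) < 256:
        raise ValueError("payload must be 1..255 bytes")
    return PREAMBLE + f"{len(payload):08b}" + bytes_to_bits(payload)


def modulate(frame_bits: str, samples_per_bit: int = SAMPLES_PER_BIT) -> List[int]:
    """Transmitter side: LED on for '1', off for '0', each bit held for
    samples_per_bit frames. Idle (LED off) padding on both ends so the first
    preamble bit produces a rising edge the receiver can detect."""
    idle = [0] * (2 * samples_per_bit)
    levels = [int(b) for b in frame_bits for _ in range(samples_per_bit)]
    return idle + levels + idle


def simulate_camera(levels: List[int]) -> List[float]:
    """Stand-in for reading the IR LED region out of each video frame: maps
    LED state to a brightness value with small deterministic jitter."""
    return [(LED_ON if lv else LED_OFF) + ((i * 7) % 11 - 5) for i, lv in enumerate(levels)]


def demodulate(samples: List[float], threshold: float = 128.0,
               samples_per_bit: int = SAMPLES_PER_BIT) -> Optional[bytes]:
    """Receiver side: threshold brightness, lock onto the first rising edge,
    then sample the middle of every bit period. Returns None when no frame
    with a valid preamble is present (e.g. the LED is simply on for night vision)."""
    levels = [1 if s > threshold else 0 for s in samples]
    start = next((i for i in range(1, len(levels)) if levels[i - 1] == 0 and levels[i] == 1), None)
    if start is None:
        return None

    def bit_at(k: int) -> Optional[int]:
        idx = start + k * samples_per_bit + samples_per_bit // 2
        return levels[idx] if idx < len(levels) else None

    header_bits = len(PREAMBLE) + 8
    header = [bit_at(k) for k in range(header_bits)]
    if None in header:
        return None
    header_str = "".join(map(str, header))
    if not header_str.startswith(PREAMBLE):
        return None
    length = int(header_str[len(PREAMBLE):], 2)
    payload = [bit_at(k) for k in range(header_bits, header_bits + 8 * length)]
    if None in payload:
        return None
    return bits_to_bytes("".join(map(str, payload)))


def round_trip(payload: bytes) -> Optional[bytes]:
    """Exfiltration direction: malware blinks the LED, the attacker's camera decodes.
    Infiltration (attacker's IR LED -> camera feed -> malware) is the same code
    with the roles swapped."""
    return demodulate(simulate_camera(modulate(build_frame(payload))))


if __name__ == "__main__":
    print(round_trip(b"passwd:hunter2"))
```

The receiver deliberately does nothing until it sees a rising edge followed by the preamble, which is what lets it ignore a LED that is steadily on for night vision; the same structure is what the malware runs over the camera feed at its preset intervals when listening for commands.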

Cameras equipped with infrared LEDs normally use them for night vision. Because humans cannot see infrared light, the transmissions are hard to notice.

aIR-Jumper can exfiltrate data and receive commands even when the camera is not connected to the Internet, but its range is limited to somewhere between a few meters and a few hundred meters.

Low bit rates, but aIR-Jumper is more practical

"Our assessment shows that attackers can use infrared to communicate with cameras tens to hundreds of meters away," the researchers said.

The researchers added: "Data can be leaked from the [air-gapped] network at a rate of 20 bits per second (per camera) and transmitted into the network at a rate of more than 100 bits per second (per camera)."

These rates are lower than in similar experiments by the same group of researchers. Their earlier work found router and switch LEDs to be the fastest medium for transmitting data out of an air-gapped network.

However, routers and switches usually sit in corporate data centers or other concealed locations, whereas cameras are mounted out in the open, so an attacker can interact with them far more easily.

The researchers also consider infrared better suited than router LEDs because infrared light bounces off nearby surfaces with high reflectivity, so the attacker does not necessarily need a direct line of sight to the camera.

The researchers further say that aIR-Jumper can be adapted to other devices that use infrared LEDs, such as smart doorbells.

In the research paper, titled "aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR)", the researchers propose a series of software and hardware mitigations, such as window shielding, firmware controls, disabling IR support, monitoring IR LED activity, and restricting access to the camera's API functions.
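Of the listed mitigations, monitoring IR LED activity is the one a security operations team can implement without touching the camera hardware: night-vision use switches the IR LEDs a couple of times a day, while a modulated covert channel toggles them many times per second. The detector below is an added example written for this page, not something from the paper. It assumes a hypothetical camera API log in the format `<ISO timestamp> api=set_ir_led value=<on|off> src=<ip>`, and the sample log it processes is constructed inline.

```python
# Added example: flag hosts that toggle a camera's IR LED at covert-channel rates.
# The log format and the sample entries are assumptions constructed for this page.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed log line shape: "<ISO timestamp> api=set_ir_led value=<on|off> src=<ip>"
LINE_RE = re.compile(r"^(\S+) api=set_ir_led value=(on|off) src=(\S+)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, value, source) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def detect_ir_bursts(lines: List[str], window_seconds: float = 1.0,
                     max_toggles: int = 4) -> List[Dict]:
    """One alert per source whose IR-LED toggles exceed max_toggles inside any
    sliding window of window_seconds. Legitimate night-vision switching never
    comes close to that rate; an OOK channel at even a few bit/s does."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, deque] = defaultdict(deque)
    alerted: Dict[str, Dict] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _value, src = parsed
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop toggles older than the window
            q.popleft()
        if len(q) > max_toggles and src not in alerted:
            alerted[src] = {"src": src, "first_seen": q[0], "toggles_in_window": len(q)}
    return list(alerted.values())


def build_sample_log() -> List[str]:
    """Constructed sample: two legitimate night-vision toggles from one host,
    then a burst of 40 toggles 50 ms apart (a 20-bit OOK frame at 10 bit/s)
    from another host."""
    lines = [
        "2020-03-13T18:02:00.000 api=set_ir_led value=on src=10.0.0.5",
        "2020-03-14T06:30:00.000 api=set_ir_led value=off src=10.0.0.5",
    ]
    t0 = datetime(2020, 3, 14, 11, 0, 0)
    for i in range(40):
        ts = (t0 + timedelta(milliseconds=50 * i)).isoformat(timespec="milliseconds")
        value = "on" if i % 2 == 0 else "off"
        lines.append(f"{ts} api=set_ir_led value={value} src=10.0.0.7")
    return lines


if __name__ == "__main__":
    for alert in detect_ir_bursts(build_sample_log()):
        print(f"IR LED burst from {alert['src']} starting {alert['first_seen']}: "
              f"{alert['toggles_in_window']} toggles within 1 s")
```

The threshold is deliberately loose (more than four toggles per second); the point is not to tune it but to show that the covert channel's rate is orders of magnitude above any legitimate use, so even a crude rule separates the two. The same check works against any other device that exposes its IR LED through an API, such as the smart doorbells mentioned above.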

The researchers also published two videos showing how commands are sent to the aIR-Jumper malware through a security camera and how data is exfiltrated from an affected network.

aIR-Jumper was created by a group of researchers from the Cyber-Security Research Center at Ben-Gurion University of the Negev, Israel. The same team is behind a variety of other data-exfiltration experiments that combine malware with the physical world (listed below).

Video links:

Covert communication through a security camera

Leaking data through a security camera

LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED

SPEAKE(a)R - use headphones to record audio and spy on nearby users

9-1-1 DDoS - launch DDoS attacks that can cripple a US state's 911 emergency systems

USBee - make a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data

AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data

Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan

DiskFiltration - use controlled read/write HDD operations to steal data via sound waves

BitWhisper - exfiltrate data from non-networked computers using heat emanations

Unnamed attack - uses flatbed scanners to relay commands to malware-infested PCs or to exfiltrate data from compromised systems

xLED - use router or switch LEDs to exfiltrate data

Shattered Trust - using backdoored replacement parts to take over smartphones