Hackers circumvent 'air gap' security with a drone that 'reads' the lights on a computer

If you weren’t concerned about the sight of a drone hovering outside your window peering in at you (and, for the record, you probably should be!), you certainly will when you hear that it could be extracting sensitive data from your computer.

That is according to researchers in the Cyber Security Research Labs at Ben-Gurion University of the Negev in Beersheba, Israel, who have demonstrated an espionage technique that would make James Bond blush, in which a quadcopter films the flashing LED lights on a computer and uses this to steal your data, via a Morse code-style message.

“In this work, we found a novel method to extract data from a computer in a very covert and speedy way,” researcher Mordechai Guri, the research and development manager at Cyber Security Research Labs, told Digital Trends.

The attack method is designed to get around computers which use an “air gap” to protect them, basically removing them from the internet so they can’t be hacked in traditional ways.

Fortunately, things are a bit more complicated than simply getting a camera-equipped drone to play peeping tom. To work, the targeted computer first needs to be infected with malware on a USB or SD card, so would-be villains will need to think of a clever way to smuggle one of those into your office before they even think about firing up a UAV.

No, it’s not enormously practical — but due to the speed that LED lights can blink (faster than a human eye), it is possible for hackers to achieve up to 4,000 bits-per-second in data transfer. A couple of megabytes an hour means that it would take aggressors a long time to extract your HD copy of Rogue One: A Star Wars Story, but it does mean that stealing an encryption key wouldn’t take too long.

“We’re academic researchers. We don’t deal with use-cases, but just establish and analyze possible ways to do this,” Guri said. “Certainly, this is not a usual regular grade attack. However, there are organizations such as banks that have air-gapped computers with valuable, sensitive information they want to keep private. In that case, it’s not unimaginable that we may see more extreme methods used to extract data.”

So how should they protect against such an ultra high-tech attack? Ironically, in the most low-fi ways possible. “You could try putting tape over the LEDs, but that’s not an elegant solution,” Guri continued. “Another solution would be to have the computer in a room with blacked-out windows or curtains to reduce the optical visibility of the computer from outside.”

So, basically, the anti-hacking security version of ‘have you tried turning it off and on again?’ advice.