Researchers at Ben-Gurion University in Israel developed a proof-of-concept exploit called aIR-Jumper that uses lights within security cameras for both data exfiltration and infiltration of air-gapped networks. How does this attack work? Should enterprises take any preventative steps with their security cameras?
Side-channel, covert-channel and similar sensor-based attacks are typically used in targeted campaigns because they are resource-intensive, require physical access to a particular system and demand a high level of skill. Even though these prerequisites reduce the chance that an enterprise will be attacked in this way, enterprises should not stop assessing the risk of targeted attacks in their high-security environments.
Once the highest risks are addressed, an enterprise may want to determine whether any resources should be devoted to defending against targeted attacks. Likewise, manufacturers of devices and systems used in high-security environments should evaluate their products to see whether they can prevent them from being used in a targeted attack.
The researchers at Ben-Gurion University developed aIR-Jumper to leverage the lights within security cameras as a covert channel for transmitting data. Since surveillance cameras are not known for incorporating general security practices, it is not surprising that they expose an environment to significant unknown risk when left unsecured.
In this attack, it is assumed that malicious software is installed on an air-gapped network, and that security cameras are accessible from the infected system. This is a reasonable scenario in a remote location that lacks an internet connection.
The aIR-Jumper attack relies on preinstalled malware that connects to unsecured security cameras and then switches the infrared light on and off to transmit data. Some security cameras can be controlled through API calls to their web interface, which is how the researchers were able to toggle the infrared light and create the covert channel. To receive data, the malware monitors the video stream for the same kind of infrared signals and decodes them, which can be used to establish a command-and-control connection.
Regardless of the attack details, enterprises should ensure that security cameras and other insecure devices are segmented from the rest of the network to limit the risk they introduce.
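One defensive check that follows from this description, added here as an example and not code from the article or the researchers: scan a camera's web-interface access log for bursts of infrared on/off switching, which is the signature a covert channel of this kind leaves behind. The log format and the `/cgi-bin/ir` control endpoint are constructed assumptions, not any real camera's API.

```python
"""Flag burst IR-illuminator toggling in a camera web-interface access log.

A camera under normal control changes its IR state a few times per day
(dusk, dawn, manual override). Data modulated onto the IR LED produces
many state changes within seconds. Assumed (constructed) log format:
'<ISO timestamp> <client ip> <request path>'; the IR endpoint
'/cgi-bin/ir?state=on|off' is hypothetical.
"""
from collections import deque
from datetime import datetime
import re

IR_RE = re.compile(r"^(\S+) (\S+) /cgi-bin/ir\?state=(on|off)$")


def parse_ir_events(lines):
    """Return (timestamp, client, state) for log lines hitting the IR endpoint."""
    events = []
    for line in lines:
        m = IR_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def find_toggle_bursts(events, window_s=60, max_toggles=5):
    """Return (client, burst_start, toggle_count) for every client whose IR
    state flips more than max_toggles times inside a sliding window_s window."""
    alerts, per_client = [], {}
    for ts, client, state in sorted(events):
        per_client.setdefault(client, []).append((ts, state))
    for client, seq in per_client.items():
        window, last_state = deque(), None
        for ts, state in seq:
            if last_state is not None and state != last_state:
                window.append(ts)  # record a real on<->off transition
            last_state = state
            while window and (ts - window[0]).total_seconds() > window_s:
                window.popleft()  # drop transitions older than the window
            if len(window) > max_toggles:
                alerts.append((client, window[0], len(window)))
                window.clear()  # one alert per burst
    return alerts


# Constructed sample: benign dusk/dawn switching plus a rapid burst from one host.
SAMPLE_LOG = [
    "2023-05-01T06:02:10 10.0.0.5 /cgi-bin/ir?state=off",
    "2023-05-01T19:41:00 10.0.0.5 /cgi-bin/ir?state=on",
] + [f"2023-05-01T22:15:{i:02d} 10.0.0.77 /cgi-bin/ir?state={'on' if i % 2 else 'off'}"
     for i in range(12)]


def scan(lines=SAMPLE_LOG):
    return find_toggle_bursts(parse_ir_events(lines))
```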