aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR)

TL;DR

This paper demonstrates how security cameras and infrared light can be exploited to establish covert, bidirectional air-gap communication channels for data exfiltration and infiltration, revealing new security vulnerabilities.

Contribution

It introduces novel methods for covert data transfer using IR-enabled surveillance cameras, including implementation details and evaluation of data rates and distances.

Findings

Data exfiltration at 20 bits/sec over tens of meters

Data infiltration at over 100 bits/sec over hundreds of meters

Bidirectional covert communication possible via IR signals

Abstract

Infrared (IR) light is invisible to humans, but cameras are optically sensitive to this type of light. In this paper, we show how attackers can use surveillance cameras and infrared light to establish bi-directional covert communication between the internal networks of organizations and remote attackers. We present two scenarios: exfiltration (leaking data out of the network) and infiltration (sending data into the network). Exfiltration. Surveillance and security cameras are equipped with IR LEDs, which are used for night vision. In the exfiltration scenario, malware within the organization access the surveillance cameras across the local network and controls the IR illumination. Sensitive data such as PIN codes, passwords, and encryption keys are then modulated, encoded, and transmitted over the IR signals. Infiltration. In an infiltration scenario, an attacker standing in a public area (e.g., in the street) uses IR LEDs to transmit hidden signals to the surveillance camera(s). Binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals. The exfiltration and infiltration can be combined to establish bidirectional, 'air-gap' communication between the compromised network and the attacker. We discuss related work and provide scientific background about this optical channel. We implement a malware prototype and present data modulation schemas and a basic transmission protocol. Our evaluation of the covert channel shows that data can be covertly exfiltrated from an organization at a rate of 20 bit/sec per surveillance camera to a distance of tens of meters away. Data can be covertly infiltrated into an organization at a rate of over 100 bit/sec per surveillance camera from a distance of hundreds of meters to kilometers away.