# CTRL-ALT-LED: Leaking Data from Air-Gapped Computers via Keyboard LEDs

**Authors:** Mordechai Guri, Boris Zadov, Dima Bykhovsky, Yuval Elovici

arXiv: 1907.05851 · 2019-07-15

## TL;DR

This paper demonstrates that keyboard LEDs can be exploited to covertly exfiltrate data from air-gapped computers using optical signals, with high data rates and without hardware modifications, posing a significant security threat.

## Contribution

It provides a comprehensive analysis of LED-based data exfiltration, introduces a practical malware implementation, and evaluates various optical receivers including smartphones.

## Key findings

- Maximum data rate of 3000 bits/sec with light sensors
- Data exfiltration achievable at over 120 bits/sec using smartphones
- Attack does not require hardware or firmware modifications

## Abstract

Using the keyboard LEDs to send data optically was proposed in 2002 by Loughry and Umphress [1] (Appendix A). In this paper we extensively explore this threat in the context of a modern cyber-attack with current hardware and optical equipment. In this type of attack, an advanced persistent threat (APT) uses the keyboard LEDs (Caps-Lock, Num-Lock and Scroll-Lock) to encode information and exfiltrate data from airgapped computers optically. Notably, this exfiltration channel is not monitored by existing data leakage prevention (DLP) systems. We examine this attack and its boundaries for today's keyboards with USB controllers and sensitive optical sensors. We also introduce smartphone and smartwatch cameras as components of malicious insider and 'evil maid' attacks. We provide the necessary scientific background on optical communication and the characteristics of modern USB keyboards at the hardware and software level, and present a transmission protocol and modulation schemes. We implement the exfiltration malware, discuss its design and implementation issues, and evaluate it with different types of keyboards. We also test various receivers, including light sensors, remote cameras, 'extreme' cameras, security cameras, and smartphone cameras. Our experiment shows that data can be leaked from air-gapped computers via the keyboard LEDs at a maximum bit rate of 3000 bit/sec per LED given a light sensor as a receiver, and more than 120 bit/sec if smartphones are used. The attack doesn't require any modification of the keyboard at hardware or firmware levels.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1907.05851/full.md

## Figures

29 figures with captions in the complete paper: https://tomesphere.com/paper/1907.05851/full.md

## References

36 references — full list in the complete paper: https://tomesphere.com/paper/1907.05851/full.md

---
Source: https://tomesphere.com/paper/1907.05851