Researchers in Israel have demonstrated how infrared light could be used to plant malware in secure computer networks that aren’t even connected to the internet.
The team, from Ben-Gurion University of the Negev (BGU), demonstrated how security cameras infected with malware can receive covert signals and leak sensitive information using the camera’s infrared-emitting LEDs.
The researchers showed how malware can control the intensity of the infrared LED to relay binary signals containing sensitive information to a remote attacker.
The method, according to the researchers, will work on both professional and home security cameras and even LED doorbells, which can detect infrared light not visible to the human eye. Dubbed “aIR-Jumper”, it also enables the creation of bidirectional, covert, optical communication between air-gapped internal networks, meaning networks of computers that are isolated and disconnected from the internet and do not allow remote access to the organisation.
Attackers could also use this novel covert channel to communicate with malware inside the organisation. An attacker can infiltrate data, transmitting hidden signals via the camera’s IR LEDs. Binary data such as command and control (C&C) messages can be hidden in the video stream, recorded by the surveillance cameras, and intercepted and decoded by the malware residing in the network.
Commenting on how the method might be used by cybercriminals, Dr Mordechai Guri, head of research and development for BGU’s Cyber Security Research Center (CSRC), said: “Theoretically, you can send an infrared command to tell a high-security system to simply unlock the gate or front door to your house.”
“Security cameras are unique in that they have ‘one leg’ inside the organisation connected to the internal networks for security purposes, and ‘the other leg’ outside the organisation, aimed specifically at a nearby public space, providing very convenient optical access from various directions and angles,” he added.
The researchers shot two videos to demonstrate the technique. The first shows an attacker hundreds of yards away sending infrared signals to a camera, whilst the second shows the camera infected with malware responding to covert signals by exfiltrating data, including passwords.
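Because the outbound channel described above depends on malware changing the IR LED intensity far more often than a camera's normal day/night switching, a defender can look for bursts of LED level changes. The following is an added example, not code from the BGU researchers. It assumes the camera or video recorder logs each IR LED level change with a timestamp. The log format, sample events and thresholds are constructed for illustration.

```python
from collections import deque

# Constructed sample events: (seconds since midnight, IR LED intensity 0-100),
# in the shape an assumed camera/NVR audit log would report each level change.
NORMAL = [(21600, 0), (68400, 100)]  # LED off at dawn, on at dusk
SUSPECT = NORMAL + [(72000 + i * 0.5, 100 if i % 2 else 20) for i in range(40)]


def flag_rapid_modulation(events, window_s=60.0, max_changes=4):
    """Return (start, end, changes) spans in which the LED level changed more
    than max_changes times inside a sliding window of window_s seconds.

    window_s and max_changes are assumed thresholds; tune them against the
    normal switching behaviour of the cameras being monitored.
    """
    recent = deque()   # timestamps of level changes inside the current window
    spans = []
    prev_level = None
    for ts, level in sorted(events):
        if level == prev_level:
            continue   # repeated report of the same level, not a change
        prev_level = level
        recent.append(ts)
        while ts - recent[0] > window_s:
            recent.popleft()
        if len(recent) > max_changes:
            if spans and recent[0] <= spans[-1][1]:
                # Still inside the burst already reported: extend it.
                start, _, count = spans[-1]
                spans[-1] = (start, ts, count + 1)
            else:
                spans.append((recent[0], ts, len(recent)))
    return spans


if __name__ == "__main__":
    for name, log in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, flag_rapid_modulation(log))
```

A flagged span is a lead for investigation rather than proof of a covert channel, since faulty light sensors or flickering ambient lighting can also cause rapid switching.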