Extracting Data from Air-Gapped PCs via Screen Brightness Changes

By Serena ClarkDigital Forensics

Experts Demonstrate Data Extraction from Air-Gapped PCs Using Screen Brightness Changes

Researchers from Israel’s Ben-Gurion University have introduced a new method for extracting data from computers that are physically isolated from any networks and potentially dangerous peripherals. Such computers are often found in government systems and corporate networks, storing secret documents as well as sensitive and confidential information.

The attack, named BRIGHTNESS, focuses solely on the theft of data. However, it’s important to note that before this method can be used, the attacker must first infect the isolated machine with malware.

How the BRIGHTNESS Attack Works

Once the malware is on the machine, it collects the data to be stolen. When it’s time to exfiltrate the data, the malware changes the monitor’s settings to alter the screen’s brightness. These brightness fluctuations represent a sequence of zeros and ones—binary code—allowing the data to be transmitted bit by bit. The attacker only needs to record the screen’s flickering and later analyze the video to reconstruct the stolen file.

After testing BRIGHTNESS on several configurations, the researchers achieved the best results by changing the brightness of red pixels by about 3%. Such minor changes are almost impossible to notice with the naked eye, but modern cameras—including webcams, surveillance cameras, and cameras in smartphones and laptops—can easily detect them.

Limitations of the Attack

The main drawback of this attack is its data transfer speed. According to the tests, the maximum speed was only 5–10 bits per second, making it the slowest among all exotic data exfiltration methods developed by researchers (see the list below). In practice, the BRIGHTNESS attack might only be useful for stealing a small encryption key; transferring a 1 GB archive this way is simply not feasible.

The researchers note that the simplest way to protect against such attacks is to apply a polarizing film to monitor screens.

Other Data Exfiltration Methods from Ben-Gurion University

The Ben-Gurion University team has developed several other innovative data exfiltration techniques, including:

  • USBee: Turns almost any USB device into an RF transmitter to send data from a secured PC.
  • DiskFiltration: Captures information by recording the sounds made by a computer’s hard drive during operation.
  • AirHopper: Uses a mobile phone’s FM receiver to analyze electromagnetic emissions from a computer’s video card and convert them into data.
  • Fansmitter: Controls the speed of a computer’s fan, changing its tone so it can be recorded and decoded as data.
  • GSMem: Sends data from an infected PC to any GSM phone, even the oldest models, using GSM frequencies.
  • BitWhisper: Utilizes thermal sensors and fluctuations in heat energy to transmit data.
  • Unnamed attack: Uses flatbed scanners and smart bulbs for data transmission.
  • HVACKer and aIR-Jumper: Steals data using surveillance cameras equipped with IR LEDs, and leverages HVAC systems as a bridge to isolated networks.
  • MOSQUITO: Proposes extracting data using ordinary headphones or speakers.
  • PowerHammer: Suggests using standard power cables for data exfiltration.
  • CTRL-ALT-LED: Uses the Caps Lock, Num Lock, and Scroll Lock LEDs to transmit information.

Leave a Reply