Last year Israeli cryptographers Adi Shamir, Yuval Elovici and Moti Guri, from Ben-Gurion University, demonstrated at the Black Hat Europe conference how air-gapped networks — that is, computer systems that have been separated from the Internet for protection — can be hacked. Not surprisingly, this is an accomplishment that intelligence agencies around the world may or may not have accomplished, undoubtedly at high cost.
The researchers, though, were able to accomplish the task with a long-distance laser delivered by drone. The entry point? An HP Officejet Pro 8500 printer. The end result? The transfer of stolen data within seconds.
It wasn’t pretty.
This is how Bit4Id Chief Information Security Officer Pierluigi Paganini described it in his security affairs blog:
The team used a blue laser that blinks malware in binary code, the data were sent by the researchers from a distance greater than 1 kilometer away, and according to experts the range could reach as high as 5 kilometers.
The printer’s scanner inside the network works as a bridge, it is used to read that code and convert it in instructions that are sent within the network to the malware. The siphoned data could be sent back to the attacker with the same scanner that has read the code, it could transform data in blinks of light which is captured by a small drone equipped with a video camera.
Shorter distances too
At shorter distances, the laser doesn’t even have to be all that expensive. At the Black Hat USA 2009 security conference in Las Vegas, Andrea Barisani and Daniele Bianco, researchers for network security consultancy Inverse Path, showed that merely drawing a bead on a machine with a laser works just fine. "No expensive piece of equipment is required," they wrote.
It's very simple actually, according to a Kaspersky blog post on (as it turns out) the many ways an air-gapped system can be hacked. Each computer key generates its own pattern of vibrations that can be detected when the laser is directed at a part of the keyboard that reflects light well. The logotype of the manufacturer is a good example.
How to counter it? Kaspersky is not much comfort. "These methods work only in the immediate vicinity. Try not to let spies close to you." Or presumably corporate spies or saboteurs.
Lasers can make computing safer too
So it is a nice contrast to read of research under way at the Massachusetts Institute of Technology that could lead to safer infotech — and by the way, advances in quantum computing.
Sergio Cantu, a second-year Ph.D. student in physics who conducts research in MIT’s Center for Ultracold Atoms, tells of the advances of atomic physics that allows researchers to control a laser frequency with much higher precision and accuracy and hence, give them better control over their interaction with atoms.
Cantu’s research uses light as an information carrier in computing and calculating. To address that pesky issue of the speed of light being too fast for researchers to imprint information, Cantu and his colleagues used a technique called electromagnetically-inducted transparency to slow the speed of propagation of light to about 100 meters per second.
This allowed the researchers to manipulate the clusters of atoms one unit of light at a time. Cantu and his team mapped interactions between light and atoms, using them as a way to transmit and exchange information.
So how does this research make computers safer?
Computing at the level of photons, which is what the team is doing, prohibits lasers from intercepting the data, or at least all of the data.
Rather, the would-be hacker would get bits and pieces of it, rendering it useless. Meanwhile the intended recipient would also receive incomplete data and presumably realize what had happened.
Cantu believes eventually this level of security could be applied in personal computers.
From where he sits, quantum computing's great benefit is that it will allow people to interact online much more securely, "and for me that’s a huge advantage no matter who you are or what you’re sending.”