Xerox Day Vulnerability
Ben Nassi * Adi Shamir ** Yuval Elovici *
*Ben-Gurion University of the Negev **Weizmann Institute of Science
In the area of espionage between countries, an infiltration covert channel used to trigger silent malware installed on the network of a critical organization (such as 911 services or a missile launching facility) from the outside world is extremely dangerous to the target country's security. In order to prevent attackers from establishing such a channel, these organizations take various steps to secure their networks, making the establishment of this type of covert channel very challenging and almost impractical to achieve; the current state of the art methods for doing so are very limited and ineffective. In this paper, we show that even a strong isolation technique, such as air-gapping the network, can be circumvented by using an organizational multifunction printer (MFP) to establish an infiltration covert channel in order to communicate from the outside with malware installed in an isolated organization. We show how an attacker can leverage the light sensitivity of an MFP and use different light sources to infiltrate commands to the malware in the organization. We analyze the influence of light intensity, distance, transmission rate, ambient light, and wavelength on the covert channel. In addition, we demonstrate the attack on a real organization using: 1) a laser attached to a tripod stand; 2) a laser carried by a drone; and 3) a hijacked smart bulb that is not even connected to the organization's network and is accessed and controlled by an attacker in a passing car. We show that locating the scanner in an inner room inside an organization does not prevent an attacker from establishing the covert channel. We show how our covert channel can be established from a greater distance (900 m) and at a higher transmission rate (200 bits/s) than other methods used to infiltrate data into an organization, even using invisible light (covertly).
What vulnerability is being exploited by attackers?
MFPs are sensitive to changes in ambient light, allowing attackers to influence their scan output by projecting light onto them with a laser.
What are the uses of infiltration covert channels?
Infiltration covert channels are mostly used as red buttons (i.e., triggering silent malware for a specific purpose).
What is the novelty behind this research?
It demonstrates an invisible method of creating an optical covert channel with malware installed on an air-gapped network via a connected multifunction printer (MFP).
What permissions are required by the malware?
User-space permissions. The malware must be able to launch a scan via the connected MFP and read its output.
What is the maximal effective distance for such a method?
We were able to establish a channel from 900 meters; however, this highly depends on the intensity of the laser.
How can attackers apply this method invisibly?
MFPs are sensitive to infrared and ultraviolet light, so attackers can transmit their message to the MFP using invisible lasers.
Is my organization secured if there isn't a direct line of sight to the MFP?
No. Other devices that emit light (e.g., smart bulbs) can be hijacked by attackers in order to modulate commands.