Dark Reading is part of the Informa Tech Division of Informa PLC


Invisible Pixel Patterns Can Communicate Data Covertly

University researchers show that changing the brightness of monitor pixels can communicate data from air-gapped systems in a way not visible to human eyes.

Computers disconnected from the Internet can still be used to transmit information by using slight changes to pixels on the screen that are otherwise not visible to humans, a team of researchers from Ben-Gurion University (BGU) of the Negev and Shamoon College of Engineering stated in a paper published on February 4.

The research project, called BRIGHTNESS, assumes that an attacker wants to exfiltrate data from a compromised machine not connected to any network and uses changes in the red values of a collection of pixels to communicate information to any video camera in the vicinity. Such display-to-camera (D2C) communication is a subject of study among academic cybersecurity researchers, but creating a system that is not perceptible to humans is novel.

The groups that have to worry about such threats are not just limited to government facilities, says Mordechai Guri, the head of research and development at BGU's Cyber-Security Research Center and one of the authors of the paper.

"The attack is practical in certain scenarios," he says. "In the finance sector, for example, exfiltrating cryptocurrencies' private keys — which is equal to own[ing] the wallet — from a secure, isolated computer that signs the transactions" is one possible scenario.

Attacks against highly secure systems not connected to a network — known as air-gapped systems — have been a topic of both study and practical attacks for more than two decades. Attacks using information gleaned from electromagnetic emanations, often referred to as TEMPEST attacks, date back to the 1990s and, by some accounts, even to precomputer times.

Monitor screens, hard-drive activity LEDs, network-activity LEDs, and keyboard clicks have all been used to steal information, and in some cases, create a covert communications channel. In 2016, for example, researchers from Tel Aviv University were able to extract the decryption key from a laptop using its emanations. Other attackers have used heat from one system to communicate with another.

In the latest project, the BGU researchers found that, by adjusting the red component of a set of pixels by 3%, they could achieve bit rates of between 5 and 10 bits per second, depending on the distance the camera was from the monitor. In addition, two cameras — a security camera and a webcam — had similar performance, but a smartphone camera could only extract an average of 1 bit per second, according to the report.
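For defenders, the signal described above has a recognizable shape: the mean red level of a screen region toggles many times between two levels a few percent apart. The sketch below is an added example, not code from the paper or the article; it checks a series of per-frame mean red values (for instance from periodic screen captures) for that shape. The function names, thresholds and sample data are assumptions made for illustration.

```python
import random
import statistics

def two_level_split(samples):
    """1-D two-means clustering: returns (low_mean, high_mean, labels)."""
    lo, hi = min(samples), max(samples)
    labels = [False] * len(samples)
    for _ in range(20):
        mid = (lo + hi) / 2
        labels = [s > mid for s in samples]
        highs = [s for s, up in zip(samples, labels) if up]
        lows = [s for s, up in zip(samples, labels) if not up]
        if not highs or not lows:
            break
        lo, hi = statistics.fmean(lows), statistics.fmean(highs)
    return lo, hi, labels

def detect_red_keying(samples, fps, min_depth=0.01, min_separation=4.0,
                      min_transitions=6):
    """Flag a per-frame mean-red series that toggles between two close levels.

    Thresholds are assumed defaults for this example, not values from the paper.
    """
    lo, hi, labels = two_level_split(samples)
    highs = [s for s, up in zip(samples, labels) if up]
    lows = [s for s, up in zip(samples, labels) if not up]
    result = {"suspicious": False, "depth": 0.0, "transitions": 0, "est_bps": 0.0}
    if len(highs) < 2 or len(lows) < 2:
        return result
    noise = max(statistics.pstdev(highs), statistics.pstdev(lows), 1e-9)
    # Run lengths of identical labels give the shortest symbol duration.
    runs, current = [], 1
    for prev, cur in zip(labels, labels[1:]):
        if cur == prev:
            current += 1
        else:
            runs.append(current)
            current = 1
    runs.append(current)
    result["depth"] = (hi - lo) / hi
    result["transitions"] = len(runs) - 1
    result["est_bps"] = fps / min(runs)
    result["suspicious"] = (result["depth"] >= min_depth
                            and (hi - lo) / noise >= min_separation
                            and result["transitions"] >= min_transitions)
    return result

def constructed_series(bits, frames_per_bit, base=200.0, drop=0.03, seed=1):
    """Constructed sample: sensor noise plus an optional 3% two-level change."""
    rng = random.Random(seed)
    return [base * (1 - drop * b) + rng.gauss(0, 0.5)
            for b in bits for _ in range(frames_per_bit)]
```

A single brightness step, such as a window opening, produces only one transition and is not flagged; plain sensor noise fails both the depth and the separation checks.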

Theoretically, the techniques could extract tens of bits per second, Guri says.

"The maximal bit-rate may reach 30 bits/sec [or] more, if more advanced modulation methods are used," he says. For example, an attacker could "use more than 2 brightness levels and more than 1 color."

Are the changes truly invisible to the human eye? The researchers conducted the experiment in a controlled level of ambient lighting and waited until the subjects adapted to the light level. In addition, the frequency at which a blinking image appears to be a steady-state image — a threshold known as the critical fusion frequency (CFF) — varies depending on the ambient lighting, the researchers said.

"The sensitivity of the visual system gradually adapts as one moves from a darker or brighter environment," the researchers wrote, adding that "particularly with low levels of illumination, increasing the duration can increase the likelihood that the stimulus [blinking image] will be detected."

The prerequisite that an air-gapped computer be already compromised is not that rare, Tal Zamir, founder and chief technology officer of Hysolate, a maker of endpoint-security solutions, said in a statement.

"This is not uncommon, as one of the challenges with physically air-gapped solutions is the inability for the user to be productive, and many times, they look for workarounds in order to get their tasks completed — and there lies the introduction of risk into the environment," he said. "Security and productivity have always been seen as a constant balancing act, where the traditional mindset believes that in order for one to thrive the other must suffer."

Moreover, while the attack is mainly a worry for super-secure facilities that have sensitive or top-secret data on air-gapped systems, the attack could also be used to avoid communicating data over, for example, a heavily monitored network.

Yet, for most companies, hiding covert data in network packets is a far more likely way to secretly communicate, Guri says.

"The traditional network-based covert channels are the issue to watch today," he says. "Finding hidden information within Internet protocols, SSL, HTTPS, emails, and so on, is a challenge by itself."
