In a groundbreaking discovery, IT researchers have successfully transmitted data through the LEDs of a computer located 25 meters away using laser pulses. This breakthrough means that even systems without wired or wireless connections to the outside world can be attacked. Critical infrastructures, such as those in the energy and transportation sectors, are typically isolated from the internet and internal networks to prevent network-based hacker attacks. This is known as “Air-Gapping.” However, scientists from the Technical University of Braunschweig, the Karlsruhe Institute of Technology (KIT), and the TU Berlin have demonstrated that even computers protected by Air-Gapping can be attacked.
According to a study presented at the 37th Annual Computer Security Applications Conference (ACSAC), optical signals can be used to send commands or steal data from isolated systems. All that is required is a strong laser and a device with LEDs that are switched in a specific way. “The hidden optical communication uses LEDs that are already installed in devices, such as printers or phones, to display status messages,” explains co-author Christian Wressnegger. Although these LEDs are not intended for receiving light, they can react to voltage changes when exposed to high laser irradiation.
The researchers found that nearly half (48%) of the hardware they tested, including WLAN routers, phones, and computers, could be attacked using optical signals. If the firmware is manipulated through a supply chain hack, attackers could remotely control the entire system using laser pulses. In a practical test, the researchers were able to steal data from vulnerable devices located 25 meters away using a powerful laser typically used for engraving. The manipulated systems transmitted the data back through the blinking of their LEDs, with a short blink representing a digital zero and a long blink representing a digital one.
This discovery highlights the importance of not only protecting critical IT systems from an information and communication technology perspective but also from an optical perspective. “Our LaserShark project demonstrates how important it is to protect security-critical IT systems optically as well,” concludes Wressnegger. With this new method of attack, even Air-Gap systems are at risk, and it is crucial to take measures to protect them.
