ETHERLED and GAIROSCOPE Attacks Allow Data Exfiltration from Air-gapped PC

In two research papers published by Israeli researcher Mordechai Guri, exclusive details of novel methods for exfiltrating data from air-gapped systems and MEMS gyroscopes have been revealed. The methods are dubbed ETHERLED and Gairoscope.

How does ETHERLED Works?

For your information, air-gapped PCs refer to computers installed in critical infrastructures, weapon control units, and other sensitive locations. These computers stay isolated from the public networks to ensure optimum data security. Hence, the system uses air-gapped networks in which a network card remains an integral component.

According to Guri’s research , this card is prone to infection if an attacker can lace it with specially designed malware and replace the driver with a different version. This new version can modify the LED color and blinking mechanism to transmit encoded data waves.

The attacker captures signals with a camera directly connecting to the air-gapped system computer card’s LED lights. These signals are converted into binary to exfiltrate data. The information is sent to a nearby smartphone without requiring a microphone to pick up sound waves.

It takes the conventional techniques of acoustic, optical, electromagnetic, and thermal approaches a notch above. However, it is more covert than other methods.

ETHERLED method is effective on any other hardware in which LEDs are used as status or operational indicators. These include printers, routers, scanners, network-attached storage devices, and other connected devices.

1. Stealing data from air-gapped PC by turning RAM into Wi-Fi Card
2. Hackers Can Now Steal Data from Air-Gapped PCs via SATA Cables
3. Hackers can steal data from air-gapped PC using screen brightness
4. Malware can extract data from air-gapped PC through power supply
5. Hackers can steal data from Air-Gapped PCs with microphones, speakers

How does GAIROSCOPE Work?

Gairoscope attack on an air-gapped system relies on generating resonance frequencies on the targeted device/system. These frequencies are captured by the gyroscope sensor of a smartphone from a distance of up to 6 meters.

This attack starts by infecting the smartphones of a targeted organization’s employees with a rogue app through numerous attack vectors, including social engineering, infected websites, or malicious ads. Then the attacker abuses the access to obtain sensitive data like credentials or encryption keys and encodes and transmits the information by covertly sending out acoustic sound waves through the device’s loudspeaker.

An infected smartphone in close proximity detects the data transmission and listens through the device’s built-in gyroscope sensor. The data is then demodulated, decoded, and sent to the attacker through Wi-Fi due to ultrasonic corruption. This phenomenon impacts MEMS gyroscopes at resonance frequencies.

“Our malware generates ultrasonic tones in the resonance frequencies of the MEMS gyroscope. These inaudible frequencies produce tiny mechanical oscillations within the smartphone’s gyroscope, which can be demodulated into binary information.”

Dr. Mordechai Guri

Inaudible sound, when played near the gyroscope, generates an internal disruption to the signal output, and this error can be exploited to encode/decode data. Reportedly, the data is transferred with bit rates of 1-8 bit/sec at 0-600 cm distance, and the transmitted reaches a distance of 800 cm in narrow areas.