The pandemic period has seen a significant increase in attacks on cyber-physical systems, largely due to the growth in connectivity for many devices in the modern world. A common approach to try and stymie these attacks is a simple one: disconnect devices from the internet.

The rationale behind the approach, which is known as “air gapping,” is simple: if a device isn’t connected to the web, the reasoning goes, it can’t be reached by remote attackers. The approach has gained backing from the likes of the CIA, who recommend it as part of an organization’s ransomware defenses.

A time-honored tactic

The approach is not really new. It has been a fundamental part of business continuity programs for many years, long before the latest wave of ransomware attacks made securing cyber-physical systems so important. Organizations have long protected primary sources of software or data from destruction, malicious or otherwise, by keeping a backup copy stored offline.

It’s a practice that has grown in recent years, not least due to the high-profile hacks on companies like Sony and Saudi Aramco, where highly sensitive data was deleted. However, despite the tremendous boom in ransomware attacks, air gapping remains a somewhat niche activity.

One reason is that air gapping creates problems of its own. The recent digital threats report from Microsoft highlighted the security holes created by poorly patched systems, and keeping software up to date is much harder when the system is air-gapped: every update has to be carried across the gap on removable media, and the authenticity of each package has to be verified before it is applied. It can also be tempting to assume that taking a system offline is all the security it needs, and IT teams can become too relaxed. The system will eventually need to be updated, and the longer the lag between updates, the more vulnerable it is when it “comes up for air.”

Air gapping is also vulnerable to human error. Keeping an air-gapped replica useful means maintaining an accurate copy of the live system at all times, which is labor-intensive. Staff under time pressure may be tempted to connect the air-gapped system to the network to speed the job up, breaking the gap and handing attackers an easy way in.
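A gap that is broken “just for a minute” is only caught if someone checks. The script below is an added example, not code from the article or from any vendor; it parses the text output of the Linux `ip -o link show` and `ip route show` commands and reports any non-loopback interface that is administratively up, and any default route, either of which contradicts an air gap. The sample outputs embedded in it are constructed, not captured from a real host, and the helper names (`air_gap_findings`, `check_live_host`) are this example’s own.

```python
"""Verify that a supposedly air-gapped Linux host has no live network path.

Added example, not from the original article. It parses `ip -o link show`
and `ip route show` output (constructed samples below), so the check can run
on the host itself or over output collected from it with a USB stick.
"""
import re
import subprocess

# One line of `ip -o link show`: "<idx>: <name>[@parent]: <FLAG,FLAG,...> ..."
_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")


def parse_links(link_output):
    """Return [(interface name, set of flags)] for each interface line."""
    links = []
    for line in link_output.splitlines():
        m = _LINK_RE.match(line.strip())
        if m:
            links.append((m.group(1), {f for f in m.group(2).split(",") if f}))
    return links


def parse_default_routes(route_output):
    """Return [(gateway, device)] for every default route in `ip route show`."""
    routes = []
    for line in route_output.splitlines():
        parts = line.split()
        if parts and parts[0] == "default":
            gw = parts[parts.index("via") + 1] if "via" in parts else None
            dev = parts[parts.index("dev") + 1] if "dev" in parts else None
            routes.append((gw, dev))
    return routes


def air_gap_findings(link_output, route_output):
    """List every condition that contradicts an air gap; empty list means intact."""
    findings = []
    for name, flags in parse_links(link_output):
        if "LOOPBACK" in flags:
            continue  # lo is always up and never leaves the host
        if "UP" in flags:  # administratively up; LOWER_UP means a cable/radio link exists
            state = "with carrier" if "LOWER_UP" in flags else "no carrier"
            findings.append(f"{name}: interface is UP ({state})")
    for gw, dev in parse_default_routes(route_output):
        findings.append(f"default route via {gw} on {dev}: host can reach beyond its subnet")
    return findings


def air_gap_intact(link_output, route_output):
    return not air_gap_findings(link_output, route_output)


def check_live_host():
    """Run the check against the local host (Linux with iproute2 installed)."""
    links = subprocess.run(["ip", "-o", "link", "show"], capture_output=True, text=True, check=True).stdout
    routes = subprocess.run(["ip", "route", "show"], capture_output=True, text=True, check=True).stdout
    return air_gap_findings(links, routes)


# Constructed sample (not a real capture): eth0 was brought up and got a default route.
SAMPLE_LINKS_BROKEN = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:65:43:21 brd ff:ff:ff:ff:ff:ff
"""
SAMPLE_ROUTES_BROKEN = """\
default via 192.0.2.1 dev eth0 proto dhcp metric 100
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10 metric 100
"""

# Constructed sample for an intact gap: only loopback is up, and there are no routes.
SAMPLE_LINKS_INTACT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
"""
SAMPLE_ROUTES_INTACT = ""

if __name__ == "__main__":
    for label, (l, r) in {"broken": (SAMPLE_LINKS_BROKEN, SAMPLE_ROUTES_BROKEN),
                          "intact": (SAMPLE_LINKS_INTACT, SAMPLE_ROUTES_INTACT)}.items():
        print(label, "->", air_gap_findings(l, r) or ["air gap intact"])
```

Run `check_live_host()` from a cron job or a pre-backup hook and treat any finding as a hard failure; it only covers IP networking, so a host with Bluetooth, a cellular modem or removable media policies needs its own checks alongside it.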

Research from the Karlsruhe Institute of Technology (KIT) recently highlighted that even air-gapped systems should not be regarded as immune from attack. The researchers demonstrated that data can be transmitted to the LEDs in ordinary office devices using a laser, and read back from them, allowing an attacker to communicate with the devices over distances of tens of meters.

Breaking in

The idea that hackers might use lasers to attack a target might sound like something out of a James Bond movie, but the researchers show that it is a very real possibility. They demonstrated the so-called LaserShark attack at the 37th Annual Computer Security Applications Conference (ACSAC).

It was the culmination of an extensive project on hidden communication over a range of optical channels. The project surveyed previous attempts to communicate with air-gapped systems over acoustic or electromagnetic channels. While these were found to work, they required the attacker to be extremely close to the target. Earlier work on optical channels only covered short distances at low data rates, and typically only allowed data to be extracted from the device rather than sent into it.

The researchers, who worked with colleagues from TU Braunschweig and TU Berlin, instead use a directed laser beam to introduce data into an air-gapped system as well as receive data. What’s more, the approach doesn’t require any additional hardware attached to the device being attacked.

“This hidden optical communication uses light-emitting diodes already built into office devices, for instance, to display status messages on printers or telephones,” the researchers explain.

The approach works by aiming the laser at an LED already fitted to the device and having the device read the LED’s response; in the other direction, the device drives the LED and the attacker measures its light. Through this method, the researchers established a covert channel that worked at distances of up to 25 meters, carrying around 18 kilobits per second into the device and 100 kilobits per second out of it, all with ordinary, widely deployed office devices. Like the acoustic and electromagnetic channels before it, this is a communication channel rather than an initial break-in: the target still has to be running attacker-controlled code that reads and drives the LED. Its value to an attacker lies in reaching an implant that the air gap would otherwise cut off from its operator.
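To show what “measuring the response” amounts to once the light has been turned into samples, the following is an added example, not code from the LaserShark researchers. It models both directions of an LED covert channel as the same problem: a sender turns bits into an on/off light waveform, the receiver sees a noisy voltage (the LED used as a light sensor on the inbound side, a photodetector on the outbound side), thresholds it, majority-votes each bit period and syncs on a preamble. On-off keying with a fixed preamble, a length byte and a 0.5 V threshold are assumptions of this toy model, not the modulation used in the paper, and all inputs are constructed.

```python
"""Toy model of a bidirectional LED covert channel (added example, not the
LaserShark researchers' code). On-off keying, the preamble and the threshold
are modelling assumptions, not the scheme from the paper.
"""
import random

SAMPLES_PER_BIT = 4              # oversampling factor at the receiver
IDLE_BITS = 4                    # dark period before each frame
PREAMBLE = [1, 0, 1, 0, 1, 1]    # sync pattern the receiver searches for
THRESHOLD = 0.5                  # assumed "light on" level in volts


def bytes_to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))


def modulate(payload):
    """Payload -> 0.0/1.0 light samples: idle, preamble, length byte, data."""
    frame = [0] * IDLE_BITS + PREAMBLE + bytes_to_bits(bytes([len(payload)])) + bytes_to_bits(payload)
    return [float(b) for b in frame for _ in range(SAMPLES_PER_BIT)]


def channel(samples, noise_sigma, rng):
    """Gaussian noise on the sensed voltage, as an LED-as-photodiode would see."""
    return [s + rng.gauss(0.0, noise_sigma) for s in samples]


def corrupt(samples, indices):
    """Invert individual samples, modelling glitches (someone walking through the beam)."""
    out = list(samples)
    for i in indices:
        out[i] = 1.0 - out[i]
    return out


def demodulate(samples):
    """Threshold, majority-vote each bit period, sync on the preamble; None if no frame."""
    hard = [1 if s > THRESHOLD else 0 for s in samples]
    bits = []
    for i in range(0, len(hard) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        window = hard[i:i + SAMPLES_PER_BIT]
        bits.append(1 if sum(window) * 2 > len(window) else 0)   # ties decode as 0
    for start in range(len(bits) - len(PREAMBLE) + 1):
        if bits[start:start + len(PREAMBLE)] == PREAMBLE:
            body = bits[start + len(PREAMBLE):]
            if len(body) < 8:
                return None
            length = bits_to_bytes(body[:8])[0]
            data_bits = body[8:8 + 8 * length]
            if len(data_bits) < 8 * length:
                return None                       # truncated frame
            return bits_to_bytes(data_bits)
    return None


def round_trip(payload, noise_sigma=0.1, seed=1):
    """Send payload through the noisy channel and return what the receiver decodes."""
    rng = random.Random(seed)
    return demodulate(channel(modulate(payload), noise_sigma, rng))


if __name__ == "__main__":
    msg = b"hello, air gap"
    print("decoded:", round_trip(msg))
    first_len_sample = (IDLE_BITS + len(PREAMBLE)) * SAMPLES_PER_BIT
    print("one glitch :", demodulate(corrupt(modulate(b"\xaa"), [first_len_sample])))
    print("three glitches in one bit:", demodulate(corrupt(modulate(b"\xaa"), [first_len_sample, first_len_sample + 1, first_len_sample + 2])))
```

In this model the bit rate is the receiver’s sampling rate divided by `SAMPLES_PER_BIT`, so the throughput of a real channel is bounded by how fast the device’s firmware can sample its LED pin, and the majority vote only rides out glitches shorter than half a bit period; three bad samples in one period corrupt the length byte and the frame is dropped.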

“The LaserShark project demonstrates how important it is to additionally protect critical IT systems optically next to conventional information and communication technology security measures,” the researchers explain.