Hackers have tried all kinds of methods to steal sensitive data, but this one feels like a whole new level of science fiction: Using a drone outside of an office window to steal data from a computer’s LED.
There are some major hurdles an attacker would need to clear for this to be possible. First, it requires someone on the inside loading malware onto the computer undetected. This malware is programmed to transmit data using blinking patterns on the LED on the computer’s button. A camera-equipped drone then records the blinks to decrypt the information.
Thus the information is stolen, entirely without the device being Internet-connected.
The experiment, conducted by Ben-Gurion University, is shown on the video below:
Scared of this attack? Well, let’s think a little about it.
First of all, to conduct this off-line attack, you need someone who can install malware undetected on a machine. And that malware has to remain undetected on a computer that is kept offline for security reasons.
That leads to a question: Why didn’t the inside agent just steal the data to begin with? Or the computer itself?
Also, as more than a few snarky Internet commenters have suggested, curtains or keeping sensitive computers in a windowless room could thwart this attack pretty easily.
Physical security first
Perhaps the most important lesson from this proof of concept is that physical security is important. It’s crucial that offline and Internet-connected systems are secured and accessed only by trusted employees who need to use them.
And make sure users always keep an eye on their mobile devices. It doesn’t take much for malware to be installed on them or the devices to be taken. And if the device is out of sight, it’s as good as compromised already.