Gopher Menu

       CTRL-ALT-LED keyboard LED attack on airgapped systems
       July 11th, 2019
(HTML) So I saw an interesting article on zdnet earlier about keyboard LEDs
       potentially being used to exfiltrate data on extremely high security
       air gapped systems (essentially systems have no network access).
(HTML) Here's a short synopsis of the article
       > The attack, which they named CTRL-ALT-LED, is nothing that regular
       > users should worry about but is a danger for highly secure environments
       > such as government networks that store top-secret documents or enter-
       > prise networks dedicated to storing non-public proprietary information.
       > The attack requires some pre-requisites, such as the malicious actor
       > finding a way to infect an air-gapped system with malware beforehand.
       > CTRL-ALT-LED is only an exfiltration method. But once these prerequi-
       > sites are met, the malware running on a system can make the LEDs of an
       > USB-connected keyboard blink at rapid speeds, using a custom transmis-
       > sion protocol and modulation scheme to encode the transmitted data. A
       > nearby attacker can record these tiny light flickers, which they can
       > decode at a later point, using the same modulation scheme used to
       > encode it.
(HTML) Given previous hypotheticals against airgapped systems using hard disk
       drive LEDs, I think it's entirely reasonable that folks using systems
       requiring this much security should make a few changes to prevent
       exfiltration of information via LEDs... For starters I would remove the
       keyboard LEDs with an X-ACTO knife, it's a realitively simple operation
       to do.  If users absolutely need a keyboard indication of whether num/
       caps/scroll lock is on, a keyboard manufacturer could easily make old-
       style keyboards with mechanical latches for those keys (you gently press
       your finger on the lock key to see if it's actually locked or not).
       Furthermore the HDD LED should be removed for the same reason, and while
       we are at it, the power LED should be removed too.  Before you say that
       I am mad for advocating power LED removal, hear me out; an external power
       LED can be made by handy engineers with ease: an induction coil attached
       to the incoming mains of the PSU can be wired into an LED (be sure to use
       a filtering capacitor) to determine if the system is powered or not.
       Don't take a chance on taping off LEDs, tape can fall off, and some users
       compulsively pick at things. Ugh.
       As for me, I'm taking the easy way out: if the data is so important that
       it requires an airgapped system, I'm not going to put it on any of my
       computers to begin with. :)
 (DIR) Back to phlog index
 (DIR) gopher root
       This phlog entry has been read 539 times.
       Future direct comment submission has been disabled for this phlog entry.
       Comments are still accepted by email, please send to
       Be sure to include the post title in the subject line! Thanks!
       Comments have been left on this post:
       everyone should have an airgap machine for making key pairs.
       Posted Sat Jul 20 02:12:46 UTC 2019 by
       I have an airgap machine for making private keys.
       Posted Sat Aug 17 01:21:24 UTC 2019 by