In a paper titled “aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR)”, the researchers said that the technique can be used on professional and home security cameras, and even LED doorbells, which can detect infrared (IR) light that is not visible to the human eye. CCTV cameras are equipped with IR LEDs for night vision, which makes them well suited to the aIR-Jumper technique.
“In this paper, we show how attackers can use surveillance cameras and infrared light to establish bi-directional covert communication between the internal networks of organizations and remote attackers. We present two scenarios: exfiltration (leaking data out of the network) and infiltration (sending data into the network),” the researchers wrote.
The cyber team led by Dr. Mordechai Guri, head of research and development for BGU’s Cyber Security Research Center (CSRC), demonstrated how IR can be used to create a secret communication channel between malware installed on an internal computer network and an attacker located at a distance of hundreds of metres to kilometres away with direct line of sight. The researchers were able to leak internal data at a bit rate of 20 bit/s per camera and were able to deliver commands to the network at a bit rate of more than 100 bit/s from one camera.
The aIR-Jumper method can be used to transfer hidden signals to surveillance cameras, including PIN codes, passwords, and encryption keys, which are modulated, encoded, and then transferred to attackers.
“Security cameras are unique in that they have ‘one leg’ inside the organization, connected to the internal networks for security purposes, and ‘the other leg’ outside the organization, aimed specifically at a nearby public space, providing very convenient optical access from various directions and angles,” Mordechai Guri said in the release.
The researchers uploaded two videos to YouTube: the first shows an attacker sending infrared signals to the security camera, while the second shows the camera (which is already infected with malware) exfiltrating data from the affected network.
“In an infiltration scenario, an attacker standing in a public area (e.g., in the street) uses IR LEDs to transmit hidden signals to the surveillance camera(s),” the paper reads. “Binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals.”