A new side-channel attack dubbed PIXHELL can be abused to target air-gapped computers, breaching the “audio gap” and stealing sensitive information by taking advantage of the noise created by the pixels on the screen.
“Malware in air-gap and audio-gap computers creates engineered pixel patterns that produce noise in the 0-22kHz frequency range,” Dr. Mordechai Guri, head of the Offensive Cyber Research Laboratory at the Department of Software Development and Information Systems at Ben-Gurion University of the Negev in Israel, said in a newly published paper.
“The malicious code uses the sound created by the coils and capacitors to control the frequencies coming from the screen. Acoustic signals can encode and transmit sensitive information.”
The attack is unique in that it does not require special audio equipment, a loudspeaker, or an internal speaker on the compromised computer, instead using an LCD screen to generate audio signals.
An air gap is a critical security measure designed to protect critical environments from potential security threats by physically and logically isolating them from external networks (such as the Internet). This is usually achieved by disconnecting network cables, disabling wireless interfaces, and disconnecting USB connections.
However, such protection can be bypassed by means of malicious insiders or a compromise of the hardware or software supply chain. Another scenario could involve an unsuspecting employee plugging in an infected USB drive, deploying malware capable of opening a covert data exfiltration channel.
“Phishing, malicious insiders, or other social engineering techniques may be used to trick people who have access to an air-gapped system into taking actions that compromise security, such as clicking on malicious links or downloading infected files,” Dr. Guri said.
“Attackers can also use attacks in the software supply chain, targeting software application dependencies or third-party libraries. By compromising these dependencies, they can introduce vulnerabilities or malicious code that may go undetected during development and testing.”
As with the recently demonstrated RAMBO attack, PIXHELL uses malware deployed on a compromised host to create an acoustic channel for leaking information from audio-gapped systems.
This is made possible by the fact that LCD screens contain inductors and capacitors as part of their internal components and power supply, causing them to vibrate at an audible frequency that creates a high-pitched noise when electricity passes through the coils, a phenomenon called coil whine.
In particular, changes in power consumption can cause mechanical vibrations or piezoelectric effects in capacitors, creating audible noise. An important factor that affects the consumption pattern is the number of illuminated pixels and their distribution on the screen, since white pixels require more energy to display than dark ones.
“Furthermore, when alternating current (AC) passes through the screen capacitors, they vibrate at certain frequencies,” said Dr. Guri. “Acoustic radiation is created by the internal electrical part of the LCD screen. Its characteristics are affected by the actual bitmap, pattern and intensity of the pixels projected onto the screen.”
“By carefully controlling the pixel patterns displayed on our screen, our technique generates specific sound waves at specific frequencies from LCD screens.”
Therefore, an attacker can use this technique to steal data in the form of audio signals, which are then modulated and transmitted to a nearby Windows or Android device, which can then demodulate the packets and extract the information.
That said, the power and quality of the emitted acoustic signal depend on the specific structure of the screen, its internal power source, and the location of the coil and capacitor, among other factors.
Another important point is that the PIXHELL attack is, by default, visible to users looking at the LCD screen, given that it involves displaying a bitmap pattern consisting of alternating black and white rows.
“To stay hidden, attackers can use a transmission strategy while the user is away,” said Dr. Guri. “For example, a so-called ‘night attack’ on covert channels is carried out during non-working hours, which reduces the risk of being discovered and exposed.”
The attack, however, could be made stealthy at runtime by reducing the pixel colors to very low values before transmission, i.e., using the RGB levels (1,1,1), (3,3,3), (7,7,7) and (15,15,15), thus giving the user the impression that the screen is black.
But this has the side effect of “significantly” reducing the level of sound production. Nor is this approach foolproof, as the user can still see anomalous patterns if they look “carefully” at the screen.
This is not the first time audio-gap limitations have been overcome in an experimental setup. Previous studies by Dr. Guri have used sounds produced by computer fans (Fansmitter), hard drives (Diskfiltration), CD/DVD drives (CD-LEAK), power supplies (POWER-SUPPLaY) and inkjet printers (Inkfiltration).
As countermeasures, it is recommended to use an acoustic barrier to neutralize the transmission, monitor the audio spectrum for unusual signals, limit physical access to authorized personnel, prohibit the use of smartphones, and use an external camera to detect unusual modulated images on the screen.
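The audio-spectrum monitoring countermeasure can be illustrated with a small detector that flags narrowband tones persisting above the noise floor anywhere in the 0-22 kHz band. This is an added example, not code from the paper or the article; the frame size, threshold ratio, persistence share and the constructed input signal are all assumptions.

```python
import math
import random
from statistics import median

def goertzel_power(frame, k):
    """Power of DFT bin k of `frame` (Goertzel recurrence, stdlib only)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def persistent_tones(samples, rate, n=256, ratio=8.0, min_share=0.6):
    """Return centre frequencies (Hz) of bins that stand `ratio` times above
    the per-frame median noise floor in at least `min_share` of all frames."""
    window = [0.5 - 0.5 * math.cos(2 * math.pi * i / n) for i in range(n)]  # Hann
    hits = [0] * (n // 2)
    frames = 0
    for start in range(0, len(samples) - n + 1, n):
        frame = [samples[start + i] * window[i] for i in range(n)]
        power = [goertzel_power(frame, k) for k in range(1, n // 2)]
        floor = median(power)  # robust floor: a few tone bins do not move it
        for idx, p in enumerate(power):
            if p > ratio * floor:
                hits[idx + 1] += 1
        frames += 1
    return [k * rate / n for k in range(1, n // 2)
            if frames and hits[k] >= min_share * frames]

def constructed_capture(rate, seconds, tone_hz=None, amp=0.03, seed=7):
    """Constructed test input: uniform room noise, optionally plus a weak tone."""
    rng = random.Random(seed)
    out = []
    for i in range(int(rate * seconds)):
        x = rng.uniform(-0.05, 0.05)
        if tone_hz:
            x += amp * math.sin(2 * math.pi * tone_hz * i / rate)
        out.append(x)
    return out

if __name__ == "__main__":
    RATE = 44100  # sampling rate that covers the 0-22 kHz band from the article
    print("quiet room:", persistent_tones(constructed_capture(RATE, 0.25), RATE))
    print("with tone :", persistent_tones(constructed_capture(RATE, 0.25, 18000), RATE))
```

Random noise occasionally spikes in a single frame, so requiring persistence across frames is what keeps the false-alarm rate low. A real deployment would compare against a recorded baseline of the room, since fans and power supplies also emit steady tones.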