Exfiltration experts from Ben-Gurion University of the Negev’s Cyber Security Research Center have added to previous techniques like fan modulation, GSM transmissions, or listening to the RF from USB2 transmissions, have now created malware to control hard drive LEDs.
The team led by veteran exfiltrator Mordechai Guri flashes the LED at atound 5,800 on/off cycles per second as a data channel, good enough for 4 Kbps of transmission.
That performance also depends on what you use as the receiver: it might be a Digital SLR or high-end security camera (15 bps), a GoPro-level camera (up to 120 bps), a Webcam or Google Glass Explorer (also 15 bps), or a smartphone camera (up to 60 bps).
If you can lay hands on a good photodiode sensor – they’re not expensive, the Thorlabs PDA100A they used can be had on eBay for less than US$100 – you’ll get around 4 Kbps.
Since PCs lack any generic API to control the hard disk LED, the malware from Guri’s team takes the direct approach: a small chunk of code to perform reads and writes to the disk, along with a protocol to tell the receiver what it’s looking for.
Here’s the prize – the algorithm that flashes the HDD lamp.
1: procedure transmitBits(bits, T0, ReadSize)
2: sync(); //drop cache
3: hddDev = open(/dev/sda)
4: offset = 0
5: offsetIncrement = BLOCK_SIZE;
6: seek(hddDev, offset);
7: for(b in bits)
8: if (b='0') then
9: sleep (T0);
10: if (b='1') then
11: seek(hddDev, offset);
12: read(hddDev, ReadSize);
13: offset += offsetIncrement
14: end for