Researchers hack printers and computers through lasers shone at the printer’s scanner.
PC World reported on the hack, discovered by researchers at Ben-Gurion University in Israel, which works by “flashing visible or infrared light at the [open] scanner lid” of all-in-one (AIO) machines, thereby infecting the printer and by extension the computer attached to it.
The experiment came about after cryptographer Adi Shamir, alongside researchers Yuval Elovici and Moti Guri, aimed to find “methods of controlling malware running on air-gapped systems”. Air-gapping isolates computers from the internet, and is “considered one of the best ways to defend critical systems and their sensitive data from cyberattacks”, but this can be “undermined” using the printer hack method.
The three wanted to “subvert the goal of preventing internet-based attacks”. If a virus is installed through a USB drive on a computer disconnected from the internet, the hackers would “have a hard time controlling” it or stealing information because “there is no internet connection”. However, if an AIO is connected to a computer with malware, attackers could “issue commands to a malicious programme […] by flashing visible or infrared light at the scanner lid when open”.
Shamir presented the ‘Scangate’ hack at the Black Hat Europe security conference in Amsterdam, with the research finding that “if a source of light is pointed repeatedly at the white coating on the inside of the scanner’s lid” during scanning, the image will “have a series of white lines on darker background[s]”, which match the light hitting the lid.
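A defender can look for the artefact described above in scan output. The following is an added example, not code from the researchers or PC World: it flags scans containing several separate full-width bright bands, assuming a grayscale image taken with the lid open (dark background); the function names, thresholds and sample images are constructed for illustration.

```python
# Added defensive example: flag scans that contain several lid-wide bright bands.
# Assumed image model: grayscale rows (0 = black, 255 = white), ordered along
# the scan head's travel, taken with the lid open so the background is dark.

def bright_bands(rows, margin=40, min_fraction=0.9):
    """Return (first_row, last_row) ranges in which almost every pixel is
    much brighter than the scan's median row brightness."""
    means = [sum(r) / len(r) for r in rows]
    baseline = sorted(means)[len(means) // 2]   # median row mean
    threshold = baseline + margin
    bands, start = [], None
    for i, row in enumerate(rows):
        lit = sum(p >= threshold for p in row) / len(row) >= min_fraction
        if lit and start is None:
            start = i
        elif not lit and start is not None:
            bands.append((start, i - 1))
            start = None
    if start is not None:
        bands.append((start, len(rows) - 1))
    return bands

def is_suspicious(rows, min_bands=3):
    """Several separate full-width bands in one scan warrant review."""
    return len(bright_bands(rows)) >= min_bands

def make_scan(height, width, lit_rows, dark=60, bright=230):
    """Build a constructed test image with the given rows fully lit."""
    return [[bright if y in lit_rows else dark] * width for y in range(height)]

# Constructed samples, not real scanner output.
SAMPLE_FLASHED = make_scan(20, 16, {3, 4, 8, 12, 13, 14})
SAMPLE_CLEAN = make_scan(20, 16, set())
# A sheet of paper covering the left half of rows 5-10: bright, but not full width.
SAMPLE_PAPER = [([230] * 8 + [60] * 8) if 5 <= y <= 10 else [60] * 16
                for y in range(20)]

if __name__ == "__main__":
    for name, scan in [("flashed", SAMPLE_FLASHED), ("clean", SAMPLE_CLEAN),
                       ("paper", SAMPLE_PAPER)]:
        print(name, bright_bands(scan), is_suspicious(scan))
```

The median baseline only holds while bands cover fewer than half the rows, so a scan that is mostly lit needs a fixed reference brightness instead.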
The message is sent in light using Morse code, which is then interpreted as binary data; the hacker could then access data on the computer through the malware already on it, as the malware would “interpret the commands” as instructions. Shamir added that “several hundred bits of data” could be sent in one scan, which PC World states is “enough to send small commands that can activate various functionality” in the malware infection.
Additionally, the researchers “successfully” tested such an attack from 200, 900 and 1,200 metres away, using a laser to “flash visible light at the window of the office where the scanner was located”, lighting the room and sending the message. A more powerful laser could “produce reliable results from up to five kilometres away”, with infrared light more likely to work in this case “because it’s invisible to the naked eye”.
Also, instead of waiting for the malware to “initiate a scan”, hackers could wait until the scanner is used, and “then run their attack”, with the lines appearing on the sides of the scanned document. The three researchers also revealed that they “found a way for the malware to send data back to the attackers”: the scanner’s own light carries the information, which is read from the “amount of time the scanner’s light is on and reflects the open lid”.
Data stolen this way could include encryption keys, though detecting scanner light from a distance “would require very sensitive equipment”, and if the scanner is on a higher floor hackers would “have a hard time getting good visibility”, though a drone could be used “to get closer and observ[e] the scanner from a better angle”.