Researchers have recently published a paper which describes how a piece of malware planted in an air-gapped network can be controlled remotely using an office scanner and a light source, such as a laser or a smart bulb.
The method of using scanners to jump the air gap was first summarised back in 2014 at the Black Hat Europe conference by Adi Shamir, professor of Applied Mathematics at the Weizmann Institute of Science and one of the inventors of the RSA algorithm. Shamir, along with Ben Nassi and Yuval Elovici, has now published a detailed research paper on the attack method.
Multiple experiments conducted by the researchers show that an attacker outside the building housing the device can send commands to a piece of malware on an isolated machine simply by pointing a light source at a connected flatbed scanner whose lid is open.
The malware can be programmed to start scanning at a specified date and time, when the attacker begins sending the commands. The researchers point out that only the first scan date needs to be set in advance, as subsequent dates can be supplied with each attack.
The commands are transmitted as pulses from a laser or another light source: a 0 bit is sent when the light is off and a 1 bit when it is on. The light source can be a visible laser or an invisible infrared laser; the latter makes the attack stealthier.
The laser attack works if there is a clear line of sight from the outside of the building to the scanner. If the view is blocked by a curtain or a wall, the attacker can remotely hijack a smart bulb located in the same room as the targeted scanner and use it to send the signals.
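For defenders, the on/off pulse encoding described above suggests a check on scanner output. The following is an added example, not code from the paper or the article: it flags scans that contain alternating full-width bright and dark bands. It assumes the scan is available as a grayscale list of pixel rows and that pulsed external light appears as bands because a flatbed captures one row at a time; the function names and thresholds are illustrative.

```python
# Added example (not from the paper): flag flatbed scans that show
# on/off light banding. Assumptions: the scan is grayscale, given as a list
# of rows of 0-255 values; thresholds are illustrative, not tuned.

def classify_rows(image, max_spread=25, min_contrast=40):
    """Label each row 'B' (uniformly bright), 'D' (uniformly dark) or
    'X' (page content, or no two-level exposure present at all)."""
    uniform = [sum(r) / len(r) for r in image if max(r) - min(r) <= max_spread]
    if not uniform or max(uniform) - min(uniform) < min_contrast:
        return ["X"] * len(image)      # evenly exposed scan: nothing to flag
    threshold = (max(uniform) + min(uniform)) / 2
    labels = []
    for r in image:
        if max(r) - min(r) > max_spread:
            labels.append("X")         # text or graphics, not ambient light
        else:
            labels.append("B" if sum(r) / len(r) > threshold else "D")
    return labels

def light_bands(image, min_band_rows=3):
    """Return [label, first_row, last_row] for each long-enough B/D run."""
    bands = []
    for i, label in enumerate(classify_rows(image)):
        if bands and bands[-1][0] == label:
            bands[-1][2] = i           # extend the current run
        else:
            bands.append([label, i, i])
    return [b for b in bands if b[0] != "X" and b[2] - b[1] + 1 >= min_band_rows]

def looks_modulated(image, min_transitions=4):
    """True when bright and dark bands alternate often enough to review."""
    bands = light_bands(image)
    flips = sum(1 for a, b in zip(bands, bands[1:]) if a[0] != b[0])
    return flips >= min_transitions

# Constructed sample scans (synthetic, 16 pixels wide).
def _rows(level, n, width=16):
    return [[level + (x % 3) for x in range(width)] for _ in range(n)]

SCAN_WITH_PULSES = sum((_rows(200 if i % 2 else 30, 5) for i in range(8)), [])
SCAN_BLANK = _rows(30, 40)
SCAN_DOCUMENT = sum((_rows(230, 3) + [[230, 20] * 8] * 2 for _ in range(8)), [])

if __name__ == "__main__":
    for name in ("SCAN_WITH_PULSES", "SCAN_BLANK", "SCAN_DOCUMENT"):
        print(name, looks_modulated(globals()[name]))
```

A scan flagged this way is a prompt for review, for example of scans started with nothing on the glass or outside working hours, rather than proof of a covert channel.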