New world of cyber threats – the dark side of light

07 August 2017


Leading the research function in PwC’s Threat and Vulnerability Management team in the UK is an interesting role. In my work I look to identify new cyber threats to organisations, one example of this is by developing proof-of-concept malware which can be controlled, and exfiltrate data, through the ambient light sensors in laptops, monitors and phones.

Imagine you work for an organisation that deals with sensitive, protectively-marked information. It could be a commercial organisation or a government agency. Some of this information is so sensitive that it's stored on an isolated, air-gapped network. That is, there is a physical distance between those machines and untrusted networks. No internet connection, no WiFi adapters, two-factor authentication, the works. Air-gapped systems are designed to provide an additional layer of physical security to prevent compromise and exfiltration. They are often deployed in secure environments in order to protect sensitive data.

One day, you get home, switch on the TV, and see documents from your secure network splashed all over the evening news.

You race back into work and start checking through the IT logs. You see nothing suspicious. Nothing at all. No trace of any unauthorised USB devices being inserted. No trace of any burnt DVDs or CDs. No strange network activity.

So you do a memory dump of all the machines, and see that the documents in question have indeed been accessed recently. But how did they get off the system?

And then you find a suspicious file.

It's tiny - only a few kilobytes. And it's been there a while. How it got on to the system is a mystery. But you pass it to your malware analysts - and they report back: This is malware. And it can be controlled by light.

How could this happen? It sounds far-fetched, but it's absolutely possible. It’s something I’ve replicated in research in our cyber lab at PwC.

Many modern laptops and monitors - as well as smartphones, tablets, and smartwatches - come with embedded ambient light sensors (ALS). These are small devices which measure the amount of light in "lux", a unit of illuminance.

They're mostly used for adaptive screen brightness - a display setting which automatically adjusts the brightness of the screen relative to the amount of ambient light. So in a dark room, the screen dims, and on a sunny day, the screen brightens. The idea is to conserve battery and reduce eyestrain.

Through targeting the light sensor it's possible to control a workstation and exfiltrate data, without touching the machine at all, and without initiating any kind of network activity. This is the latest in a long line of methods designed to dispel the myth of air-gap security.

If your organisation uses laptops, monitors or devices which have ambient light sensors, you should be aware that they could present a route in for a cyber attacker. Even disabling adaptive brightness does not turn off the sensor - they would have to be physically removed, disabled, or taped over to eliminate the potential risk.

You should also bear in mind that screen brightness can be used to exfiltrate data. One way you could try to frustrate this is by using privacy filters on screens; they do a good job of 'muting' brightness changes (as well as preventing others from reading your screen, of course).

Ultimately, the key message is that you are never 100% safe from a malicious insider, no matter how isolated your machines are and, however, many monitoring solutions you employ. The mere fact that computers emanate heat, noise, radiation and light as a by-product of their intended operations is enough for an attacker, if those by-products can be influenced.

For further technical detail please visit our research page or contact Matt Wixey for more information about how this could affect your organisation.