Abstract
In the area of espionage between countries, an infiltration covert channel used to trigger silent malware installed on the network of a critical organization (such as 911 services or a missile launching facility) from the outside world is extremely dangerous to the target country's security. To prevent attackers from establishing such a channel, these organizations take various steps to secure their networks, making the establishment of this type of covert channel very challenging and almost impractical to achieve; the current state-of-the-art methods are very limited and ineffective. In this paper, we show that even a strong isolation technique, such as air-gapping the network, can be circumvented by using an organizational multifunction printer (MFP) to establish an infiltration covert channel in order to communicate from the outside with malware installed in an isolated organization. We show how an attacker can leverage the light sensitivity of an MFP and use different light sources to infiltrate commands to the malware in the organization. We analyze the influence of light intensity, distance, transmission rate, ambient light, and wavelength on the covert channel. In addition, we demonstrate the attack on a real organization using: 1) a laser attached to a tripod stand; 2) a laser carried by a drone; and 3) a hijacked smart bulb that is not even connected to the organization's network and is accessed and controlled by an attacker in a passing car. We prove that locating the scanner in an inner room inside an organization does not prevent an attacker from establishing the covert channel. We show how our covert channel can be established from a greater distance (900 m) and at a higher transmission rate of 200 bits/s than other methods used to infiltrate data to an organization, even using invisible light (covertly).
More From: IEEE Transactions on Information Forensics and Security