Data transmission from a printer can be captured from 1200 metres away, according to the results of an experiment.
In the opening keynote at this year’s Black Hat Europe in Amsterdam, cryptographer Adi Shamir detailed an instance where it was possible to scan a printer from a distance of 1200 metres.
Shamir said: “Previously, secrets were kept in file cabinets in buildings so you needed a human spy. Today, all secrets kept in cabinets need cyber attack to get at them.”
In the attack example, Shamir and his team targeted the EMC/RSA building in Beersheba in Israel, placed a book on a printer with an open lid and set a torch to a repeated flash function and was able to get a reflected print that gave black and white lines.
Then, using an infra-red light, they were able to get a better light reflection and an image of data transfer. He said: “A remote control issued a colourful image and a stronger infrared showed data transmission.” They then switched to a laser that could be used from distance, and moving the laser further and further away, they were still able to capture data being scanned by the printer and photocopier due to the fact that the lid was open to 30 degrees and the book did not sit flat on the glass.
Shamir said: “We developed a new technique called Scangate and we are solving the holy grail of cyber attacks to get malware into an airgapped system. It is protected and if you want to send data and in and out, we showed that a printer can be the most dangerous of airgapped components. If you have one, throw it away!”
Asked what would happen if the lid was closed, Shamir said that the results are “less spectacular”, but often people do not close the lid. “You only need to do it several times in order to do an infiltration attack,” he said. “You don’t have to hit a particular area of the open lid. You can attack unless you protect the entire office from any incoming light.”
In the experiment, Bruce Schneier’s Applied Cryptography was used as it was not possible to close the lid whilst it was on the glass. Asked if this could be a way to implement malware, Shamir said it could be if the transmission was short enough and if it could be placed in the correct location, but he was not sure how to interpret if there was no malware inside the system.
