Sharks with Lasers?

It may not be quite what Dr. Evil of Austin Powers: International Man of Mystery had in mind when he requested sharks with laser beams attached to their heads, but LaserShark is nevertheless a tool that any spy (Man of Mystery or otherwise) would love to have in their tool kit. This recently published exploit takes advantage of the little known fact that standard LEDs, of the sort found in all manner of electronic devices, not only emit light, but can also receive it.

A team led by researchers at Technische Universität Berlin have built a proof of concept device that can establish bidirectional communications, even with air-gapped devices, by aiming lasers at the LEDs already built into electronics devices such as computers. The technique has been shown to work at long distances, in excess of 82 feet. Transfer speeds are reasonably snappy at 18.2 kilobytes per second (kbps) in and 100 kbps out.

The fact that this exploit enables bidirectional communication is of particular concern. This enables an attacker to establish a command and control channel, update the malicious functionality, or retrieve sensitive information from the compromised system. By contrast, most exploits of air-gapped systems only allow communication in one direction.

In order for LaserShark to work, a device’s LED must be attached to the CPU’s general purpose input/output (GPIO) interface. By focusing a laser on such an LED, measurable current fluctuations on the GPIO pins can be detected by firmware running on the host. Data can be encoded into this stream by sending specific patterns of laser light, which the firmware can then decode. To receive light from the target device, it flickers the LED at a high frequency, which is imperceptible to the naked eye, but can be detected and decoded by a purpose-built device that has a view of the LED.

Before going into full panic mode, it is important to understand the assumptions and limitations associated with the LaserShark exploit. First, it assumes that the supply chain has been compromised, and malicious firmware has been pre-installed on devices to be targeted. This is already a high bar to clear, but beyond that, it also requires that the attacker has a line-of-sight view of the high-security system, which in many cases does not sound particularly plausible. Further, communication requires visible light to be shined on the target device, which could be noticed; however, the pulses of data could be as short as a few hundred milliseconds, which may render them nonobvious. Not to mention, even if all of these prerequisites have been met, the exploit could still be defeated by simply putting a tiny piece of electrical tape over the top of any exposed LEDs.

Limitations aside, LaserShark takes advantage of little known properties of LEDs to show that nothing is as secure as we believe it to be. That is a valuable reminder that we would all do well to take to heart.