Threat Watch

New LaserShark Exploit Establishes Bi-directional Fast Connections with Air-Gapped Systems

A group of researchers in Germany recently released a newly developed exploit they dubbed “LaserShark” which uses a laser beam to create a 100kbps outbound and 18.2kbps inbound connection to otherwise physically isolated systems targeting built-in LED. The LED in question must be mounted on the General Purpose Input/Output (GPIO) interface of the CPU embedded in the target system. So called “air gapped” systems typically have no external wired or wireless connections and are used to secure critical internal applications. However, a number of supply chain and physical attacks, such as leaving a USB drive as bait, have historically been successfully utilized in order to overcome these defenses and compromise systems. In modern cyberespionage or cyber disruption applications, however, it can be useful to maintain contact with malicious code loaded into air gapped systems for command and control (C2) or data exfiltration purposes. Currently, the LaserShark relies on a prior compromise using a physical or supply chain attack vector in order to establish the two-way connection via LED.

ANALYST NOTES

This research establishes a new Proof of Concept (PoC) that highlights that even air-gapped systems can be subjected to physical and supply chain attacks that can result in bi-directional connections. The new LaserShark research establishes that this attack can be done with lasers and LED with appropriate motherboard connections. This emphasizes the idea that due to the complexity of modern computing systems, zero-day vulnerabilities, such as the recent log4j vulnerability, will always exist. A thorough post-exploitation detection framework, such as Binary Defense’s MDR and threat hunting offerings, is always necessary, even on the most secure air-gapped systems, in order to mitigate risks. We can expect that state sponsored threat groups ,as well as espionage groups, have access to more sophisticated methods than those provided in the public domain by university researchers.

https://intellisec.de/pubs/2021-acsac.pdf