Infosec gear supplier Hak5 has revealed a new* side-channel exfiltration technique, named Keystroke Reflection, which uses keyboard LEDs and requires minimal access, no drivers or binaries and works on air-gapped machines.
Keystroke Reflection takes advantage of the way computers handle multiple keyboards: when one of the CapsLock, NumLock or ScrollLock keys are pressed on one keyboard, the corresponding LED is illuminated on all keyboards attached to the machine. By modulating these button-presses fast enough, a user can create a data stream using these LEDs – or virtual analogues of them.
The technique is similar to Keystroke Injection, also developed by Hak5, and uses the same device: Hak5’s USB Rubber Ducky, which externally looks like a flash drive, but appears as a keyboard to any machine it’s plugged into. Keystroke Reflection also uses some Keystroke Injection techniques – but with a twist.
“The Keystroke Reflection attack consists of two phases. In the first phase — performed as part of a keystroke injection attack — the data of interest, or “loot”, is gathered from the target and encoded as lock keystrokes for reflection,” said Hak5 in a paper explaining the technique.
“In the second phase, the USB Rubber Ducky enters Exfil Mode where it will act as a control code listener on the HID [Human Interface Device] OUT endpoint. Then, the target reflects the encoded lock keystrokes. The binary values of the reflected, or ‘bit banged’, lock keys are stored as 1’s and 0’s in the loot.bin file on the USB Rubber Ducky.”
According to Hak5, any file on the target machine can be encoded and exfiltrated this way, using nothing but built-in commands, and no external drivers, binaries or files. In a demonstration, the Hak5 team extracted an image of the Rubber Ducky device using the technique.
* While the Keystroke Reflection implementation of this technique (using a virtual HID to store exfiltrated data) is novel, some have noted the general approach is decades-old, having allegedly been used to steal data optically via modem LEDs, and via keyboard LEDs as well. A 2019 paper by Mordechai Guri et al noted data exfiltration via lock-key LEDs was proposed in 2002.
“Our experiment shows that data can be leaked from air-gapped computers via the keyboard LEDs at a maximum bit rate of 3000 bit/sec per LED given a light sensor as a receiver, and more than 120 bit/sec if smartphones are used. The attack doesn't require any modification of the keyboard at hardware or firmware levels,” noted the researchers in their paper.