Researchers have devised malware that can jump airgaps by using the infrared capabilities of an infected network's surveillance cameras to transmit data to and from attackers.

The malware prototype could be a crucial ingredient for attacks that target some of the world's most sensitive networks. Militaries, energy producers, and other critical infrastructure providers frequently disconnect such networks from the Internet as a precaution. In the event malware is installed, there is no way for it to make contact with attacker-controlled servers that receive stolen data or issue new commands. Such airgaps are one of the most basic measures for securing highly sensitive information and networks.

The proof-of-concept malware uses connected surveillance cameras to bridge such airgaps. Instead of trying to use the Internet to reach attacker-controlled servers, the malware weaves passwords, cryptographic keys, and other types of data into infrared signals and uses a camera's built-in infrared lights to transmit them. A nearby attacker then records the signals with a video camera and later decodes embedded secrets. The same nearby attackers can embed data into infrared signals and beam them to an infected camera, where they're intercepted and decoded by the network malware. The covert channel works best when attackers have a direct line of sight to the video camera, but non-line-of-sight communication is also possible in some cases.

Researchers at Israel's Ben-Gurion University of the Negev and Shamoon College of Engineering said the malware establishes a two-way channel that attackers can use to communicate with compromised networks even when they're air-gapped. The covert channel can transmit data from a video camera to an attacker at 20 bits per second and from an attacker transmitter to a video camera at 100 bits per second. When more than a camera is used in the attacks the bit-rate may be increased further.