HIPAA – the US standard for electronic health care documentation – spends a lot of verbiage and bureaucratese on the security of electronic records, making a clear distinction between the use of records by health care workers and the disclosure of records by health care workers. The Federal Information Security Management Act of 2002 makes the same distinction; records that should never be disclosed or transmitted should be used on systems that are disconnected from networks.

This distinction between use and disclosure or transmission is of course a farce; if you can display something on a screen, it can be transmitted. [Ian Latter] just gave a talk at Kiwicon that provides the tools to do just that. He calls it ThruGlassXfer (TGXf), and it does exactly what it says on the tin: anything that can be displayed on a screen can be transmitted. All you need are the right tools.

How is [Ian] doing this? With QR codes, strangely enough. [Ian] has designed a protocol and application that allows people to download files through a screen. By using TGXf, anyone can load a file stored locally on a computer, have the binary data displayed through QR codes, and record that data with a smartphone or tiny video camera. This video is then analyzed, the data is recovered, and the file is transmitted, defeating all security measures a sysadmin has in mind.

Displaying binary data as a QR code presents another problem. How do you put an application that will convert raw data to QR codes on a locked-down system? That’s another trick up [Ian]’s sleeve called ThruKeyboardXfer (TKXf). This requires a hardware device to emulate a USB HID keyboard, pushing data up to a computer simply by emulating a keyboard.

TKXf encodes binary data that is sent out the serial port of one computer (or smartphone) and enters it via the keyboard of another. Either a single file (i.e. an app that encodes data as a QR code) or a continuous stream of data can be sent into a computer through a USB HID keyboard interface.
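From the defender's side, a file arriving through a keyboard interface looks like one long, machine-paced run of keystrokes. The sketch below is an added example, not part of TGXf/TKXf or the original post: it flags such runs in a list of key-down timestamps. The input format, the thresholds, and the premise that an emulated keyboard streams faster and more evenly than a person types are all assumptions.

```python
from statistics import mean, median, pstdev

# Assumed thresholds (not from the article); tune against real typing baselines.
MAX_GAP_S = 1.0        # a pause longer than this ends a burst
MIN_BURST_KEYS = 200   # ignore short bursts (hotkeys, short macros)
FAST_MEDIAN_S = 0.030  # sustained median inter-key gap below 30 ms
LOW_JITTER_CV = 0.25   # coefficient of variation of the gaps


def split_bursts(timestamps, max_gap=MAX_GAP_S):
    """Group sorted key-down timestamps (seconds) into bursts separated by pauses."""
    bursts, current = [], []
    for t in timestamps:
        if current and t - current[-1] > max_gap:
            bursts.append(current)
            current = []
        current.append(t)
    if current:
        bursts.append(current)
    return bursts


def suspicious_bursts(timestamps):
    """Return long bursts that are both faster and more regular than the thresholds."""
    flagged = []
    for burst in split_bursts(sorted(timestamps)):
        gaps = [b - a for a, b in zip(burst, burst[1:])]
        if len(burst) < MIN_BURST_KEYS or not gaps:
            continue
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if median(gaps) < FAST_MEDIAN_S and cv < LOW_JITTER_CV:
            flagged.append({"start": burst[0], "keys": len(burst),
                            "median_gap": median(gaps), "cv": cv})
    return flagged


def constructed_sample():
    """Constructed data: irregular human typing, a pause, then a 10 ms-paced stream."""
    human, t = [], 0.0
    for gap in [0.12, 0.31, 0.09, 0.22, 0.45, 0.15, 0.18, 0.27] * 30:
        t += gap
        human.append(t)
    machine = [t + 5.0 + i * 0.010 for i in range(500)]
    return human + machine


if __name__ == "__main__":
    for hit in suspicious_bursts(constructed_sample()):
        print(hit)
```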

For a demonstration of his system, [Ian] put up a video of a smartphone downloading a PDF from YouTube through a laptop screen. The only requirement for this file transfer is pointing the phone directly at the screen; no WiFi or cellular network is necessary to send data from a computer to a smartphone.

If this sounds like something torn from the pages of a yet-to-be-written [Cory Doctorow] YA novel, you’re probably not far off: nearly all official recommendations for security and privacy controls, including publications from NIST, draw a distinction between use of a file and distribution or disclosure of a file. There is a marked difference between displaying information on a screen and sending it over a network. By transmitting binary data through a display, [Ian] has kicked that door down, turning every monitor and every employee into a security risk.

Thanks [Roman] for sending this in.