Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Infrared Cameras Allow Hackers to Jump Air Gaps

A team of researchers from Israel has developed a piece of malware that demonstrates how hackers can abuse security cameras with infrared (IR) capabilities to send and receive data to and from an air-gapped network.

A team of researchers from Israel has developed a piece of malware that demonstrates how hackers can abuse security cameras with infrared (IR) capabilities to send and receive data to and from an air-gapped network.

The research was conducted by the Ben-Gurion University of Negev and the Shamoon College of Engineering in Israel. Its goal was to show that a piece of malware installed in an air-gapped network can not only exfiltrate sensitive data, such as passwords, PINs and encryption keys, but also receive commands from the outside world via infrared light, which is invisible to the human eye.

Security cameras are typically equipped with IR LEDs that provide night vision capabilities. If an attacker can plant a piece of malware on the network connected to these cameras, the malware can take control of the IR LEDs and use them to transmit bits of data.

The malware described by experts, dubbed “aIR-Jumper,” can encode the stolen data using various methods. For example, if on-off keying (OOK) encoding is used, the absence of an IR signal for a certain duration encodes a zero (“0”) bit, while the presence of a signal for the same duration encodes a one (“1”) bit.

Encoding one character of a password, PIN or encryption key requires 8 bits (1 byte). However, for data transmission purposes, the researchers suggested also adding preamble bits for calibrating certain parameters (e.g. LED location and IR levels) and synchronization with the beginning of the transmission, and some bits for error detection.

Another encoding method suggested by the researchers involves frequency changes. For example, a “1” is encoded if the LED is on for a certain duration at a certain frequency, and a zero is encoded if it’s on at a different frequency. Similarly, intensity level changes, or amplitude shift keying (ASK), can be used.

Data transmission rates depend on the security camera and the camera used to capture the data (e.g. GoPro, smartphone camera). Experiments conducted by the researchers showed that data can be exfiltrated at a rate of 20 bits/sec over a distance of tens of meters, and it can be infiltrated over a distance of hundreds of meters and even kilometers at a rate of 100 bits/sec.

Data transmission rates can be increased significantly if more than one security camera is used by the attacker. Videos have been published to show how the infiltration and exfiltration attacks work:

Ben-Gurion researchers have dedicated a lot of their time to finding ways to exfiltrate and infiltrate data on air-gapped networks. Their previous work involved using router LEDsscannersHDD activity LEDs, USB devices, the noise emitted by hard drives and fans, and heat emissions.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.