CTRL-ALT-LED: Leaking Data from Air-Gapped Computers via Keyboard LEDs
Pith reviewed 2026-05-24 23:31 UTC · model grok-4.3
The pith
Malware can exfiltrate data from air-gapped computers by blinking keyboard LEDs at up to 3000 bits per second.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
An advanced persistent threat can use the keyboard LEDs to encode and transmit information optically from air-gapped computers. The attack involves malware modulating the LED states to represent data bits, which are captured by optical receivers like light sensors or cameras. Experiments show maximum rates of 3000 bit/sec per LED with dedicated sensors and over 120 bit/sec with smartphones, without requiring keyboard modifications.
What carries the argument
Modulation of the three keyboard LED states (Caps-Lock, Num-Lock, Scroll-Lock) via software USB HID control to form an optical covert channel for data encoding and transmission.
Load-bearing premise
The attacker must be able to run code on the air-gapped machine to control the LED states via software, and the receiver must have line-of-sight to the keyboard.
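A defender's view of this premise, as an added example that is not from the paper or from this page: because the LEDs are driven by software on the host, a host-side monitor can flag toggle rates that no typist produces. The `(time_ms, led, state)` event format, the `find_led_bursts` name and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

def find_led_bursts(events, window_ms=1000, max_toggles=8):
    """Return (led, start_ms, end_ms, toggles) for each run in which one LED
    changes state more than max_toggles times within window_ms."""
    last_state = {}
    recent = defaultdict(deque)  # led -> timestamps of recent state changes
    open_burst = {}              # led -> [start_ms, end_ms, toggles]
    bursts = []
    for t, led, state in sorted(events):
        prev = last_state.get(led)
        last_state[led] = state
        if prev is None or prev == state:
            continue             # baseline reading or repeated report
        q = recent[led]
        q.append(t)
        while t - q[0] > window_ms:
            q.popleft()          # forget changes older than the window
        if len(q) > max_toggles:
            burst = open_burst.setdefault(led, [q[0], t, len(q) - 1])
            burst[1] = t
            burst[2] += 1
        elif led in open_burst:
            bursts.append((led, *open_burst.pop(led)))  # rate fell back
    bursts.extend((led, *b) for led, b in open_burst.items())
    return sorted(bursts, key=lambda b: b[1])

# Constructed sample: ordinary Caps-Lock/Num-Lock use, then Scroll-Lock
# changing state every 10 ms (hypothetical monitor output, not real data).
SAMPLE_EVENTS = (
    [(0, "caps", 0), (1500, "caps", 1), (6000, "caps", 0), (9000, "caps", 1),
     (3000, "num", 1), (3001, "num", 1), (20000, "scroll", 0)]
    + [(20000 + 10 * i, "scroll", i % 2) for i in range(1, 65)]
)

if __name__ == "__main__":
    for led, start, end, toggles in find_led_bursts(SAMPLE_EVENTS):
        print(f"{led}: {toggles} toggles in {end - start} ms")
```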
What would settle it
A controlled test in which malware attempts LED modulation but no corresponding data is recovered by the described light sensors or smartphone cameras at the claimed distances and rates.
Original abstract
Using the keyboard LEDs to send data optically was proposed in 2002 by Loughry and Umphress [1] (Appendix A). In this paper we extensively explore this threat in the context of a modern cyber-attack with current hardware and optical equipment. In this type of attack, an advanced persistent threat (APT) uses the keyboard LEDs (Caps-Lock, Num-Lock and Scroll-Lock) to encode information and exfiltrate data from air-gapped computers optically. Notably, this exfiltration channel is not monitored by existing data leakage prevention (DLP) systems. We examine this attack and its boundaries for today's keyboards with USB controllers and sensitive optical sensors. We also introduce smartphone and smartwatch cameras as components of malicious insider and 'evil maid' attacks. We provide the necessary scientific background on optical communication and the characteristics of modern USB keyboards at the hardware and software level, and present a transmission protocol and modulation schemes. We implement the exfiltration malware, discuss its design and implementation issues, and evaluate it with different types of keyboards. We also test various receivers, including light sensors, remote cameras, 'extreme' cameras, security cameras, and smartphone cameras. Our experiment shows that data can be leaked from air-gapped computers via the keyboard LEDs at a maximum bit rate of 3000 bit/sec per LED given a light sensor as a receiver, and more than 120 bit/sec if smartphones are used. The attack doesn't require any modification of the keyboard at hardware or firmware levels.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript demonstrates an optical exfiltration attack from air-gapped computers that modulates the states of the Caps-Lock, Num-Lock, and Scroll-Lock LEDs on USB keyboards to encode and transmit data. It provides hardware/software background on modern keyboards, defines a transmission protocol and modulation schemes, implements the malware, and evaluates performance across multiple keyboards and receivers (light sensors, remote cameras, security cameras, smartphone cameras). Reported rates reach 3000 bit/sec per LED with a light sensor and >120 bit/sec with smartphones; no keyboard hardware or firmware modification is required.
Significance. If the results hold, the work supplies a concrete, reproducible demonstration of a covert optical channel that bypasses conventional DLP monitoring. The empirical scope (multiple keyboards, diverse receivers, explicit protocol design) and the explicit scoping to standard APT/evil-maid assumptions (code execution on target + line-of-sight) make the contribution measurable and falsifiable. The absence of invented parameters or circular derivations further supports the reliability of the reported bit rates.
minor comments (3)
- [§4] §4 (protocol description): the modulation scheme and error-correction details are referenced but a compact pseudocode or state diagram would improve reproducibility for readers implementing the transmitter.
- [Table 2] Table 2 (receiver comparison): the reported bit rates for smartphone cameras would benefit from an explicit column listing the distance and ambient-light conditions under which the >120 bit/sec figure was measured.
- [References] The abstract cites Loughry and Umphress (2002) but the reference list entry should include the full conference name and page numbers for completeness.
Simulated Author's Rebuttal
We thank the referee for the detailed and accurate summary of the manuscript, the recognition of its significance as a concrete and reproducible demonstration of an optical covert channel, and the recommendation to accept. No major comments were raised that require addressing.
Circularity Check
No significant circularity; empirical measurement paper
The paper reports an experimental implementation of an optical exfiltration channel via keyboard LEDs, including protocol design, malware implementation, and bit-rate measurements across multiple keyboards and receivers. No derivation chain, fitted parameters, equations, or self-referential predictions exist. The sole citation to prior work is to an external 2002 paper by Loughry and Umphress; all performance claims rest on direct hardware tests rather than any reduction to inputs by construction. The work is self-contained against external benchmarks.
Reference graph
Works this paper leans on
- [1] J. Loughry and D. A. Umphress, “Information leakage from optical emanations,” ACM Transactions on Information and System Security (TISSEC), vol. 5, no. 3, pp. 262–289, 2002
- [2] R. Grant, “The cyber menace,” Air Force Magazine, vol. 92, no. 3, 2009
- [3] M. Guri, Y. Solewicz, A. Daidakulov, and Y. Elovici, “Fansmitter: Acoustic data exfiltration from (speakerless) air-gapped computers,” arXiv preprint arXiv:1606.05915, 2016
- [4] M. Guri, G. Kedma, A. Kachlon, and Y. Elovici, “Airhopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies,” in 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE). IEEE, 2014, pp. 58–67
- [5] M. Guri and Y. Elovici, “Bridgeware: The air-gap malware,” Commun. ACM, vol. 61, no. 4, pp. 74–82, Mar. 2018. [Online]. Available: http://doi.acm.org/10.1145/3177230
- [6] M. Guri and M. Monitz, “Lcd tempest air-gap attack reloaded,” in 2018 IEEE International Conference on the Science of Electrical Engineering in Israel (ICSEE). IEEE, 2018, pp. 1–5
- [7] M. Guri, M. Monitz, and Y. Elovici, “Bridging the air gap between isolated networks and mobile phones in a practical cyber-attack,” ACM Transactions on Intelligent Systems and Technology (TIST), vol. 8, no. 4, p. 50, 2017
- [8] M. Guri, A. Kachlon, O. Hasson, G. Kedma, Y. Mirsky, and Y. Elovici, “Gsmem: Data exfiltration from air-gapped computers over gsm frequencies,” in USENIX Security Symposium, 2015, pp. 849–864
- [9] M. Guri, M. Monitz, and Y. Elovici, “USBee: Air-gap covert-channel via electromagnetic emission from USB,” in 14th Annual Conference on Privacy, Security and Trust (PST). IEEE, 2016, pp. 264–268
- [10] M. Guri, B. Zadov, A. Daidakulov, and Y. Elovici, “Odini : Escaping sensitive data from faraday-caged, air-gapped computers via magnetic fields,” 2018
- [11] M. Guri, A. Daidakulov, and Y. Elovici, “Magneto: Covert channel between air-gapped systems and nearby smartphones via cpu-generated magnetic fields,” arXiv preprint arXiv:1802.02317, 2018
- [12] M. Guri, B. Zadov, D. Bykhovsky, and Y. Elovici, “PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines,” ArXiv e-prints, Apr. 2018
- [13] M. Hanspach and M. Goetz, “On covert acoustical mesh networks in air,” arXiv preprint arXiv:1406.1213, 2014
- [14] M. Guri, Y. Solewicz, A. Daidakulov, and Y. Elovici, “Acoustic data exfiltration from speakerless air-gapped computers via covert hard-drive noise (diskfiltration),” in European Symposium on Research in Computer Security. Springer, 2017, pp. 98–115
- [15] M. Guri, Y. Solewicz, and Y. Elovici, “Mosquito: Covert ultrasonic transmissions between two air-gapped computers using speaker-to-speaker communication,” in 2018 IEEE Conference on Dependable and Secure Computing (DSC). IEEE, 2018, pp. 1–8
- [16] M. Guri, M. Monitz, Y. Mirski, and Y. Elovici, “Bitwhisper: Covert signaling channel between air-gapped computers using thermal manipulations,” in 28th IEEE Computer Security Foundations Symposium (CSF). IEEE, 2015, pp. 276–289
- [17] M. Guri, B. Zadov, and Y. Elovici, LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED. Cham: Springer International Publishing, 2017, pp. 161–184. [Online]. Available: https://doi.org/10.1007/978-3-319-60876-1_8
- [18] M. Guri, B. Zadov, A. Daidakulov, and Y. Elovici, “xLED: Covert data exfiltration from air-gapped networks via switch and router LEDs,” in 2018 16th Annual Conference on Privacy, Security and Trust (PST). IEEE, 2018, pp. 1–12
- [19] M. Guri and D. Bykhovsky, “air-jumper: Covert air-gap exfiltration/infiltration via security cameras & infrared (ir),” Computers & Security, vol. 82, pp. 15–29, 2019
- [20] M. Guri, O. Hasson, G. Kedma, and Y. Elovici, “An optical covert-channel to leak data through an air-gap,” in 14th Annual Conference on Privacy, Security and Trust (PST). IEEE, 2016, pp. 642–649
- [21] M. Guri, “Optical air-gap exfiltration attack via invisible images,” Journal of Information Security and Applications, vol. 46, pp. 222–230, 2019
- [22] J. Rutkowska and A. Tereshkin, “Evil maid goes after truecrypt,” The Invisible Things Lab, 2009
- [23] U. I. F. Inc., “Device class definition for human interface devices (hid),” http://www.usb.org/developers/hidpage/HID1_11.pdf, (Accessed on 08/11/2018)
- [24] Microchip, “Demonstrating the set report request with a PS/2 to USB keyboard translator example,” http://ww1.microchip.com/downloads/cn /AppNotes/cn 91056C.pdf, (Accessed on 08/11/2018)
- [25] “Flashing keyboard leds,” https://linux.die.net/lkmpg/x1194.html, (Accessed on 08/11/2018)
- [26] NXP, “USB HID keyboard - - sending output report for LED control fails,” https://community.nxp.com/thread/382242, (Accessed on 08/11/2018)
- [27]
- [28] S. Haruyama and T. Yamazato, “Image sensor based visible light communication,” in Visible Light Communication, S. Arnon, Ed. Cambridge University Press, 2015, ch. 9, pp. 181–205
- [29] V. Mackowiak, J. Peupelmann, Y. Ma, and A. Gorges, “NEP – noise equivalent power,” Thorlabs Inc., 56 Sparta Avenue, Newton, NJ 07860, USA, Tech. Rep. [Online]. Available: https://www.thorlabs.com/images/ TabImages/Noise Equivalent Power White Paper.pdf
- [30] T. Komine and M. Nakagawa, “Fundamental analysis for visible-light communication system using LED lights,” IEEE transactions on Consumer Electronics, vol. 50, no. 1, pp. 100–107, 2004
- [31] O. Foundation, “Opencv library,” https://opencv.org/, (Accessed on 08/12/2018)
- [32] J. Vučić, C. Kottke, S. Nerreter, K.-D. Langer, and J. W. Walewski, “513 mbit/s visible light communications link based on dmt-modulation of a white led,” Journal of lightwave technology, vol. 28, no. 24, pp. 3512–3518, 2010
- [33] Thorlabs. Thorlabs Inc. 56 Sparta Avenue, Newton, NJ 07860, USA. (Accessed on 08/12/2018). [Online]. Available: https://www.thorlabs.com/thorproduct.cfm?partnumber=PDA100A
- [34] N. Instruments. National Instruments. (Accessed on 08/12/2018). [Online]. Available: http://www.ni.com/en-us/shop/compactdaq.html
- [35] ——. National Instruments. (Accessed on 08/12/2018). [Online]. Available: https://www.ni.com/pdf/manuals/373784f.pdf
- [36] D. J. Tian, N. Scaife, A. Bates, K. Butler, and P. Traynor, “Making USB great again with USBFILTER,” in USENIX Security Symposium, 2016