1. Context and challenge
We have been tasked with exfiltrating data from a workstation without any external connections. The only possible method is by taking a picture of the workstation screen.
This challenge would be straightforward if the document were small and comprised of human-readable ASCII characters. However, we need to exfiltrate 7MB of binary data.
Two main challenges need to be addressed:
- Convert the binary data into a human-readable format (e.g., base64, hex, custom)
- Ensure that the conversion from picture to text is 100% accurate (even a 1-bit error would compromise the entire document)
2. First Attempt
In our first attempt, we opted for the most straightforward solution as depicted in the picture below:
This basic solution involves converting the binary data into hexadecimal format, taking a picture of the hexadecimal data, and then using OCR engines to convert the picture back into the original hexadecimal string.
Among several OCR engines, we chose Tesseract for its efficiency and ease of use. Originally developed at Hewlett-Packard between 1985 and 1994, Tesseract was open-sourced in 2005 and further developed by Google from 2006 until November 2018.
Analysis of the output
Analyzing the results, we noted that although the success rate was 99%, several characters from the initial image were not recognized.
We also noticed that, depending on its position, a character could be interpreted differently:
- 0 => @
- 0 => Q
- 6 => G
- 2 => Z
This last observation prompted us to try a new exfiltration method that introduces whitespace around each character.
3. Second Attempt
Compared with the previous method, the main modification is in the encoding step, where we added a space around each character.
Inserting whitespace around each character results in quadrupling the size of the original document.
Analysis of the output
The result of this second attempt was much worse than the first: the success rate was below 25%.
The whitespace seems to completely disrupt the recognition.
Our last remaining option is to try a new exfiltration method that processes the picture character by character.
Although this approach will clearly require substantial resources, we must attempt it.
4. Third Attempt
For this third attempt, we decided to slightly modify the first attempt by splitting the picture into small pieces. Each piece of the picture contains only one character and is then processed.
Analysis of the output
This new method slightly improved the recognition success rate compared to the first attempt, but it still didn't achieve complete success.
Although this method is very slow, the slight improvement in the success rate suggests that training the OCR engine could address the remaining gaps.
After spending several hours training the OCR engine, we realized that this is an endless process and decided to give up.
The three failed attempts revealed the following:
- Character recognition depends on the character's position in the word.
- The more distinct characters there are in the picture, the worse the recognition becomes.
The second point allowed us to move past our disappointment and try a new method with a smaller character set in the picture.
5. Fourth Attempt
Applying the lessons learned so far, we decided to choose an encoding that converts the binary data into a format with the smallest possible character set.
The best candidate encoding is a binary string, even though it increases the original document size 8 times.
Applying this method to binary data representing a small encrypted archive allowed us to exfiltrate the full data.
6. Achieving the goal
After successfully exfiltrating the 2KB binary, we quickly recognized the limitations of our previous solution when attempting to exfiltrate larger files. When encoded, these larger files couldn't fit on the screen, making it impossible to take pictures.
To address this challenge, we split the encoded file into smaller segments that fit on the screen and opened them one by one using a script. Instead of taking pictures, we recorded a video of the files.
Once the video was recorded, we split it into several images and converted each image back into the original text.
7. Conclusion
This article highlights the potential risks associated with using electronic devices to exfiltrate data, but it also underscores several significant limitations:
- Time-Consuming Process: Encoding and recording 1MB of binary data takes almost 4 hours, which is highly inefficient. This long duration makes it less practical for attackers who may need to exfiltrate large amounts of data quickly.
- Manual Effort: Manually writing the 200-line PowerShell script took about 1 hour and adds significant overhead for the attacker. This manual effort is not only time-consuming but also increases the risk of detection during the process.
- Slow Process: The overall slowness of the process further reduces its practicality. Attackers typically seek methods that are both quick and stealthy to avoid detection.
- Dependency on Network Speed: If the recording quality depends on the network speed, especially if the operation is being conducted remotely, it introduces another variable that can impact the success of the exfiltration. Slow or unstable network connections can degrade the quality and increase the time required.