Have you ever attempted to exfiltrate binary data using just your phone's camera?


1. Context and challenge

We have been tasked with exfiltrating data from a workstation that has no external connections. The only available channel is taking a picture of the workstation screen.

This challenge would be straightforward if the document were small and composed of human-readable ASCII characters. However, we need to exfiltrate 7MB of binary data.

Two main challenges need to be addressed:

2. First Attempt

In our first attempt, we opted for the most straightforward solution, as depicted in the picture below:

This basic solution involves converting the binary data into hexadecimal text, taking a picture of that text, and then using an OCR engine to convert the picture back into the original hexadecimal string.

Among several OCR engines, we chose Tesseract for its efficiency and ease of use. Originally developed at Hewlett-Packard between 1985 and 1994, Tesseract was open-sourced in 2005 and further developed by Google from 2006 until November 2018.

Analysis of the output

Analyzing the results, we found that although the success rate was about 99%, several characters from the original image were not recognized at all.

We also noticed that the same character could be interpreted differently depending on its position in the image:

This last observation prompted us to try a new exfiltration method: introducing whitespace around each character.

3. Second Attempt

Compared to the previous method, the major modification concerns the encoding step, where we added a space around each character.
Inserting whitespace around each character quadruples the size of the original document.

Analysis of the output

The result of this second attempt was much worse than the first: the success rate was below 25%.
The added whitespace seems to disrupt the recognition completely (Tesseract's layout analysis groups glyphs into words and lines, and isolated characters lose that context).

The last remaining option was to try a new exfiltration method that works character by character.
Although it was evident that this approach would require substantial resources, we had to attempt it.

4. Third Attempt

For this third attempt, we slightly modified the first attempt by splitting the picture into small tiles, each containing exactly one character, and then running the OCR engine on each tile separately.

Analysis of the output

This new method slightly improved the recognition success rate compared to the first attempt, but it still did not achieve complete success.

Although this method is very slow, the slight improvement in the success rate suggested that training the OCR engine could potentially close the remaining gap.

After spending several hours training the OCR engine, we realized that this is an endless process and decided to give up.

The three failed attempts revealed the following:

The second point allowed us to step back from this dead end and try a new method with a smaller character set in the picture.

5. Fourth Attempt

Applying the lesson learned at this stage, we decided to choose an encoding that converts the binary data into a format with the smallest possible character set.
The best candidate is the binary string (only the characters '0' and '1'), even though it increases the size of the original document eight times.

Applying this method to a small encrypted archive (a 2KB binary) allowed us to exfiltrate the full data.

6. Achieving the goal

After successfully exfiltrating the 2KB binary, we quickly recognized the limitations of our previous solution when attempting to exfiltrate larger files. Once encoded, these larger files could not fit on the screen, so they could not be captured in a single picture.

To address this, we split the encoded file into smaller segments that fit on the screen and displayed them one by one with a script. Instead of taking pictures, we recorded a video of the screen.

Once the video was recorded, we split it into individual frames and converted each frame back into the original text.
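The following Python script is an added example, not the code used by the authors, that implements the encoding side of attempt 4 (binary string, 8x expansion) and the paging scheme of this section (split into screen-sized pages, reassemble from captured frames). It also adds something the page does not describe and that a practitioner would want given the OCR error rates reported above: every page carries a header with its index, the total page count and a CRC32 over the page, so that a misread frame is rejected instead of silently corrupting the output, and the duplicate frames that a video recording produces for each page are collapsed. The header layout, the 32-bit length prefix, the `SAMPLE` payload and the `simulate_ocr_frames` helper are this example's own constructions.

```python
"""Bit-string paging for screen-to-camera exfiltration (added example).

Encoder: bytes -> pages of '0'/'1' text sized to a terminal (cols x rows).
Decoder: OCR'd page texts (noisy, duplicated, possibly missing) -> bytes.
The per-page header (index, count, CRC32) is this example's own design.
"""
import zlib
from typing import Dict, List, Tuple

HEADER_BITS = 16 + 16 + 32   # page index, page count, CRC32 of (index, count, body)
LENGTH_BITS = 32             # original byte length, prefixed to the bit stream

# Constructed sample payload standing in for a small encrypted archive.
SAMPLE = bytes(range(256)) * 3


def to_bits(data: bytes) -> str:
    """bytes -> '0'/'1' string, MSB first (the 8x expansion from attempt 4)."""
    return ''.join(f'{b:08b}' for b in data)


def from_bits(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def encode_pages(data: bytes, cols: int = 80, rows: int = 25) -> List[str]:
    """Split data into screen-sized pages; line 1 is the header, the rest is payload."""
    assert cols >= HEADER_BITS, "header must fit on one screen line"
    payload_bits = cols * (rows - 1)
    stream = f'{len(data):0{LENGTH_BITS}b}' + to_bits(data)
    chunks = [stream[i:i + payload_bits] for i in range(0, len(stream), payload_bits)]
    total = len(chunks)
    pages = []
    for idx, chunk in enumerate(chunks):
        chunk = chunk.ljust(payload_bits, '0')          # last page is zero-padded
        fields = f'{idx:016b}{total:016b}'
        crc = zlib.crc32((fields + chunk).encode())      # covers index+count+body
        header = (fields + f'{crc:032b}').ljust(cols, '0')
        body = '\n'.join(chunk[i:i + cols] for i in range(0, payload_bits, cols))
        pages.append(header + '\n' + body)
    return pages


def decode_pages(ocr_texts: List[str], cols: int = 80, rows: int = 25) -> Tuple[bytes, dict]:
    """Reassemble the original bytes from OCR output of captured frames.

    Frames may repeat a page (video), contain OCR noise (spaces, stray
    characters) or be misread; misread frames fail the CRC and are rejected.
    Returns (data, report); data is b'' when any page is missing.
    """
    good: Dict[int, str] = {}
    report = {'rejected': [], 'missing': []}
    total = None
    for n, text in enumerate(ocr_texts):
        bits = ''.join(c for c in text if c in '01')    # drop whitespace and noise
        if len(bits) != cols * rows:
            report['rejected'].append((n, 'bad length'))
            continue
        header, body = bits[:cols], bits[cols:]
        idx, count, crc = int(header[:16], 2), int(header[16:32], 2), int(header[32:64], 2)
        if zlib.crc32((header[:32] + body).encode()) != crc:
            report['rejected'].append((n, f'crc mismatch on page {idx}'))
            continue
        total = count
        good.setdefault(idx, body)                       # duplicate frames are harmless
    if total is None:
        return b'', report
    report['missing'] = [i for i in range(total) if i not in good]
    if report['missing']:
        return b'', report
    stream = ''.join(good[i] for i in range(total))
    length = int(stream[:LENGTH_BITS], 2)
    return from_bits(stream[LENGTH_BITS:LENGTH_BITS + 8 * length]), report


def simulate_ocr_frames(pages: List[str]) -> List[str]:
    """Constructed stand-in for OCR'd video frames: each page is seen twice,
    once more with a single misread bit, plus one frame with spacing noise."""
    frames = []
    for p in pages:
        frames += [p, p]
        frames.append(p[:-1] + ('1' if p[-1] == '0' else '0'))   # hypothetical misread
    frames.append(' '.join(pages[0]))                            # spaced characters
    return frames


if __name__ == '__main__':
    pages = encode_pages(SAMPLE)
    data, report = decode_pages(simulate_ocr_frames(pages))
    print(len(pages), 'pages;', 'recovered' if data == SAMPLE else 'FAILED', report)
```

The CRC covers the index and count fields as well as the body, so a frame whose header was misread is rejected rather than being filed under the wrong page number. For scale, at 80x24 payload characters per page the 7MB target from section 1 expands to roughly 30,000 pages, which is the cost the conclusion below refers to.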

7. Conclusion

This article highlights the potential risks associated with using electronic devices to exfiltrate data, but it also underscores several significant limitations:

In summary, while the method described could technically be used for data exfiltration, its practical application is severely limited by the time, effort, and conditions required.
