Considerations on invisible binary data transfer out of DLP-protected systems.

Author: Pentesting Online - Soenke Freitag, Date: Apr. 2017

1. Abstract

Modern companies often use DLP (Data Leakage Prevention) systems to prevent data from being stolen at the employee's desk.

2. Preface

DLP systems prevent the use of foreign USB sticks, SD cards, ancient floppy disks, smartphones, FireWire, Lightning ports etc. This short idea paper illustrates future techniques for exporting data.

3. The Methods

Without any change to the hardware configuration, and with a simple DOS script, you can transfer small amounts of binary data to your cellphone by "blinking" it over the visual monitor interface.

All you need is a simple script and a way to encode binary "1" and binary "0" as a visual signal.
In the DOS command shell, for example, this can be done with "color 0f" and "color f0" for each bit of the desired input file.

You extract the individual bits of the input with expressions such as " set /a 1/(8-(str^&8^)^) || color f0 ", and so on for the other bit positions: the division fails with a divide-by-zero error exactly when the tested bit is set, so the "||" branch runs and switches the color.

This could also be done in Excel or Word macros, where you can change a cell's background or the document's background color to represent binary "1" and "0".

All you need then is an app on your cellphone that records and decodes the data.

There is a lot of room for improvement in this method (e.g. error correction, synchronization etc.), but this paper is only meant to make the point, not to provide a working solution.

If you are able to introduce some more software to the system, have some reporting software at hand, or have limited (read-only) web access, you can also generate QR codes on the screen and export data much faster than with the method described above.

Beyond this very slow and visually conspicuous method lies the possibility of grabbing the data directly from the HDMI / DVI / RGB cable with a corresponding pass-through dongle.
For example, HDMI 1.2/DVI carries up to 3.96 Gbit/s, and 1080p at 60 Hz needs only a fraction of this. HDMI 2.0 carries up to 14.4 Gbit/s.

In addition, the audio channel, which is mostly unused in office environments, offers some possibilities (remember good old Morse code), but the data rate would be much slower than anything discussed before. All methods have in common that you must be able to introduce some software into the system you want to compromise, together with some kind of interpreter or command line.

4. Conclusion

The considerations above show that the needed program would be less than two pages to type in, so the user would not need USB sticks or anything else.

It is almost impossible to prevent ASCII data from being stolen through the desktop computer (for example by simply photographing and OCR'ing the screen).

To prevent users from transferring BINARY data, it is imperative to prevent the introduction of any code or software by the user AND to disable every command interpreter (scripting host, command shell, Office macros etc.).
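As an added example of the mitigation the conclusion calls for (this is not code from the original paper), the following PowerShell script applies, and then audits, the policy settings that disable the interpreters named above: the command shell and batch processing, Windows Script Host, and Office VBA macros. It goes slightly beyond the paper by also putting PowerShell itself into constrained language mode and by adding a minimal AppLocker allow-list for the "no user-introduced code" half of the requirement. The registry locations are the documented Group Policy settings; the Office version key (16.0), the AppLocker rule set, and the function names are assumptions to adapt to your environment.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original paper. Run in an elevated session on a lab
# machine first; HKCU policies must be deployed per user (e.g. via GPO) in production.

# Policy table: registry location, value name, type, and the value that disables the
# interpreter. Office version component (16.0) is an assumption for your build.
$InterpreterPolicies = @(
    @{ Label = 'cmd.exe and .bat/.cmd processing'
       Path  = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name  = 'DisableCMD'; Type = 'DWord'; Hardened = 2 }    # 2 = block prompt AND batch files
    @{ Label = 'Windows Script Host (wscript/cscript)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
       Name  = 'Enabled';    Type = 'DWord'; Hardened = 0 }
    @{ Label = 'PowerShell constrained language mode (__PSLockDownPolicy)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
       Name  = '__PSLockDownPolicy'; Type = 'String'; Hardened = '4' }  # env var; enforce properly with AppLocker/WDAC
)
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $InterpreterPolicies += @{
        Label = "$app VBA macros (disable all without notification)"
        Path  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        Name  = 'VBAWarnings'; Type = 'DWord'; Hardened = 4 }
}

# Apply every setting in the table, creating missing policy keys on the way.
function Set-InterpreterPolicy {
    foreach ($p in $InterpreterPolicies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType $p.Type `
                         -Value $p.Hardened -Force | Out-Null
    }
}

# Audit: one row per interpreter, with the expected and the actual value, so that
# drift (a user or a tool re-enabling an interpreter) shows up in the report.
function Test-InterpreterPolicy {
    foreach ($p in $InterpreterPolicies) {
        $item   = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($p.Name) } else { $null }
        [pscustomobject]@{
            Control  = $p.Label
            Expected = $p.Hardened
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Hardened = ("$actual" -eq "$($p.Hardened)")
        }
    }
}

# Second half of the conclusion: keep the user from introducing code at all.
# Assumed minimal AppLocker allow-list: executables and scripts run only from
# %WINDIR% and %PROGRAMFILES%, so a script typed into a user-writable folder never
# executes. The Script collection covers .ps1, .bat, .cmd, .vbs and .js files.
function Enable-CodeAllowList {
    $xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$(New-Guid)" Name="Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="$(New-Guid)" Name="Windows scripts" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
    $file = Join-Path $env:TEMP 'interpreter-allowlist.xml'
    Set-Content -Path $file -Value $xml -Encoding UTF8
    Set-Service -Name AppIDSvc -StartupType Automatic   # AppLocker needs this service
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $file
}

# Typical use: audit, harden, audit again.
Test-InterpreterPolicy | Format-Table -AutoSize
Set-InterpreterPolicy
Enable-CodeAllowList
Test-InterpreterPolicy | Format-Table -AutoSize
```

Two caveats a practitioner will want: the __PSLockDownPolicy variable is a convenience setting, not a security boundary, and AppLocker or WDAC is what actually enforces constrained language mode; and a path rule for %WINDIR%\* also covers user-writable subfolders such as %WINDIR%\Temp, so a production policy adds exceptions for those folders or uses publisher rules instead, and usually adds a rule that lets the Administrators group run its own tools.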