Abstract
BrightWall is an optical covert channel that uses controlled modulation of a system's display backlight to exfiltrate small, high-value data from air-gapped hosts. The method encodes information in time-varying brightness patterns and relies on remote optical capture, directly or via reflections, to recover the transmitted signal.
BrightWall requires no hardware modification, operates at intentionally low throughput to preserve stealth, and combines a compact sender primitive with robust receiver processing. This paper presents a single, self-contained account covering the threat model, signal design and algorithms, timing model, and a theoretical framework for capacity and error analysis.
Threat Model
The threat model assumes an adversary with the capability to execute a userland process on a target host that can read and set display brightness via standard operating system interfaces. The adversary also has access to an optical sensor capable of recording the display or its indirect reflections.
No firmware or hardware implant is required. No privileged modifications are assumed. The defender is not assumed to monitor fine-grained brightness telemetry in real time, which is consistent with how almost every real environment is actually configured.
Key property: the sender process runs entirely in userland. On Linux it accesses backlight interfaces via /sys/class/backlight. No root required, no kernel modules, no hardware modification. That is what makes this interesting.
Signal Design
The BrightWall signaling primitive is intentionally simple: a time-domain pulse scheme where information is carried by the durations of bright intervals ("on" periods) separated by low brightness ("off" periods). The encoding is inspired by Morse code.
Let the base time unit be t_dot. The remaining symbol durations derive from it:
The sender toggles the display backlight between two defined levels: a near-off baseline and a near-maximum level. An "on" interval of duration t_dot transmits a dot. An "on" interval of duration t_dash transmits a dash. Short off gaps separate symbols within a letter; longer gaps separate letters and words.
Hardware latency matters here. Many LCD and LED backlight drivers have non-negligible rise and fall times, in the range of tens of milliseconds. The sender pre-measures the device step response and adds a timing offset so that the effective illumination duration at the sensor matches the intended symbol durations.
Receiver Processing
The receiver requires an optical recording of the scene containing either the display directly or a reflection. A diffuse reflection on a nearby wall is sufficient. The recorded video is processed frame-by-frame at its native frame rate to construct a brightness timeline.
- Define a region of interest where the reflected or direct display signal is strongest.
- Convert each frame in the ROI to grayscale and compute the mean luminance to get a brightness sequence B.
- Apply median filtering and low-order smoothing to reduce frame-level noise.
- Use a percentile-based threshold (e.g. 60th percentile of B) to binarize the timeline into high/low states.
- Collapse consecutive frames with identical binary state into runs. Convert run lengths to durations using the frame rate.
- Classify durations: on-runs shorter than the midpoint between t_dot and t_dash are dots; longer are dashes.
- Accumulate symbols into Morse letters and map back to ASCII.
Optical Propagation
The display-to-surface-to-camera path behaves as a linear time-invariant filter that blurs the transmitted waveform. The received luminance is approximately the convolution of the transmitted PWM waveform with an effective point spread function in time, accounting for backlight settling, surface reflection characteristics, and the camera's exposure integration.
Diffuse reflections (matte walls) tend to low-pass filter the signal, reducing high-frequency content and increasing symbol smearing. Specular reflections (glossy surfaces, mirrors) preserve higher temporal fidelity but require tighter geometric alignment. Ambient illumination, sensor gain, automatic exposure, and video compression all affect SNR and need to be controlled or compensated.
Capacity and Error Analysis
After preprocessing and binarization the channel reduces to a timing channel where information is encoded in the durations of on/off runs. Let the effective modulation bandwidth be approximately 1/t_min, where t_min is the minimum reliably distinguishable symbol duration.
BrightWall operates deliberately at low B and low SNR to remain covert. Errors arise primarily from timing jitter and imperfect thresholding. If symbol duration estimates are corrupted by additive, zero-mean Gaussian noise with standard deviation sigma_d, the probability of misclassifying a symbol is:
For a sequence of k symbols with independent per-symbol error probabilities p_i, the message error probability is the complement of the product of per-symbol success rates. Adding redundancy through repetition, parity checks, or block codes reduces this at the cost of throughput.
Detection and Stealth
Distinguishing a modulated signal from natural brightness variation is a hypothesis-testing problem. Under the null hypothesis, observed luminance variations are attributable to typical ambient and application-level changes. Under the alternative hypothesis, they contain the structured timing pattern induced by BrightWall.
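The hypothesis test above can be run host-side over brightness telemetry. The following Python sketch is an added example, not code from the paper: it rejects the null hypothesis only when a trace toggles many times between exactly two levels and its bright intervals fall into two tight duration clusters. It assumes the defender polls the backlight brightness value every 50 ms; the function names, thresholds and sample traces are all constructed for illustration.

```python
# Added example: flag two-level, bimodal backlight toggling in brightness telemetry.
# Thresholds and sample data are assumptions/constructed, not from the paper.

def synth(pattern, dt_ms=50):
    """Expand (level, duration_ms) segments into polled (t_ms, level) samples."""
    t, out = 0, []
    for level, dur in pattern:
        for _ in range(dur // dt_ms):
            out.append((t, level))
            t += dt_ms
    return out

def runs(samples):
    """Collapse samples into (level, duration_ms) runs of constant brightness."""
    changes = [samples[0]]
    for t, level in samples[1:]:
        if level != changes[-1][1]:
            changes.append((t, level))
    ends = [t for t, _ in changes[1:]] + [samples[-1][0]]
    return [(level, end - t) for (t, level), end in zip(changes, ends)]

def looks_modulated(samples, min_toggles=8, min_ratio=2.0, max_on_ms=5000):
    """Reject the null (ordinary use) only if all structural tests pass."""
    r = runs(samples)
    levels = {level for level, _ in r}
    if len(levels) != 2 or len(r) - 1 < min_toggles:
        return False                      # multi-level or too few transitions
    high = max(levels)
    on = sorted(d for level, d in r[1:-1] if level == high)  # edge runs are truncated
    if len(on) < 4 or max(on) > max_on_ms:
        return False
    # Split sorted on-durations at the largest relative jump: short vs long pulses.
    ratio, split = max((b / a, i) for i, (a, b) in enumerate(zip(on, on[1:]), 1))
    short, long_ = on[:split], on[split:]
    tight = max(short) < 1.5 * min(short) and max(long_) < 1.5 * min(long_)
    return ratio >= min_ratio and tight

# Constructed telemetry: pulsed two-level trace vs. two ordinary-use traces.
PULSED = synth([(5, 3000), (255, 200), (5, 200), (255, 600), (5, 200), (255, 200),
                (5, 600), (255, 600), (5, 200), (255, 600), (5, 200), (255, 200),
                (5, 3000)])
USER_ADJUST = synth([(120, 30000), (180, 45000), (90, 60000)])
IDLE_DIM = synth([(200, 60000), (20, 30000), (200, 60000), (20, 30000), (200, 60000)])

if __name__ == "__main__":
    for name, trace in [("pulsed", PULSED), ("user", USER_ADJUST), ("idle-dim", IDLE_DIM)]:
        print(name, looks_modulated(trace))
```

A trace that uses only one pulse length, or more than two brightness levels, passes this particular test, so it is best treated as one signal to correlate with process-level auditing of writes to the brightness interface.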
BrightWall's operational regime intentionally lies close to the noise floor to minimize detection probability. The tradeoff is capacity. Throughput of one to three characters per second is low, but for exfiltrating a password, an encryption key fragment, or a short authentication token, it is sufficient.
Practical robustness measures: adaptive thresholding for slowly varying ambient illumination, median filtering to reject frame-level spikes, duration clustering to account for small timing offsets, and ensemble voting across multiple video captures all improve decoding reliability without requiring changes to the sender.
Conclusion
BrightWall demonstrates that conventional display hardware can be repurposed as a covert optical transmitter capable of leaking compact, high-value information from air-gapped systems. The technique deliberately trades throughput for stealth and relies on careful timing design, simple but robust receiver processing, and an understanding of optical propagation effects.
Defenders should treat physical isolation as one layer among many and consider monitoring device behavior and reducing optical exposure of sensitive systems. The full paper provides a self-contained technical description and theoretical framework for assessing risks and designing mitigations.