Researchers have uncovered a new data exfiltration technique for air-gapped networks that takes advantage of the blinking LED lights on top of routers to steal data.

In a report published last week, researchers at Ben-Gurion University in Israel demonstrated how a router or switch running malware called xLed could use the flashing LED lights as a way to extract binary data carried over the hardware. Using a router with eight LED lights, researchers said, they were able to extract 8000 bits per second of data.

“We show that the bandwidth can be increased further when multiple LEDs are used. This rate allows the exfiltration of files, keylogging data, and encryption keys relatively quickly,” wrote researchers Mordechai Guri, Boris Zadov, Andrey Daidakulov and Yuval Elovici, coauthors of the report (PDF) and researchers at Ben-Gurion University.

Unlike network traffic that is heavily monitored, they wrote, binary extraction of data via a router’s blinking lights is capable of stealthily sidestepping firewalls and other air-gap security measures.

Prerequisites for an attack include the xLed malware installed on the router and a clear line of sight to the router with a video camera. Next, the malware (xLed) is able to identify and intercept specific data passing through the router and break it down into a binary format. The binary code is represented by LED “on cycles” as 1’s and LED “off cycles” as 0’s, said researchers.

Now, “An attacker with a remote camera or optical sensor with a line of sight with the transmitting equipment can receive the data and decode it back to a binary information,” researchers wrote. The cameras used to collect LED data ranged from an entry-level Nikon D7100 and a GoPro Hero5 to an average webcam capturing 30 frames per second.

“We used a router with a standard DD-WRT firmware that has a telnet server. After connecting to the router from a computer in the network, we execute a script which controls the LEDs and modulates the data. The basic LED control commands used by our script,” wrote researchers.

Once installed, the xLed malware is designed to manipulate the LED controls. “The kernel space driver can directly access the appropriate GPIO pins in order to turn the LEDs on and off,” wrote the researchers.

“After receiving the recorded video, the attacker has to process the video in order to detect the location of each transmitting LED. The video is processed frame by frame to identify the LED status (on or off) of each frame. Finally, the binary data is decoded based on the encoding scheme.”
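The encoding and receiver steps the researchers describe (LED on = 1, LED off = 0, one bit per LED per frame, then threshold each frame and reassemble bytes) can be modelled entirely in software to reason about the channel's rate and what a recording must contain. The following is an added example, not code from the xLed paper or its authors; the brightness levels, noise pattern, payload and LED count are all constructed here, and nothing touches real hardware.

```python
"""Software model of the LED on/off covert channel described in the article.

Added example, not code from the xLed paper. It simulates the encoding the
article describes (LED on = 1, off = 0, one bit per LED per video frame) and
the receiver-side steps: threshold each frame's LED brightness, recover the
bit stream, reassemble bytes. All brightness readings are constructed.
"""
from typing import List

Frame = List[float]  # one brightness reading (0.0..1.0) per LED, per video frame


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit list for a byte string."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Inverse of bytes_to_bits; trailing bits that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def encode_to_frames(data: bytes, n_leds: int) -> List[List[int]]:
    """Spread the bit stream over n_leds so each frame carries n_leds bits.

    The last frame is zero-padded; with at most 8 LEDs the padding never
    completes a byte, so the decoder silently drops it.
    """
    if not 1 <= n_leds <= 8:
        raise ValueError("model supports 1..8 LEDs (zero padding stays under one byte)")
    bits = bytes_to_bits(data)
    bits += [0] * ((-len(bits)) % n_leds)
    return [bits[i:i + n_leds] for i in range(0, len(bits), n_leds)]


def simulate_capture(frames: List[List[int]], on_level: float = 0.9,
                     off_level: float = 0.1, jitter: float = 0.05) -> List[Frame]:
    """Constructed 'camera' readings: a deterministic pseudo-noise in
    [-jitter, +jitter] is added so the decoder's thresholding is exercised."""
    captured = []
    for f_idx, frame in enumerate(frames):
        readings = []
        for led_idx, state in enumerate(frame):
            base = on_level if state else off_level
            noise = jitter * (((f_idx * 7 + led_idx * 3) % 5) - 2) / 2
            readings.append(base + noise)
        captured.append(readings)
    return captured


def decode_frames(captured: List[Frame], threshold: float = 0.5) -> bytes:
    """Receiver side: per frame, classify each LED as on (1) or off (0) by a
    brightness threshold, concatenate bits in LED order, reassemble bytes."""
    bits = [1 if level >= threshold else 0 for frame in captured for level in frame]
    return bits_to_bytes(bits)


def channel_rate_bps(n_leds: int, symbols_per_second: float) -> float:
    """One bit per LED per symbol period: 8 LEDs toggled 1000 times a second
    gives the 8000 bit/s the article cites; 8 LEDs read by a 30 fps webcam
    cannot exceed 240 bit/s, since the camera, not the LED, bounds the rate."""
    return n_leds * symbols_per_second


if __name__ == "__main__":
    message = b"key=0x1f"  # constructed payload
    frames = encode_to_frames(message, n_leds=8)
    recovered = decode_frames(simulate_capture(frames))
    print(len(frames), "frames carry", len(message), "bytes; recovered:", recovered)
    print("8 LEDs at 30 fps:", channel_rate_bps(8, 30), "bit/s")
```

The rate helper makes the receiver's frame rate explicit: whatever the router's GPIO driver can toggle, a camera only delivers one sample per LED per frame, which is why the webcam figures in the article fall far below the 8000 bit/s headline number.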

Countermeasures against this type of attack are obvious: restrict physical access to networking equipment, and cover the LEDs with “black tape.”

Researchers acknowledge the attack scenario is theoretical. Clearly, if an adversary had physical access to the target’s router or was able to install malware on it, then extracting data via blinking LED lights no longer seems necessary.

The researchers have made a name for themselves when it comes to offbeat hacking techniques for stealing data from air-gapped systems and IoT devices.

Earlier this year the researchers unveiled LED-it-Go, an attack that uses a computer’s hard-drive activity LED to steal data. Last fall they demonstrated SPEAKE(a)R, an attack that can turn headphones connected to a PC into a microphone. In 2014, the researchers described a malicious program they developed, AirHopper, that lifts data from air-gapped machines using FM radio. Researchers used the program to demonstrate how receivers built into many mobile devices can be used to decode a radio signal sent from a computer’s video card.

Categories: Hacks, Malware, Vulnerabilities

Comments (7)

  1. Anonymous

    openwrt’s kmod-ledtrig-morse module can do the same using morse code. It was created ~10 years ago

  2. Andrew Wolfe

    Agreed “air-gapping” is not impenetrable. However, the physical security of air gapping is associated with multiple additional levels of physical security that will seriously obstruct setting up cameras and RF and thermal receivers and such.

    • Anonymous

      Assuming, of course, the target’s own security cam network hasn’t also been compromised. Aim them things away, or tape the lights.

  3. MD Butler

    How much data at 10Mb, 100b, 1Gb can it buffer and transfer before exceeding available memory?

  4. Andrew

    You keep using that word. I do not think it means what you think it means.

    A network is not air-gapped if there is a wireless router on the network. *roll eyes*

    This is like for Level 3 or Google internal routers or something.
