Blinking Router LEDs Leak Data From Air-Gapped Networks

Researchers say sensitive data can be extracted from air-gapped networks via a wireless router’s blinking LEDs.

Researchers have uncovered a new data extraction hole inside air-gapped networks that takes advantage of the blinking LED lights on top of routers to steal data.

In a report published last week, researchers at Ben-Gurion University in Israel demonstrated how a router or switch running malware called xLed could use the flashing LED lights as a way to extract binary data carried over the hardware. Using a router with eight LED lights, researchers said, they were able to extract 8000 bits per second of data.

“We show that the bandwidth can be increased further when multiple LEDs are used. This rate allows the exfiltration of files, keylogging data, and encryption keys relatively quickly,” wrote researchers Mordechai Guri, Boris Zadov, Andrey Daidakulov and Yuval Elovici, coauthors of the report (PDF) and researchers at Ben-Gurion University.

Unlike network traffic that is heavily monitored, they wrote, binary extraction of data via a router’s blinking lights is capable of stealthily sidestepping firewalls and other air-gap security measures.

Prerequisites for an attack include the xLed malware installed on the router and a clear line of sight to the router with a video camera. Next, the malware (xLed) is able to identify and intercept specific data passing through the router and break it down into a binary format. The binary code is represented by LED “on cycles” as 1’s and LED “off cycles” as 0’s, said researchers.

Now, “An attacker with a remote camera or optical sensor with a line of sight with the transmitting equipment can receive the data and decode it back to a binary information,” researchers wrote. Types of cameras used to collect LED data ranged from entry-level Nikon D7100, GoPro Hero5 to an average webcam capturing 30 frames-per-second.

“We used a router with a standard DD-WRT firmware that has a telnet server. After connecting to the router from a computer in the network, we execute a script which controls the LEDs and modulates the data. The basic LED control commands used by our script,” wrote researchers.

Once installed, the xLed malware is designed to manipulate the LED controls. “The kernel space driver can directly access the appropriate GPIO pins in order to turn the LEDs on and off,” wrote the researchers.

“After receiving the recorded video, the attacker has to process the video in order to detect the location of each transmitting LED. The video is processed frame by frame to identify the LED status (on or off) of each frame. Finally, the binary data is decoded based on the encoding scheme.

Countermeasures to protect against such type attacks are obvious. One, restrict access of networking equipment and covering LEDs with “black tape.”

Researchers acknowledge the attack scenario is theoretical. Clearly, if an adversary had physical access to the target’s router or was able to install malware on it, then extracting data via blinking LED lights no longer seems necessary.

The researchers have made a name for themselves then it comes to offbeat hacking techniques for stealing data from air-gapped systems and IoT devices.

Earlier this year the researchers unveiled LED-it-Go, an attack that uses a computer’s HDD’s LED activity to steal data. Last fall they demonstrated SPEAKE(a)R, an attack that can turn headphones connected to a PC into a microphone. In 2014, the researchers described a malicious program they developed, AirHopper, that lifts data from air-gapped machines using FM radio. Researchers used the program to demonstrate how receivers built into many mobile devices can be used to decode a radio signal sent from a computer’s video card.

Suggested articles


  • Anonymous on

    openwrt's kmod-ledtrig-morse module can do the same using morse code. It was created ~10 years ago
  • Andrew Wolfe on

    Agreed "air-gapping" is not impenetrable. However, the physical security of air gapping is associated with multiple additional levels of physical security that will seriously obstruct setting up cameras and RF and thermal receivers and such.
    • Anonymous on

      Assuming, of course, the target's own security cam network hasn't also been compromised. Aim them things away, or tape the lights.
  • MD Butler on

    How much data at 10Mb, 100b, 1Gb can it buffer and transfer before exceeding available memory?
  • Andrew on

    You keep using that word. I do not think it means what you think it means. A network is not air-gapped if there is a wireless router on the network. *roll eyes* This is like for Level 3 or Google internal routers or something.
    • Az on

      "router or switch"
      • Tom Spring on

        Hi Az, according to the report they have been able to run their malware on either routers or switches. They list all specific models in the report. Thanks for asking.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.