Blinking Router LEDs Leak Data From Air-Gapped Networks

Researchers say sensitive data can be extracted from air-gapped networks via a wireless router’s blinking LEDs.

Researchers have uncovered a new data extraction hole inside air-gapped networks that takes advantage of the blinking LED lights on top of routers to steal data.

In a report published last week, researchers at Ben-Gurion University in Israel demonstrated how a router or switch running malware called xLed could use the flashing LED lights as a way to extract binary data carried over the hardware. Using a router with eight LED lights, researchers said, they were able to extract 8000 bits per second of data.

“We show that the bandwidth can be increased further when multiple LEDs are used. This rate allows the exfiltration of files, keylogging data, and encryption keys relatively quickly,” wrote researchers Mordechai Guri, Boris Zadov, Andrey Daidakulov and Yuval Elovici, coauthors of the report (PDF) and researchers at Ben-Gurion University.

Unlike network traffic that is heavily monitored, they wrote, binary extraction of data via a router’s blinking lights is capable of stealthily sidestepping firewalls and other air-gap security measures.

Prerequisites for an attack include the xLed malware installed on the router and a clear line of sight to the router with a video camera. Next, the malware (xLed) is able to identify and intercept specific data passing through the router and break it down into a binary format. The binary code is represented by LED “on cycles” as 1’s and LED “off cycles” as 0’s, said researchers.

Now, “An attacker with a remote camera or optical sensor with a line of sight with the transmitting equipment can receive the data and decode it back to a binary information,” researchers wrote. Types of cameras used to collect LED data ranged from entry-level Nikon D7100, GoPro Hero5 to an average webcam capturing 30 frames-per-second.

“We used a router with a standard DD-WRT firmware that has a telnet server. After connecting to the router from a computer in the network, we execute a script which controls the LEDs and modulates the data. The basic LED control commands used by our script,” wrote researchers.

Once installed, the xLed malware is designed to manipulate the LED controls. “The kernel space driver can directly access the appropriate GPIO pins in order to turn the LEDs on and off,” wrote the researchers.

“After receiving the recorded video, the attacker has to process the video in order to detect the location of each transmitting LED. The video is processed frame by frame to identify the LED status (on or off) of each frame. Finally, the binary data is decoded based on the encoding scheme.

Countermeasures to protect against such type attacks are obvious. One, restrict access of networking equipment and covering LEDs with “black tape.”

Researchers acknowledge the attack scenario is theoretical. Clearly, if an adversary had physical access to the target’s router or was able to install malware on it, then extracting data via blinking LED lights no longer seems necessary.

The researchers have made a name for themselves then it comes to offbeat hacking techniques for stealing data from air-gapped systems and IoT devices.

Earlier this year the researchers unveiled LED-it-Go, an attack¬†that uses a computer’s HDD’s LED activity to steal data. Last fall they demonstrated SPEAKE(a)R, an attack that can turn headphones connected to a PC into a microphone. In 2014, the researchers described a malicious program they developed,¬†AirHopper, that lifts data from air-gapped machines using FM radio. Researchers used the program to demonstrate how receivers built into many mobile devices can be used to decode a radio signal sent from a computer’s video card.

Suggested articles