Researchers have demonstrated a new covert channel for exfiltrating data from air-gapped networks, one that uses the blinking LED status lights on routers to carry stolen data.
In a report published last week, researchers at Ben-Gurion University in Israel demonstrated how a router or switch running malware called xLed could use its flashing LEDs to leak binary data passing through the device. Using a router with eight LEDs, the researchers said, they were able to exfiltrate 8000 bits per second.
“We show that the bandwidth can be increased further when multiple LEDs are used. This rate allows the exfiltration of files, keylogging data, and encryption keys relatively quickly,” wrote researchers Mordechai Guri, Boris Zadov, Andrey Daidakulov and Yuval Elovici, coauthors of the report (PDF) and researchers at Ben-Gurion University.
Unlike network traffic, which is heavily monitored, they wrote, exfiltrating data through a router’s blinking lights stealthily sidesteps firewalls and other air-gap security measures, since the data leaves over an optical channel rather than the network.
An attack requires two things: the xLed malware installed on the router, and a video camera with a clear line of sight to the router. The malware identifies and intercepts specific data passing through the router and encodes it as a stream of bits, which the LEDs then signal: an LED “on cycle” represents a 1 and an LED “off cycle” a 0, the researchers said.
“An attacker with a remote camera or optical sensor with a line of sight to the transmitting equipment can receive the data and decode it back into binary information,” the researchers wrote. The cameras used to capture the LED signals ranged from an entry-level Nikon D7100 and a GoPro Hero5 to an ordinary webcam capturing 30 frames per second.
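To make the on/off-keying channel and the camera-side constraint concrete, the following Python model is an added illustration for this article; it is not the researchers’ xLed code, and every value in it (the sample payload, the symbol rates, the “normal” blinking pattern) is constructed. It models one LED holding each bit for a fixed symbol period, a camera that records the LED state once per frame, and a receiver that reads the frame covering the centre of each symbol. Running it shows why the camera’s frame rate bounds the recoverable bit rate (a 30 fps webcam cannot resolve a 1000-symbol-per-second LED), and it includes a heuristic a defender with a camera on the rack could use: data-modulated blinking produces on/off run lengths that are multiples of one base period, whereas ordinary activity blinking does not.

```python
"""Channel model of LED on/off keying (1 = LED on for one symbol period,
0 = LED off) with a camera sampling at a fixed frame rate, plus a run-length
regularity heuristic for spotting modulated blinking.  Constructed example;
integer arithmetic keeps the sampling instants exact."""


def bits_from_bytes(data: bytes) -> list[int]:
    """MSB-first bit list of the payload."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bytes_from_bits(bits: list[int]) -> bytes:
    """Inverse of bits_from_bytes; trailing partial bytes are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def camera_frames(bits: list[int], symbol_rate: int, fps: int) -> list[int]:
    """Frame k is exposed at time k/fps and records the LED state then.
    The LED shows bit i during [i/symbol_rate, (i+1)/symbol_rate)."""
    frames = []
    k = 0
    while k * symbol_rate < len(bits) * fps:      # k/fps < len(bits)/symbol_rate
        frames.append(bits[(k * symbol_rate) // fps])
        k += 1
    return frames


def decode_frames(frames: list[int], fps: int, symbol_rate: int, n_bits: int) -> list[int]:
    """Receiver that knows the symbol clock: read the frame covering each symbol's centre."""
    decoded = []
    for i in range(n_bits):
        k = ((2 * i + 1) * fps) // (2 * symbol_rate)    # floor((i + 0.5)/symbol_rate * fps)
        decoded.append(frames[min(k, len(frames) - 1)])
    return decoded


def bit_errors(sent: list[int], received: list[int]) -> int:
    return sum(a != b for a, b in zip(sent, received))


def run_lengths(frames: list[int]) -> list[int]:
    """Lengths (in frames) of consecutive identical LED states."""
    runs, current = [], 1
    for prev, cur in zip(frames, frames[1:]):
        if cur == prev:
            current += 1
        else:
            runs.append(current)
            current = 1
    runs.append(current)
    return runs


def modulation_score(frames: list[int], min_runs: int = 8) -> float:
    """Heuristic in [0, 1]: largest fraction of run lengths that are multiples of
    a single base period >= 2 frames.  Clocked on/off keying scores 1.0; irregular
    activity blinking scores much lower.  Too few runs to judge returns 0.0."""
    runs = run_lengths(frames)
    if len(runs) < min_runs:
        return 0.0
    best = 0.0
    for base in range(2, max(runs) + 1):
        best = max(best, sum(r % base == 0 for r in runs) / len(runs))
    return best


def frames_from_runs(runs: list[int], first: int = 1) -> list[int]:
    """Build a frame sequence from alternating run lengths (used for the 'normal' pattern)."""
    frames, state = [], first
    for r in runs:
        frames.extend([state] * r)
        state ^= 1
    return frames


def simulate(data: bytes, symbol_rate: int, fps: int) -> dict:
    """Send `data` over one LED at `symbol_rate` symbols/s, film it at `fps`, decode."""
    sent = bits_from_bytes(data)
    frames = camera_frames(sent, symbol_rate, fps)
    received = decode_frames(frames, fps, symbol_rate, len(sent))
    return {"frames": len(frames), "bit_errors": bit_errors(sent, received),
            "recovered": bytes_from_bits(received), "score": modulation_score(frames)}


if __name__ == "__main__":
    payload = b"constructed secret"          # constructed sample payload
    print("10 sym/s filmed at 30 fps :", simulate(payload, 10, 30))
    print("1000 sym/s filmed at 30 fps:", simulate(payload, 1000, 30))
    normal = frames_from_runs([5, 2, 9, 1, 4, 7, 3, 11, 2, 6, 1, 8, 5, 3])
    print("activity-style blinking score:", round(modulation_score(normal), 3))
```

At 10 symbols per second a 30 fps camera sees three frames per symbol and recovers the payload exactly, and every on/off run is a multiple of three frames, so the regularity score is 1.0; at 1000 symbols per second the same camera captures only a handful of frames for the whole message and the decode is garbage, which is why the multi-kilobit rates quoted above need a far faster optical sensor than a webcam. The irregular run lengths of the constructed activity pattern score well under 0.5, so a threshold near 0.9 separates the two in this model; it is a heuristic, not a tested detector.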
“We used a router with a standard DD-WRT firmware that has a telnet server. After connecting to the router from a computer in the network, we execute a script which controls the LEDs and modulates the data. The basic LED control commands used by our script,” wrote researchers.
Once installed, xLed manipulates the router’s LED controls directly. “The kernel space driver can directly access the appropriate GPIO pins in order to turn the LEDs on and off,” the researchers wrote.