Malware-infected router leaks sensitive data through LEDs, experiment shows
Researchers from the Cyber Security Research Center at Ben-Gurion University of the Negev in Israel have tested a new data exfiltration scenario based on router LEDs, continuing their long line of research into covert channels out of air-gapped systems.
Strictly for experimental purposes, they wrote a proof-of-concept malware named xLED that, once installed on network equipment such as a router or LAN switch, encodes data as blink patterns on the device's status LEDs and transmits it, bit by bit, to an attacker watching the lights.
The researchers tested the attack at two levels, firmware and software. In the first, the malware was installed directly in the device's firmware; in the second, the LEDs were driven from an infected computer inside the network.
“Our experiment shows that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 10 bit/sec to more than 1Kbit/sec per LED,” reads the paper.
The attacker then records the blinking from a distance with a camera (CCTV, a smartphone) or a dedicated optical sensor with line of sight to the device. Because an optical sensor samples far faster than an ordinary camera, it delivered the best results, recovering data at 1,000 bit/sec per LED; cameras with their lower frame rates are limited to the slower end of the range.
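To make concrete what "sending data in binary form" through a status LED involves, and why the sensor's sampling rate caps the usable bit rate, here is an added simulation of the optical channel. It is not code from the article or from the xLED researchers. A sender frames a payload behind a preamble and a length byte and drives the LED with plain on/off keying at a fixed bit rate; a receiver samples brightness at its own rate, finds the first lit sample and reads each bit at its centre. The preamble, framing, brightness levels and the rule that the receiver needs more than two samples per bit are assumptions chosen for illustration; the paper's actual modulation and framing are not described on this page, and nothing here touches device firmware.

```python
"""Constructed simulation of an LED on/off-keying covert channel.

Added example, not code from the article or the xLED researchers. It
models only the optical link: a sender turns a payload into LED states
at a fixed bit rate, and a receiver samples brightness at its own rate
and recovers the bits. Preamble, framing, brightness levels and sample
rates are assumptions chosen for illustration.
"""

PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]   # assumed frame marker (0xAB)
HIGH, LOW, THRESHOLD = 0.9, 0.1, 0.5  # assumed LED on/off brightness and decision level


def bytes_to_bits(data: bytes) -> list[int]:
    """MSB-first bit list for a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits: list[int]) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        v = 0
        for bit in bits[i:i + 8]:
            v = (v << 1) | bit
        out.append(v)
    return bytes(out)


def frame(payload: bytes) -> list[int]:
    """Preamble, one length byte, then the payload bits (assumed framing)."""
    if not 0 < len(payload) < 256:
        raise ValueError("payload must be 1..255 bytes for a one-byte length field")
    return PREAMBLE + bytes_to_bits(bytes([len(payload)])) + bytes_to_bits(payload)


def led_waveform(bits, bit_rate, sample_rate, guard_s=0.05):
    """Brightness a sensor sampling at sample_rate Hz sees while the LED
    shows `bits` at bit_rate bit/s, with the LED off for guard_s before and after.
    Each sample takes whatever bit is lit at that instant, so a slow sensor
    aliases a fast stream just as a low-frame-rate camera would."""
    n = len(bits)
    total = round((n / bit_rate + 2 * guard_s) * sample_rate)
    samples = []
    for i in range(total):
        t = i / sample_rate - guard_s
        if 0 <= t < n / bit_rate:
            samples.append(HIGH if bits[min(int(t * bit_rate), n - 1)] else LOW)
        else:
            samples.append(LOW)
    return samples


def demodulate(samples, bit_rate, sample_rate):
    """Threshold the samples and read one value per bit period, starting at
    the first lit sample. Returns None when the sensor has two or fewer
    samples per bit: then no sample is guaranteed to land inside every bit."""
    if sample_rate <= 2 * bit_rate:
        return None
    start = next((i for i, v in enumerate(samples) if v > THRESHOLD), None)
    if start is None:
        return None
    spb = sample_rate / bit_rate  # samples per bit, need not be an integer
    bits, k = [], 0
    while True:
        idx = int(start + (k + 0.5) * spb)  # sample at the centre of bit k
        if idx >= len(samples):
            return bits
        bits.append(1 if samples[idx] > THRESHOLD else 0)
        k += 1


def decode_frame(bits):
    """Locate the preamble, read the length byte, return the payload or None."""
    if bits is None:
        return None
    p = len(PREAMBLE)
    for i in range(len(bits) - p - 8 + 1):
        if bits[i:i + p] == PREAMBLE:
            length = bits_to_bytes(bits[i + p:i + p + 8])[0]
            body = bits[i + p + 8:i + p + 8 + 8 * length]
            return bits_to_bytes(body) if len(body) == 8 * length else None
    return None


def exfiltrate(payload, bit_rate, sample_rate):
    """Run the whole channel: frame, blink, sample, demodulate, decode."""
    seen = led_waveform(frame(payload), bit_rate, sample_rate)
    return decode_frame(demodulate(seen, bit_rate, sample_rate))


if __name__ == "__main__":
    secret = b"key=s3cr3t"                   # constructed payload
    print(exfiltrate(secret, 1000, 10_000))  # 10 kHz optical sensor: b'key=s3cr3t'
    print(exfiltrate(secret, 10, 30))        # 30 fps camera at 10 bit/s: b'key=s3cr3t'
    print(exfiltrate(secret, 1000, 30))      # 30 fps camera at 1000 bit/s: None
```

The three calls at the bottom reproduce the article's point about sensors versus cameras: a sensor sampling at 10 kHz recovers a 1,000 bit/s stream, a 30 fps camera recovers the same payload at 10 bit/s, and the same camera pointed at a 1,000 bit/s LED gets nothing back because each frame sees an arbitrary one of the roughly 33 bits shown between frames. The same regularity that makes the channel decodable is also what a defender can look for: a status LED clocked in a fixed-rate pattern unrelated to link activity.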
The data that could be leaked this way from a compromised air-gapped network includes encryption keys, passwords and files.
However, the scenario is unlikely to be practical and will probably stay at the proof-of-concept level, since more accessible attack methods are already available. Infecting a device that is not connected to the internet is hard in the first place. And for the data to be exfiltrated at all, the malware has to be installed on the device that holds or carries the information, by way of a remote code execution vulnerability or a tampered firmware update.
More details about the xLED attack are in the video and the researchers' paper.