Malware-infected router leaks sensitive data through LEDs, experiment shows

Researchers from the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel tested a new data exfiltration scenario based on router LEDs, as part of their long history of research into hacking techniques on air-gapped systems.

Strictly for experimental purposes, they created a new type of malicious code named xLED that, once installed on network equipment such as a router or LAN switch, uses the device's status LEDs to encode data and send it in binary form to a hacker.

The researchers tested attacks at the firmware and software levels. For the first attack, they installed malware directly in the firmware, whereas, at the software level, the LEDs were controlled from an infected computer inside the network.

“Our experiment shows that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 10 bit/sec to more than 1Kbit/sec per LED,” reads the paper.

The hacker then uses remote video recording devices like optical sensors, CCTV or smartphone cameras to collect the information. Because optical sensors can be used at faster rates than average cameras, they delivered the best results, extracting data at 1000 bit/sec per LED.
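Why the recorder matters as much as the LED: an added simulation (not code from the xLED paper) of a single LED driven by on/off keying and captured by a recorder with a limited frame rate. The 30 frame/s camera rate, the bit periods and the payload are assumptions; the point is that a receiver that cannot sample at least once per bit slot loses the data, which is why a fast optical sensor recovers far more per LED than an ordinary camera.

```python
# Added example: on/off-keyed LED channel sampled by a frame-rate-limited
# recorder. Not code from the xLED paper; rates and payload are assumptions.
from typing import List

def bits_from_bytes(data: bytes) -> List[int]:
    """MSB-first bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def bytes_from_bits(bits: List[int]) -> bytes:
    """Pack whole groups of 8 bits back into bytes (trailing bits dropped)."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)

def led_state_at(bits: List[int], bit_rate: float, t: float) -> int:
    """LED state (1 = on, 0 = off) at time t: each bit holds the LED for
    1/bit_rate seconds. The LED is off before and after the transmission."""
    idx = int(t * bit_rate)
    return bits[idx] if 0 <= idx < len(bits) else 0

def record(bits: List[int], bit_rate: float, sample_rate: float) -> List[int]:
    """Frames captured by a recorder that samples the LED sample_rate times/s."""
    duration = len(bits) / bit_rate
    n_frames = int(duration * sample_rate)
    return [led_state_at(bits, bit_rate, k / sample_rate) for k in range(n_frames)]

def decode(frames: List[int], bit_rate: float, sample_rate: float,
           n_bits: int) -> List[int]:
    """Receiver that knows the bit rate and reads the frame nearest the centre
    of each bit slot. With fewer than one frame per slot, bits are missed."""
    bits = []
    for i in range(n_bits):
        centre = (i + 0.5) / bit_rate
        k = int(centre * sample_rate)
        bits.append(frames[k] if k < len(frames) else 0)
    return bits

def exfil_roundtrip(payload: bytes, bit_rate: float, sample_rate: float) -> bytes:
    """Transmit payload over the LED at bit_rate, record at sample_rate, decode."""
    bits = bits_from_bytes(payload)
    frames = record(bits, bit_rate, sample_rate)
    return bytes_from_bits(decode(frames, bit_rate, sample_rate, len(bits)))

if __name__ == "__main__":
    # A 30 frame/s camera (assumed) keeps up with 10 bit/s but not 100 bit/s.
    print(exfil_roundtrip(b"key", 10, 30))    # recovered intact
    print(exfil_roundtrip(b"key", 100, 30))   # garbled: aliasing loses bits
```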

The data that cybercriminals could leak from a compromised air-gapped network in this way includes encryption keys, passwords and files.

However, this scenario is unlikely to be effective in practice and will probably remain theoretical, since more accessible hacking methods are available. It is difficult to infect a device that is not connected to the internet. Also, for data to be exfiltrated, the malware must be installed directly on the device that holds the information, via a remote code execution vulnerability or a corrupted update.

More details about the xLED attack are available in the video and the research paper.


  • By gary - Reply

    So, wait, let me get this straight, they (the hackers) gain access and are able to get access to where they can place a camera in the room to monitor the blinking lights on a router, and the worst you're afraid of is the hackers stealing the data via binary? Something smells. IF they have that much access… Seems monitoring an LED light on a router would be the least of the worries.

    • By Dub - Reply

      I was this king maybe they only had access for a small amount of time. Maybe a break in before the cops arrive. If they already have an idea of the systems they are going for they just drop the camera and dump the software. Then have access not only to current data in the system but also new data entered as well. Useful for more long-term monitoring of the system rather than just grab data and leave. This considering the malicious code and camera are not detected by IT or security.

      • By Dub - Reply

        This king should have been thinking. Fat fingers and autocorrect don’t always work well together.

    • By Ann - Reply

      I was a supervisor in a backup tape storage library at IBM. I saw all sorts of devices HOLDING data. The employees were minimum-wage, temp workers. The thing is that the devices that can read the data are designed to display that data to clients overseas or remotely. However, if some random temp worker could be hired to place a camera somewhere on the floor at the facility in the US, and the malware was dropped into the code on or near the client end, say in Germany or Brazil, it would end up in the backup system and then could cause the reader itself to malfunction in this silent way.

    • By Mark - Reply

      Lol. I thought the same thing. This is what happens when academics try to do something. They rarely have real world applications

    • By mike - Reply

      think of a router/switch at a CoLo

    • By Jesse - Reply

      no gary. they would tap into the security camera feed and do it from there. Most server rooms have video surveillance.

  • By J B - Reply

    A data center security camera that just happens to be pointing at the lights on the equipment rather than monitoring walkways and workstations? The whole thing seems highly improbable, and if someone was able to gain access and actually set up an optical sensor to read the hacked output they could just as easily walk in off the street and directly plug in a long ass cable that's running back to their hacker’s lair lol
