Specially-designed malware installed on a router or a switch can take control over the device’s LEDs and use them to transmit data in a binary format to a nearby attacker, who can capture it using simple video recording equipment.

This attack scenario is the creation of a talented team of researchers from the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel, who previously researched other types of data exfiltration scenarios relying on hard drive LEDs, coil whine, headphones, and others.

Attackers need to install malware on routers, switches

The entire operation is centered around a piece of malware the researchers created and named xLED.

This malware will intercept specific data passing through the router, break it down into its binary format, and use a router LED to signal the data to a nearby attacker, with the LED turned on standing for a binary one and the LED turned off representing a binary zero.

An attacker with a clear line of sight to the equipment can record the blinking operation. This “attacker” can be a security camera, a company insider, recording equipment mounted on a drone, and various other setups where a video recording device has a clear sight of the router or switch’s blinking LEDs.

The more router LEDs, the higher the exfiltration speed

During their tests, researchers say they’ve tested various configurations for the video recording setup, such as optical sensors, security/CCTV cameras, extreme cameras, smartphone cameras, wearable/hidden cameras, and others.

The research team says it achieved the best results with optical sensors because they are capable of sampling LED signals at high rates, enabling data reception at a higher bandwidth than other typical video recording equipment.

Researchers say that by using optical sensors, they were able to exfiltrate data at a rate of more than 1000 bit/sec per LED. Since routers and switches have more than one LED, the exfiltration speed can be increased many times over if multiple LEDs are used for data exfiltration. Basically, the more ports the router and switch has, the more data the malware can steal from the device.

The upside and downside of xLED attacks

Below is a table comparing speeds for other non-standard data exfiltration techniques. Taking into account that multiple LEDs can be used, stealing data using the xLED method is by far the most efficient and speedier of all.

Just like most of the data exfiltration scenarios from the table above, most only exist at the theoretical level and have various downsides. The problem with xLED is that the malware needs to run on the router or switch we need to steal data from.

For this, an attacker would need to find a security weakness in the device that would allow him to install the malware, either via a remote code execution flaw or a tainted firmware update.

The problem here is that once an attacker has gained access to a router or switch, there’s no reason to play around with blinking LEDs, as there are many other more efficient methods of stealing a company’s data, especially after you've hacked one of its routers.

Albeit somewhat impractical, this research is part of a larger effort from the same research team that has spent the past few years exploring various methods of stealing data from air-gapped systems. Previously, the Ben-Gurion team has come up with various wacky hacking techniques, such as:



- use headphones to record audio and spy on nearby users

- launch DDoS attacks that can cripple a US state's 911 emergency systems

- make a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data

- use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data

- steal data from air-gapped PCs using sounds emanated by a computer's GPU fan

- use controlled read/write HDD operations to steal data via sound waves

- exfiltrate data from non-networked computers using heat emanations LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED SPEAKE(a)R - use headphones to record audio and spy on nearby users 9-1-1 DDoS - launch DDoS attacks that can cripple a US state's 911 emergency systems USBee - make a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan DiskFiltration - use controlled read/write HDD operations to steal data via sound waves BitWhisper - exfiltrate data from non-networked computers using heat emanations

- uses flatbed scanners to relay commands to malware infested PCs or to exfiltrate data from compromised systems Unnamed attack - uses flatbed scanners to relay commands to malware infested PCs or to exfiltrate data from compromised systems

If you want to read more about the research team’s work, the paper is entitled xLED: Covert Data Exfiltration from Air - Gapped Networks via Router LEDs. Below is a video of an xLED attack in progress.