Security researchers from Ben Gurion University in Israel have discovered a way to exfiltrate data via the blinking LEDs on a common network router.
In a research paper describing the work, Mordechai Guri and his team present malware called “xLED” that takes control of these lights by infecting the router's firmware. The LEDs are normally used to indicate network traffic activity and link status.
According to Dr Mordechai Guri, head of research and development at the BGU CSRC, who led this study, "Sensitive data can be encoded and sent via the LED light pulses in various ways. An attacker with access to a remote or local camera, or with a light sensor hidden in the room, can record the LED's activity and decode the signals."
"Unlike network traffic that is heavily monitored and controlled by firewalls, this covert channel is currently not monitored. As a result, it enables attackers to leak data while evading firewalls, air-gaps (computers not hooked up to the internet) and other data-leakage prevention methods," said Dr Guri.
The malware can program the LEDs to flash at very fast speeds – more than 1,000 flickers per second for each LED. Since a typical router or network switch has six or more status LEDs, driving them in parallel multiplies the transmission rate to as much as thousands of bits per second. As a result, a significant amount of highly sensitive information can be encoded and leaked over the fast LED signals, which can be received and recorded by a remote camera or light sensor.
While xLED can steal data, the scientists acknowledged that no known malware exists out in the wild to do such a thing.
The researchers have also posted a YouTube video showing how xLED can be used to steal data using the LEDs of a typical TP-LINK router.
Over the past two years, the scientists have successfully demonstrated how malware can siphon data from computer speakers, headphone jacks, hard drives, and computer fans, as well as 3D printers, smartphones, LED bulbs, and other IoT devices.
The research paper said that among the countermeasures that could be used to stop such malware from stealing data would be policies aimed at restricting access to network equipment by placing it in classified rooms that only authorised staff may enter.
“Typically, all types of cameras are banned from such secured rooms,” the research paper said.
Technological countermeasures may include the detection of the presence of malware that triggers the router status LED. Researchers added that detecting an already compromised firmware installed within an embedded device such as a switch or router is “still a challenging task”.