Exfiltrating data from Air-Gapped Networks via Router LEDs

Pierluigi Paganini June 07, 2017

A team of Israeli researchers has devised a new technique to exfiltrate data from a machine by using a malware that controls router LEDs.

A few months ago a group of researchers from Israeli Ben-Gurion University devised a new technique to exfiltrate data from a machine by using a malware that controls hard drive LEDs, now researchers applied the technique to routers.

The attack is very insidious because hacking a router it is possible to gain control over the entire network, for this reason, the researchers focused their efforts in stealing admin credentials of the device.

The team of experts led by the expert Mordechai Guri developed a specific firmware dubbed xLED that allowed them to control the LED while the router is working.

Alternatively, the group demonstrated how to force the router executing a malicious script to control the LED.

“In this paper, we show how attackers can covertly leak data (e.g., encryption keys, passwords and files) from highly secure or air-gapped networks via the row of status LEDs that exists in networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device (‘side-channel’), intentionally controlling the status LEDs to carry any type of data (‘covert-channel’) has never studied before.” reads the paper published by the experts. “A malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors.”

The experts demonstrated that using a normal camera (managing LED blinks at 120 bits/second) it is possible to exfiltrate data at a rate that is limited to less than 1 Kbps, but using a GoPro Hero5 it is possible to increase the efficiency of the technique managing LED blinks at 960 bits/second.

If the attacker has physical access to the target’s facility, they can use an optical sensor (Guri’s group used a Thorlabs PDA100A) that can reach more than 1 Kbps and as high as 3.5 Kbps.

Exfiltrating data router leds

Below a portion of code used for the modulation of the signal sent through the status LEDs that can be captured by the attackers with a remote camera of an optical sensor:

Algorithm 1 ModulateOOK
1: procedure ModulateOOK(nLED, data, T)
2: openLED(nLED); //opens the LED file for writing
3: while(data[i] !=0)
4: if(data[i] == ‘0’) //modulate 0 by turning the LED off
5: setLEDOff(nLED);
6: if(data[i] == ‘1’) //modulate 1 by turning the LED on
7: setLEDOn(nLED);
8: i++;
9: sleep(T); // sleep for time period of T
10: closeLED(nLED); // closes the LED file descriptor

below the shellscript released by the experts:

// Method #1
// turn the LED on
1: echo 0 > /sys/class/leds/led_name/brightness
// turn the LED off
2: echo 255 > /sys/class/leds/led_name/brightness
// Method #2
3: echo 1 > /proc/gpio/X_out // turn the LED on
4: echo 0 > /proc/gpio/X_out // turn LED off

The researchers also shared a proof-of-concept video of the attack:

To prevent this kind of attack the best option for the user it to put a tape over the LEDs, and to check the firmware running his/her router.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – router leds, data exfiltration)

[adrotate banner=”13″]

you might also like

leave a comment