Malware Steal Data from Secure Networks Using Router LEDs

Specially-designed malware that are installed on a switch or a router can gain control over LEDs of device; and then can use them for transferring of data in binary format to the nearby attacker, who may capture it with the help of simple equipment for video recording.

The scenario of this attack is creation of brilliant researcher's team of the Cyber Security Research Center in Ben-Gurion University of Negev, Israel, who researched before about other kinds of data exfiltration scenarios depending on headphones, hard drive LEDs, coil whine, and others.

Researchers of Ben-Gurion University, Negev, Israel, revealed how the functionality of light-emitting diodes could be overridden silently by their developed malware infecting firmware in device.

Once xLED malware infected the network device, then it gains complete control of LEDs flashing to show status. Indianexpress.com posted on June 6th, 2017, stating that network devices like routers and LAN switches normally include activity as well as status LEDs used for monitoring the traffic activity, alerts and deliver status.

An attacker having access to local or a remote camera, or having a light sensor concealed in a room, can record activity of LED and then decode those signals. This covert channel is presently not monitored unlike the network traffic, which is heavily controlled and monitored by Firewalls.

Here the problem is once the attacker gained access of a switch or router, then there are several more effective ways of stealing data of a company, especially after you have hacked one of their routers.

The speed of exfiltration could be increased numerous times, in case multiple LEDs were used for the data exfiltration because switches and routers contain over one LED. xLED malware is capable of programming LEDs to flash in very high speed - over 1,000 flashes in one second for every LED. The rate of transmission could be multiplied considerably to almost thousands of bits per second because a normal router or the network switch included 6 or more status LEDs. Consequently, a considerable amount of highly critical information could be encoded as well leaked over fast LED signals that could be received as well as recorded by light sensor or remote camera.

» SPAMfighter News - 6/12/2017