Stealing Data via Blinking LEDs

Wednesday, June 7, 2017 @ 12:06 PM gHale

A simple blinking status LED on networking equipment such as a router or switch can end up hacked to steal data from air-gapped systems, researchers said.

Data can transfer from an air-gapped computer by modulating it using the blinking of a router’s LEDs, according to a paper released by the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel.

Light Sources can Hijack Scanner
Speeding Up Testing of Networking Protocols
Game Theory to Predict Voting Cyberattacks
Aging Faces Heighten Security Risks

“Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device (‘side-channel’), intentionally controlling the status LEDs to carry any type of data (‘covert-channel’) has never been studied before,’ said researchers Mordechai Guri, Boris Zadov, Andrey Daidakulov and Yuval Elovici in their paper. “A malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors.”

The attack can be carried out either by planting malicious firmware on the targeted router or remotely using a software exploit. The firmware attack may be more difficult to carry out as the router needs to be infected either via the supply chain or social engineering, but the software attack could be easier to conduct, the researchers said.

Once an attacker compromises a router or switch, he or she can take control of how the LEDs blink. Then, using various data modulation methods, each LED or a combination of LEDs can end up used to transmit data to a receiver, which can be a camera or a light sensor.

For example, a “0” bit is transmitted if an LED is off for a specified duration, and a “1” bit is sent if the LED is on for a specified duration. Logical “0” or “1” bits can also be modulated through changes in frequency. In the case of devices that have multiple LEDs, the attacker can use the blinking lights to represent a series of bits, which results in a higher transfer rate.

The method can end up used to exfiltrate data at a rate of up to 1,000 bits per second per LED, which is more than enough for stealing passwords and encryption keys, the researchers said. On a networking device with seven LEDs, researchers managed to obtain a transfer rate of 10,000 bits per second, or roughly 1 kilobyte per second.

However, the transfer rate also depends on the receiver. For example, if an entry-level DSLR camera is used to capture video of the blinking LEDs, the maximum bit rate that can be achieved at 60 frames per second is 15 bits per second for each LED. The attacker could also use a smartphone camera and obtain a transfer rate of up to 60 bits per second.

The most efficient camera is a GoPro Hero5, which can record at up to 240 frames per second, resulting in a maximum bit rate of up to 120 bits per second for each LED. On the other hand, the best transfer rate can be achieved using a light sensor as the receiver.

Leave a Reply

You must be logged in to post a comment.