Researchers from Ben-Gurion University of the Negev have developed a way for hackers to extract data from a victim’s computer using the LED lights on their router.
They can do so using malware named xLED, as reported by JPost.
How does it work?
The Cyber Security Research Center at Ben-Gurion University of the Negev, located in Israel, has come up with a way to hack into a user’s computer and steal vital data by encoding it in the LED lights displayed on a router.
Essentially, the operation requires specially crafted malware named xLED, which must be installed on the router in order to hack a victim.
That is, the router needs to have a security flaw that allows the hacker to install the malware in the first place.
It is also possible if flawed firmware has been installed on the router, making it easier for the attacker to break into the device.
Once the malware is installed, the data can be exfiltrated in binary form, represented by the blinking of the lights: when a light is off it represents a zero, and when it is on it represents a one.
A video recording device can be used to capture the blinking pattern and so steal vital information that is being transmitted through the router.
The device can be anything from a recording drone to a CCTV camera.
As long as the camera captures the blinking lights, the data being transmitted can be easily stolen.
The range of exfiltration can be considerably high
The researchers indicated that the rate of data exfiltration depends on the number of LEDs on a router: the more LEDs a router has, the more data can be exfiltrated at any one time.
Furthermore, the researchers tested various video-recording setups to see which was the most efficient and found that the method using optical sensors was the best.
This is because it received data at a higher rate and was able to sample the LED lights more quickly than any other method.
A data exfiltration rate of 1000 bit/sec per LED was achieved using optical sensors.
The inherent flaw in the technique
Although the researchers indicated that the method is the most effective way to steal a large amount of data, they also stated that, since it involves installing malware on a router, a number of other techniques can be used to extract data anyway.
This is because once the malware is on the router, there are other ways in which attackers can directly intercept the data being transmitted without the need for any video recording devices.
The more router LEDs, the higher the exfiltration speed
During their tests, researchers say they’ve tested various configurations for the video recording setup, such as optical sensors, security/CCTV cameras, extreme cameras, smartphone cameras, wearable/hidden cameras, and others.
The research team says it achieved the best results with optical sensors because they are capable of sampling LED signals at high rates, enabling data reception at a higher bandwidth than other typical video recording equipment.
Researchers say that by using optical sensors, they were able to exfiltrate data at a rate of more than 1000 bit/sec per LED. Since routers and switches have more than one LED, the exfiltration speed can be increased many times over if multiple LEDs are used for data exfiltration. Basically, the more ports the router or switch has, the more data the malware can steal from the device.
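The two passages above on exfiltration rate (the receiver's sampling rate and the number of LEDs) can be checked with a small simulation. This is an added example, not code from the researchers or from xLED; it touches no hardware. The 1000 symbols/sec figure comes from the article, while the 30 fps camera, the perfectly aligned receiver clock and the sample payload are assumptions made for the illustration.

```python
# Added illustration (simulation only; nothing here touches real hardware).
# Assumptions: LED on = 1, off = 0, one bit per LED per symbol period, and a
# receiver whose clock is perfectly aligned with the sender's.

def to_bits(data: bytes) -> list:
    """Expand bytes into bits, most-significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]

def to_frames(bits: list, n_leds: int) -> list:
    """One frame = the on/off state of every LED during one symbol period."""
    padded = bits + [0] * (-len(bits) % n_leds)
    return [padded[i:i + n_leds] for i in range(0, len(padded), n_leds)]

def capture(frames: list, symbol_rate: int, sample_rate: int) -> dict:
    """Frames a receiver sampling at sample_rate Hz actually sees, keyed by index."""
    n_samples = len(frames) * sample_rate // symbol_rate
    seen = {}
    for k in range(n_samples):
        idx = k * symbol_rate // sample_rate  # frame on display at time k / sample_rate
        seen[idx] = frames[idx]
    return seen

def recovered_bits(data: bytes, n_leds: int, symbol_rate: int, sample_rate: int):
    """Return (bits recovered, bits sent, payload or None if any frame was missed)."""
    bits = to_bits(data)
    frames = to_frames(bits, n_leds)
    seen = capture(frames, symbol_rate, sample_rate)
    got = min(len(seen) * n_leds, len(bits))
    if len(seen) < len(frames):
        return got, len(bits), None
    flat = [b for i in range(len(frames)) for b in seen[i]][:len(bits)]
    payload = bytes(int("".join(map(str, flat[i:i + 8])), 2)
                    for i in range(0, len(flat), 8))
    return got, len(bits), payload

SAMPLE = bytes(range(125))  # constructed 1000-bit payload

if __name__ == "__main__":
    # Receiver labels and the 30 fps figure are assumed values for the demo.
    for label, leds, rate in [("1 LED, 1000 Hz sensor", 1, 1000),
                              ("8 LEDs, 1000 Hz sensor", 8, 1000),
                              ("1 LED, 30 fps camera", 1, 30)]:
        got, sent, _ = recovered_bits(SAMPLE, leds, 1000, rate)
        print(f"{label}: {got}/{sent} bits recovered")
```

With eight LEDs the same payload fits in 125 symbol periods instead of 1000, which is the per-LED scaling the researchers describe; the slow camera sees only a small fraction of the frames, which is why sampling rate decided which receiver performed best.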
The upside and downside of xLED attacks
Below is a table comparing speeds for other non-standard data exfiltration techniques. Taking into account that multiple LEDs can be used, stealing data using the xLED method is by far the most efficient and the fastest of all.
Most of the data exfiltration scenarios from the table above exist only at the theoretical level and have various downsides.
The problem with xLED is that the malware needs to run on the router or switch we need to steal data from.
For this, an attacker would need to find a security weakness in the device that would allow him to install the malware, either via a remote code execution flaw or a tainted firmware update.
The problem here is that once an attacker has gained access to a router or switch, there’s no reason to play around with blinking LEDs, as there are many other more efficient methods of stealing a company’s data, especially after you’ve hacked one of its routers.
Albeit somewhat impractical, this research is part of a larger effort from the same research team that has spent the past few years exploring various methods of stealing data from air-gapped systems. Previously, the Ben-Gurion team has come up with various wacky hacking techniques, such as:
SPEAKE(a)R – use headphones to record audio and spy on nearby users
9-1-1 DDoS – launch DDoS attacks that can cripple a US state’s 911 emergency systems
USBee – make a USB connector’s data bus give out electromagnetic emissions that can be used to exfiltrate data
AirHopper – use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
Fansmitter – steal data from air-gapped PCs using sounds emanated by a computer’s GPU fan
DiskFiltration – use controlled read/write HDD operations to steal data via sound waves
BitWhisper – exfiltrate data from non-networked computers using heat emanations
Unnamed attack – uses flatbed scanners to relay commands to malware-infested PCs or to exfiltrate data from compromised systems
If you want to read more about the research team’s work, the paper is entitled xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs.