
You're not safe offline: Router LED lights can steal your data


A system which is air-gapped is generally considered safe from intrusion as there are few network tunnels or avenues for hackers to exploit. After all, if you can’t connect, you can’t steal or tamper with air-gapped devices.

However, this idea has once again been smashed by researchers from Israel’s Ben Gurion University, who have demonstrated a method to steal information using the LED lights found on routers and switches used in isolated, secure networks.

A paper explaining the findings, titled “xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs” (.PDF), was authored by Ben Gurion researchers Mordechai Guri, Boris Zadov, Andrey Daidakulov, and Yuval Elovici, who explained how a device running malware called xLED could be used as a pathway to air-gapped systems.

As noted by ThreatPost, the malware uses the flashing LEDs to exfiltrate binary data, including encryption keys, passwords, and files, from the hardware itself.

In this attack, the firmware of a router or switch first has to be infected with the custom xLED malware. The researchers say the infection can take place through supply chain attacks, social engineering, or the use of hardware that already ships with pre-installed malware.

The malicious code is able to control the device's LEDs and encode data over them. Once the malware has identified specific information passing through the device, it is broken down into binary 1s and 0s, which are then converted into LED flashes.

Data can be leaked at a rate of 10 bit/sec to 1000 bit/sec per LED, depending on the hardware infected by the malware. If a router with eight LED lights has been compromised, for example, information can be transmitted at 8000 bits per second.

Because the data leaves through the LEDs as it passes through the router, rather than through network traffic, firewalls and other security measures, including the physical separation of air-gapped devices, are circumvented.