CrAKeN Posted June 6, 2017

Specially-designed malware installed on a router or a switch can take control over the device's LEDs and use them to transmit data in a binary format to a nearby attacker, who can capture it using simple video recording equipment.

This attack scenario is the creation of a talented team of researchers from the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel, who previously researched other types of data exfiltration scenarios relying on hard drive LEDs, coil whine, headphones, and others.

Attackers need to install malware on routers, switches

The entire operation is centered around a piece of malware the researchers created and named xLED. This malware will intercept specific data passing through the router, break it down into its binary format, and use a router LED to signal the data to a nearby attacker, with the LED turned on standing for a binary one and the LED turned off representing a binary zero.

An attacker with a clear line of sight to the equipment can record the blinking operation. This "attacker" can be a security camera, a company insider, recording equipment mounted on a drone, and various other setups where a video recording device has a clear sight of the router or switch's blinking LEDs.

The more router LEDs, the higher the exfiltration speed

During their tests, researchers say they've tested various configurations for the video recording setup, such as optical sensors, security/CCTV cameras, extreme cameras, smartphone cameras, wearable/hidden cameras, and others.

The research team says it achieved the best results with optical sensors because they are capable of sampling LED signals at high rates, enabling data reception at a higher bandwidth than other typical video recording equipment. Researchers say that by using optical sensors, they were able to exfiltrate data at a rate of more than 1000 bit/sec per LED.

Since routers and switches have more than one LED, the exfiltration speed can be increased many times over if multiple LEDs are used for data exfiltration. Basically, the more ports the router or switch has, the more data the malware can steal from the device.

The upside and downside of xLED attacks

Below is a table comparing speeds for other non-standard data exfiltration techniques. Taking into account that multiple LEDs can be used, stealing data using the xLED method is by far the most efficient and speedier of all.

Just like most of the data exfiltration scenarios from the table above, most only exist at the theoretical level and have various downsides. The problem with xLED is that the malware needs to run on the router or switch we need to steal data from. For this, an attacker would need to find a security weakness in the device that would allow him to install the malware, either via a remote code execution flaw or a tainted firmware update.

The problem here is that once an attacker has gained access to a router or switch, there's no reason to play around with blinking LEDs, as there are many other more efficient methods of stealing a company's data, especially after you've hacked one of its routers.

Albeit somewhat impractical, this research is part of a larger effort from the same research team that has spent the past few years exploring various methods of stealing data from air-gapped systems. Previously, the Ben-Gurion team has come up with various wacky hacking techniques, such as:

- LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED
- SPEAKE(a)R - use headphones to record audio and spy on nearby users
- 9-1-1 DDoS - launch DDoS attacks that can cripple a US state's 911 emergency systems
- USBee - make a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data
- AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
- Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
- DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
- BitWhisper - exfiltrate data from non-networked computers using heat emanations
- Unnamed attack - uses flatbed scanners to relay commands to malware-infested PCs or to exfiltrate data from compromised systems

If you want to read more about the research team's work, the paper is entitled "xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs". Below is a video of an xLED attack in progress.
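The post above describes the channel only in outline: one LED state per bit (on = 1, off = 0), an optical sensor that samples faster than the bit clock, and throughput that scales with the number of LEDs. The following Python simulation is an added example, not the researchers' xLED code or anything from the paper. It models that description end to end and adds the defender-side view: a run-length check that a recorded LED trace can be screened with, since on-off keyed data makes every constant-state run a whole multiple of one bit period while a normal traffic LED does not. The frame layout (sync preamble, 16-bit length, XOR checksum), the sensor model with random flips, and the "activity LED" generator are all constructed assumptions for the example.

```python
"""Added simulation of an xLED-style optical channel and a defender-side
check on a recorded LED trace. Framing, sensor model and activity-LED model
are constructed for this example; they are not the paper's protocol."""
import random

PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]   # constructed sync word, not from the paper


def bytes_to_bits(data: bytes) -> list:
    """MSB-first bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits: list) -> bytes:
    """Inverse of bytes_to_bits; trailing partial byte is dropped."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def encode_ook(data: bytes) -> list:
    """One LED state per bit period: LED on = 1, LED off = 0 (the scheme in the
    post). Frame = preamble + 16-bit length + payload + 8-bit XOR checksum."""
    checksum = 0
    for b in data:
        checksum ^= b
    return (PREAMBLE + bytes_to_bits(len(data).to_bytes(2, "big"))
            + bytes_to_bits(data) + bytes_to_bits(bytes([checksum])))


def sample_sensor(states, samples_per_bit, flip_prob=0.0, lead_in=0, seed=0):
    """Constructed model of an optical sensor polling the LED faster than the
    bit clock: each bit period yields samples_per_bit readings, preceded by
    lead_in idle (off) readings; flip_prob inverts a reading to model noise."""
    rng = random.Random(seed)
    samples = [0] * lead_in
    for s in states:
        samples.extend([s] * samples_per_bit)
    return [x ^ 1 if rng.random() < flip_prob else x for x in samples]


def _majority_bits(samples, samples_per_bit, offset):
    """Majority-vote each bit period starting at a given sample-phase offset."""
    return [1 if 2 * sum(samples[i:i + samples_per_bit]) > samples_per_bit else 0
            for i in range(offset, len(samples) - samples_per_bit + 1, samples_per_bit)]


def decode_ook(samples, samples_per_bit):
    """Recover the payload from a sample trace: try each phase offset, locate
    the preamble, read the length, and accept the payload only if the checksum
    matches. Returns None when no valid frame is found."""
    n = len(PREAMBLE)
    for offset in range(samples_per_bit):
        bits = _majority_bits(samples, samples_per_bit, offset)
        for pos in range(len(bits) - n - 16 + 1):
            if bits[pos:pos + n] != PREAMBLE:
                continue
            start = pos + n + 16
            length = int.from_bytes(bits_to_bytes(bits[pos + n:start]), "big")
            frame = bits[start:start + 8 * length + 8]
            if len(frame) < 8 * length + 8:
                continue
            payload = bits_to_bytes(frame[:8 * length])
            xor = 0
            for b in payload:
                xor ^= b
            if bytes([xor]) == bits_to_bytes(frame[8 * length:]):
                return payload
    return None


def seconds_to_exfiltrate(n_bytes, bits_per_sec_per_led, n_leds):
    """The post's per-LED rate scaled by the number of LEDs used in parallel."""
    return n_bytes * 8 / (bits_per_sec_per_led * n_leds)


def run_lengths(samples):
    """Lengths of consecutive constant-state runs in a trace."""
    runs, cur = [], 1
    for prev, nxt in zip(samples, samples[1:]):
        if prev == nxt:
            cur += 1
        else:
            runs.append(cur)
            cur = 1
    return runs + [cur]


def clocked_signal_score(samples, min_period=2):
    """Defender-side check: OOK data makes every run a whole multiple of one
    bit period; ordinary link activity does not. Returns (fraction of runs
    that are multiples of the best-fitting period, that period)."""
    runs = run_lengths(samples)
    best_score, best_period = 0.0, 0
    for p in range(min_period, max(runs) + 1):
        score = sum(1 for r in runs if r % p == 0) / len(runs)
        if score >= best_score:          # ties go to the longer period
            best_score, best_period = score, p
    return best_score, best_period


def simulated_activity_led(n_runs, seed=0):
    """Constructed stand-in for an ordinary traffic LED: alternating on/off
    runs of random length, i.e. no fixed bit clock."""
    rng = random.Random(seed)
    samples, state = [], 0
    for _ in range(n_runs):
        samples.extend([state] * rng.randint(1, 40))
        state ^= 1
    return samples


if __name__ == "__main__":
    msg = b"router config"
    noisy = sample_sensor(encode_ook(msg), 15, flip_prob=0.02, lead_in=4, seed=7)
    print("decoded:", decode_ook(noisy, 15))
    print("clocked score, covert trace:", clocked_signal_score(sample_sensor(encode_ook(msg), 15)))
    print("clocked score, activity LED:", clocked_signal_score(simulated_activity_led(200, seed=3)))
    print("seconds for 1 MB over 8 LEDs at 1000 bit/s each:", seconds_to_exfiltrate(1_000_000, 1000, 8))
```

The score function is deliberately crude: it is meant to show why an LED trace with a clean bit clock stands out from normal blinking, not to be a tuned detector. Sensor noise breaks runs into short fragments, so in practice a trace would be smoothed before the run-length test; the decoder above copes with noise instead through oversampling plus majority voting and rejects any frame whose checksum fails.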
straycat19 Posted June 7, 2017

Amazing the things they can come up with in a lab that have no practical real-world use. Not only doesn't it have any real use, the chance of a hacker being able to do it to an organization of any size is infinitesimal. It is much easier to steal data by using a cable laid next to an active ethernet cable and just recording the data that is picked up from magnetic emanations. Though that only works with copper cables and not fiber optic cables. But again, the major problem is gaining access, though this doesn't require access to a networking closet and can be placed in a ceiling or anywhere you can gain access to the particular cable you want to leech data from. This stuff is always interesting to read about, but imagine how much better our equipment and operating systems would be if these people put their talents to work in creating more secure equipment and software.