Slashdot Mirror
Malware Uses Router LEDs To Steal Data From Secure Networks (bleepingcomputer.com)
An anonymous reader writes: Researchers from the Ben-Gurion University of the Negev in Israel have developed malware that when installed on a router or a switch can take control over the device's LEDs and use them to transmit data in a binary format to a nearby attacker, who can capture it using simple video recording equipment. The attack is similar to the LED-it-GO attack developed by the same team, which uses a hard drive's blinking LED to steal data from air-gapped computers. Because routers and switches have many more LEDs than a hard drive, this attack scenario is much more efficient, as it can transmit data at about the same speed, but multiplied by the number of ports/LEDs. Researchers say they were able to steal data by 1000 bits/ per LED, making this the most efficient attack known to date. The attack worked best when coupled with optical sensors, which are capable of sampling LED signals at high rates, enabling data reception at a higher bandwidth than other typical video recording equipment. A video of the attack is available here.
If your routers are insecure enough that someone can sneak in, reprogram them to flash their LEDs and install sensors to pick up the flashing LEDs you have bigger issues.
There's a piece of electrical tape over my router LEDs so I can sleep...
Is that like making the Kessel Run in 12 parsecs?
Come on editors.
Assuming video recording at 30/frames a second, each bit requiring at least 2 frames I'm guessing it's around 1000 bits/minute.
Or some duct tape.
It little behooves the best of us to comment on the rest of us.
entire room wrapped in tape
your thin skin doesn't make me a troll
Wireless by definition makes the network insecure...
This looks like a contemporary attempt to revive a classic.
Back in the Before Times; you could get serial modems that did DES(maybe 3DES? my memory grows fuzzy) in hardware, to allow systems without built in line security measures to be run over phone lines(ATMs, that sort of thing). It was cleartext on the RS-232 link between the device and the modem; but that was supposed to be physically secured inside the chassis; then encrypted between the modems on each end of the line; and decrypted at the far end, presumably in a secure location.
Some designs, whether out of lack of imagination, incompetence, or sneaky malice, had LEDs that were more or less directly tied to the cleartext serial input; and the LEDs and drive circuitry were quite capable of blinking at the rates of at least the slower serial links; so you could read the unencrypted serial traffic right off the fancy 'secure' modem's blinkenlights(at a fair distance, with magnification).
This study tested ethernet gear as well; but found that(if unmodified) it was of relatively limited use: data rates were far too high for LEDs to be driven directly by high/low values in the data stream; and instead blinked in ways only indirectly associated with traffic activity, mostly for diagnostic convenience.
This new one requires that the system be maliciously modified, so it lacks the charm of the original; but takes advantage of the fact that indicator LEDs can still blink pretty fast(and some are GPIO controlled) so they can still be shoved into transmitting information; but now you have to handle that yourself, rather than having the vendor do it for you.
I think "bits per LEDsecond " is the funniest unit I've seen in a long damned time. "This exploit grabs data at 1000 bits/LED*s"
What do you think IrDA is (was)? Same thing using infrared LEDs is all. It supported up to 115.2 kbit/s, and that's just on one "channel" (LED). Back in 2004 I bitbanged IrDA with a micro-controller in a homebrew PS1 controller adapter that allowed me to use the controller with a Pocket PC. It was one-way communication, because the controller just needed to communicate button presses to the Pocket PC. It worked quite well. Anyway, assuming there is a relatively low-level access for toggling the LEDs on or off on a [insert device name here], such a method of transmitting data is patently obvious...
The "scary" thing is that communications of this sort are far beyond the refresh rate of the human eye, and so the end result is that the LED simply looks about half the normal brightness and does not appear to pulsate or anything.
Better known as 318230.
...to be able to install my own firmware on a router that is on a secure network, then I can access the data on the secure network it is attached to?
I would imagine if you could do all of that that, and be nearby at the time as well, then you could access the secure network by other means.
And all that assumes that data going across the secure network isn't all encrypted, which it typically is.
Upgrade your router...install systemd. It'll fuck it up so bad nothing will work.
* INFO: Running install_ubuntu_check_services() /com/ubuntu/upstart: Connection refused
* INFO: Running install_ubuntu_restart_daemons()
Job for salt-minion.service failed because a configured resource limit was exceeded. See "systemctl status salt-minion.service" and "journalctl -xe" for details.
start: Unable to connect to Upstart: Failed to connect to socket
* ERROR: No init.d support for salt-minion was found
* ERROR: Failed to run install_ubuntu_restart_daemons()!!!
root@r1:/etc/salt#
Jun 07 02:50:07 r1 systemd[1]: salt-minion.service: Failed to run 'start' task: No such file or directory
Jun 07 02:50:07 r1 systemd[1]: Failed to start The Salt Minion daemon.
Jun 07 02:50:07 r1 systemd[1]: salt-minion.service: Failed with result 'resources'.
Jun 07 02:50:51 r1 systemd[1]: [/lib/systemd/system/salt-minion.service:11] Failed to parse service restart specifier, ignoring: $RESTART
Jun 07 02:50:54 r1 systemd[1]: [/lib/systemd/system/salt-minion.service:11] Failed to parse service restart specifier, ignoring: $RESTART
Jun 07 02:50:54 r1 systemd[1]: Stopped The Salt Minion daemon.
Jun 07 02:50:54 r1 systemd[1]: salt-minion.service: Failed to load environment files: No such file or directory
Jun 07 02:50:54 r1 systemd[1]: salt-minion.service: Failed to run 'start' task: No such file or directory
Jun 07 02:50:54 r1 systemd[1]: Failed to start The Salt Minion daemon.
Jun 07 02:50:54 r1 systemd[1]: salt-minion.service: Failed with result 'resources'.
root@r1:/etc/salt#
LED Lights: Friend or Foe? was posted here more than 15 years ago. Everything old is new again (except me, I guess).
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
The only realistic application of this "hack" is in a bad Tom Cruise movie.
If you want news from today, you have to come back tomorrow.
Impractical but creative, I can dig it.
It's not an attack. It's a sidechannel communication mechanism, and the optical sensors needed to pick it up are going to be pretty damn obvious sitting on the floor if a datacenter.
While this might be used as a plot device on Mr. Robot, I don't expect much to come of this.
So, you own a router enough to send data via its lights to some other dude who can interpret your signals. Why the fuck don't u just tap it at that point? This is an overly complicated exfiltration method that has zero chance of ever mattering. I'm glad some money somewhere got spent for this idiocy
Because the owner of the data is watching for unusual network activity, but not for unusual blinky lights.
in that case you would just lose some transmit speed. ..this is fucking stupid. it's a custom firmware for a router that sends stuff out over the LED. it's fucking stupid and COULD HAVE BEEN FUCKING MADE 17 YEARS AGO.
like, it doesn't prove anything. it just proves that you could do something that you already knew that could be done.
world was created 5 seconds before this post as it is.
If you are in a position where you can even see the enclosures let alone the Router LED's I have more fucking problems than this attack vector. seriously is their any real Datacentre that would have any exposure to this ANYWHERE?
I don't see how using Perl helps here?
Ezekiel 23:20
If you have rooted the router and is close enough for optical transfer (aka irDA), would it then not be easier to just plug in network cable?
hardware randomize the time the LEDs stay on... Either a LFSR or a noise source hooked up to a comparator. That'll slow things down tremendously.
Or we could just stop using LEDs for every damn indicator on devices like this.
This is why I own electrical tape.
What about a capacitor? Wouldn't that slow down the LED response time enough to make high frequency flashes impossible? I'm not an electrical engineer, could be totally wrong.
Depends on the frequency of the signal and size of the capacitor and probably needs a resistor too but it would also add size and cost. You'd still be able to do some data exchange, you'd just have to tune it to the speed of the RC network.
Custom electronics and digital signage for your business: www.evcircuits.com
Same thought, what kind of rate is that?
Yep, just like the check engine light in the dashboard of my car. Problem solved!
Yeah, you need to add a resistor and a capacitor to the data line, and you'd only decrease, not prevent the flickering which carries the signal. So, small benefit. Personally, I'd put the black boxes into an opaque cabinet. Problem eliminated. If the network stops responding ... then that's when you call the IT department, who have the keys to the cabinet. Which would solve some other issues too. For example, you want to write some data to a USB drive? Fine! The USB port for your floor is in the cabinet, call IT. Want to play your favourite CD? Sure! The CD drive for your floor is in the cabinet, call IT.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
The downside being that it can't be done by the manufacturer unless they use low-spec parts so there is significant variation in response time between individual devices.
Soldering components into everything with an LED is not something I'd want to do, but if manufacturers put in caps with wide variations in capacitance - instead of buying parts that deviate from the expected values by .001%, they vary by 10% - then the frequency of the flicker would be too unpredictable to be exploited.
Then send 1 bit per second. Across the entire router, this could still be easily 10-20bits/s and even 1 bit/s is plenty to extract information like encryption keys. As long as I can modulate the behavior of the LED's, I can send data. The reason I can modulate the LED's in the first place is so the system doesn't need the extra circuitry to detect packets moving on the network, just wire it directly to the CPU and let it handle the blinking.
You can avoid these attacks by directly attaching the LED via a circuit to the data line and make it blink based on packets moving across the network, but that costs a few extra resistors, capacitors and perhaps even a chip (or not having LED's at all but there is a reason for them)
Custom electronics and digital signage for your business: www.evcircuits.com
My point is that an attacker wouldn't know that the response time of the LED has been changed. They told it to blink 10 times in one second, but instead it just stayed on the entire time. They tell it to flash once, and it's not enough to actually light the LED. They'd have to carefully and manually analyse the response to their commands to work out how to get around the delay. If, of course, they figure out that's where their problem is instead of thinking the hack failed, and they don't spend so much time on it that they get caught.