Slashdot Mirror


Malware Uses Router LEDs To Steal Data From Secure Networks (bleepingcomputer.com)

An anonymous reader writes: Researchers from the Ben-Gurion University of the Negev in Israel have developed malware that when installed on a router or a switch can take control over the device's LEDs and use them to transmit data in a binary format to a nearby attacker, who can capture it using simple video recording equipment. The attack is similar to the LED-it-GO attack developed by the same team, which uses a hard drive's blinking LED to steal data from air-gapped computers. Because routers and switches have many more LEDs than a hard drive, this attack scenario is much more efficient, as it can transmit data at about the same speed, but multiplied by the number of ports/LEDs. Researchers say they were able to steal data by 1000 bits/ per LED, making this the most efficient attack known to date. The attack worked best when coupled with optical sensors, which are capable of sampling LED signals at high rates, enabling data reception at a higher bandwidth than other typical video recording equipment. A video of the attack is available here.

12 of 105 comments

  1. security of routers by Anonymous Coward · · Score: 5, Insightful

    If your routers are insecure enough that someone can sneak in, reprogram them to flash their LEDs and install sensors to pick up the flashing LEDs you have bigger issues.

    1. Re:security of routers by hawguy · · Score: 5, Interesting

      If your routers are insecure enough that someone can sneak in, reprogram them to flash their LEDs and install sensors to pick up the flashing LEDs you have bigger issues.

      Lots of companies colocate in "secure" datacenters where their equipment cages are walled off by nothing more than chain link fences with equipment stacked in bare racks, plainly visible to anyone walking by.

      If you can find a software vulnerability and hack into one of their switches/routers, you can use this technique to extract data from their network without tripping any IDS sensors -- all you need to do is rent a neighboring cage and point a camera at the switches.

      The company across the courtyard from us has a big stack of network switches facing the window. Same problem - get someone to infect their network from within (through, say, a compromised USB key) and you can send data all day long over the lights without anyone noticing any unusual outbound traffic.

  2. Re:good grief by Anonymous Coward · · Score: 2, Interesting

    There's a piece of electrical tape over my router LEDs so I can sleep...

  3. 1000 bits/ per LED? by michael.karl.coleman · · Score: 2

    Is that like making the Kessel Run in 12 parsecs?

  4. Almost old school by fuzzyfuzzyfungus · · Score: 5, Informative

    This looks like a contemporary attempt to revive a classic.

    Back in the Before Times; you could get serial modems that did DES(maybe 3DES? my memory grows fuzzy) in hardware, to allow systems without built in line security measures to be run over phone lines(ATMs, that sort of thing). It was cleartext on the RS-232 link between the device and the modem; but that was supposed to be physically secured inside the chassis; then encrypted between the modems on each end of the line; and decrypted at the far end, presumably in a secure location.

    Some designs, whether out of lack of imagination, incompetence, or sneaky malice, had LEDs that were more or less directly tied to the cleartext serial input; and the LEDs and drive circuitry were quite capable of blinking at the rates of at least the slower serial links; so you could read the unencrypted serial traffic right off the fancy 'secure' modem's blinkenlights(at a fair distance, with magnification).

    This study tested ethernet gear as well; but found that(if unmodified) it was of relatively limited use: data rates were far too high for LEDs to be driven directly by high/low values in the data stream; and instead blinked in ways only indirectly associated with traffic activity, mostly for diagnostic convenience.

    This new one requires that the system be maliciously modified, so it lacks the charm of the original; but takes advantage of the fact that indicator LEDs can still blink pretty fast(and some are GPIO controlled) so they can still be shoved into transmitting information; but now you have to handle that yourself, rather than having the vendor do it for you.

  5. IrDA by Dan East · · Score: 4, Informative

    What do you think IrDA is (was)? Same thing using infrared LEDs is all. It supported up to 115.2 kbit/s, and that's just on one "channel" (LED). Back in 2004 I bitbanged IrDA with a micro-controller in a homebrew PS1 controller adapter that allowed me to use the controller with a Pocket PC. It was one-way communication, because the controller just needed to communicate button presses to the Pocket PC. It worked quite well. Anyway, assuming there is a relatively low-level access for toggling the LEDs on or off on a [insert device name here], such a method of transmitting data is patently obvious...
    The "scary" thing is that communications of this sort are far beyond the refresh rate of the human eye, and so the end result is that the LED simply looks about half the normal brightness and does not appear to pulsate or anything.

    --
    Better known as 318230.
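
An added example, not part of any comment in this thread: a defender-side check for the effect described above, where an LED toggled faster than the eye can follow just looks dimmer than usual. It assumes you already have a 0/1 brightness trace of one of your own device's LEDs from a photodiode or high-speed camera; the sampling rate, the 60 Hz flicker threshold, the duty-cycle bounds and both sample traces are constructed assumptions.

```python
import random

SAMPLE_RATE_HZ = 10_000      # assumed sensor sampling rate
FLICKER_FUSION_HZ = 60       # assumed rate above which blinking looks like steady dimming


def analyze_led_trace(samples, sample_rate_hz, window_s=0.1):
    """Return (start_time_s, toggle_hz, duty) for each window whose LED
    toggles too fast to be seen as blinking while staying partly lit."""
    win = round(sample_rate_hz * window_s)
    suspicious = []
    for start in range(0, len(samples) - win + 1, win):
        chunk = samples[start:start + win]
        toggles = sum(a != b for a, b in zip(chunk, chunk[1:]))
        toggle_hz = toggles / window_s
        duty = sum(chunk) / win
        # A blink at f Hz produces 2*f toggles per second.
        if toggle_hz > 2 * FLICKER_FUSION_HZ and 0.2 < duty < 0.8:
            suspicious.append((start / sample_rate_hz, toggle_hz, round(duty, 2)))
    return suspicious


def normal_trace(seconds=1):
    """Constructed sample: a status LED blinking visibly at 10 Hz."""
    half_period = SAMPLE_RATE_HZ // 20
    return ([1] * half_period + [0] * half_period) * (10 * seconds)


def modulated_trace(seconds=1, symbols_per_s=1000):
    """Constructed sample: on/off keying of pseudo-random bits (assumed rate)."""
    rng = random.Random(2017)
    per_symbol = SAMPLE_RATE_HZ // symbols_per_s
    bits = [rng.getrandbits(1) for _ in range(symbols_per_s * seconds)]
    return [b for b in bits for _ in range(per_symbol)]


if __name__ == "__main__":
    trace = normal_trace() + modulated_trace()
    for start_s, toggle_hz, duty in analyze_led_trace(trace, SAMPLE_RATE_HZ):
        print(f"t={start_s:.1f}s  toggles/s={toggle_hz:.0f}  duty={duty}")
```

The visible 10 Hz blink produces no findings, while every window of the keyed second is reported, even though both have roughly the same average brightness.
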
  6. So if I get physical access... by StevenMaurer · · Score: 4, Insightful

    ...to be able to install my own firmware on a router that is on a secure network, then I can access the data on the secure network it is attached to?

    I would imagine if you could do all of that, and be nearby at the time as well, then you could access the secure network by other means.

    And all that assumes that data going across the secure network isn't all encrypted, which it typically is.

  7. Deja vu by ShaunC · · Score: 5, Informative

    LED Lights: Friend or Foe? was posted here more than 15 years ago. Everything old is new again (except me, I guess).

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!

  8. Tom Cruise by Frosty Piss · · Score: 4, Funny

    The only realistic application of this "hack" is in a bad Tom Cruise movie.

    --
    If you want news from today, you have to come back tomorrow.

  9. Not an "attack" by Anonymous Coward · · Score: 2, Insightful

    It's not an attack. It's a sidechannel communication mechanism, and the optical sensors needed to pick it up are going to be pretty damn obvious sitting on the floor of a datacenter.

  10. Nice movie plot but.... by pcjunky · · Score: 2

    While this might be used as a plot device on Mr. Robot, I don't expect much to come of this.

  11. Re:good grief by unixcorn · · Score: 2

    Yep, just like the check engine light in the dashboard of my car. Problem solved!