430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Exfiltrating data from Air-Gapped Networks via Router LEDs

A team of Israeli researchers has devised a new technique to exfiltrate data from a machine by using a malware that controls router LEDs. A few months ago a group of researchers from Israeli Ben-Gurion University devised a new technique to exfiltrate data from a machine by using a malware that controls hard drive LEDs, now […]

Exfiltrating data from Air-Gapped Networks via Router LEDs

A team of Israeli researchers has devised a new technique to exfiltrate data from a machine by using a malware that controls router LEDs.

A few months ago a group of researchers from Israeli Ben-Gurion University devised a new technique to exfiltrate data from a machine by using a malware that controls hard drive LEDs, now researchers applied the technique to routers.

The attack is very insidious because hacking a router it is possible to gain control over the entire network, for this reason, the researchers focused their efforts in stealing admin credentials of the device.

The team of experts led by the expert Mordechai Guri developed a specific firmware dubbed xLED that allowed them to control the LED while the router is working.

Alternatively, the group demonstrated how to force the router executing a malicious script to control the LED.

“In this paper, we show how attackers can covertly leak data (e.g., encryption keys, passwords and files) from highly secure or air-gapped networks via the row of status LEDs that exists in networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device (‘side-channel’), intentionally controlling the status LEDs to carry any type of data (‘covert-channel’) has never studied before.” reads the paper published by the experts. “A malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors.”

The experts demonstrated that using a normal camera (managing LED blinks at 120 bits/second) it is possible to exfiltrate data at a rate that is limited to less than 1 Kbps, but using a GoPro Hero5 it is possible to increase the efficiency of the technique managing LED blinks at 960 bits/second.

If the attacker has physical access to the target’s facility, they can use an optical sensor (Guri’s group used a Thorlabs PDA100A) that can reach more than 1 Kbps and as high as 3.5 Kbps.

Exfiltrating data router leds

Below a portion of code used for the modulation of the signal sent through the status LEDs that can be captured by the attackers with a remote camera of an optical sensor:

Algorithm 1 ModulateOOK
1: procedure ModulateOOK(nLED, data, T)
2: openLED(nLED); //opens the LED file for writing
3: while(data[i] !=0)
4: if(data[i] == ‘0’) //modulate 0 by turning the LED off
5: setLEDOff(nLED);
6: if(data[i] == ‘1’) //modulate 1 by turning the LED on
7: setLEDOn(nLED);
8: i++;
9: sleep(T); // sleep for time period of T
10: closeLED(nLED); // closes the LED file descriptor

below the shellscript released by the experts:

// Method #1
// turn the LED on
1: echo 0 > /sys/class/leds/led_name/brightness
// turn the LED off
2: echo 255 > /sys/class/leds/led_name/brightness
// Method #2
3: echo 1 > /proc/gpio/X_out // turn the LED on
4: echo 0 > /proc/gpio/X_out // turn LED off

The researchers also shared a proof-of-concept video of the attack:

To prevent this kind of attack the best option for the user it to put a tape over the LEDs, and to check the firmware running his/her router.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – router leds, data exfiltration)

[adrotate banner=”13″]