Hackers may be able to siphon sensitive files, passwords and other private data through the flickering LED signal lights of common Wi-Fi routers, Ben-Gurion University researchers have found.
In a recently completed study, Dr. Mordechai Guri and his team demonstrated how a type of malware they developed – dubbed “xLED” – can silently override LED functionality by infecting firmware within the device. Once xLED infects the network device, it is able to gain full control of the flashing lights, which are typically used to monitor traffic activity, generate alerts and provide status updates.
“Sensitive data can be encoded and sent via the LED light pulses in various ways,” said Guri, who is head of research and development at the university’s Cyber Security Research Center. “An attacker with access to a remote or local camera, or with a light sensor hidden in the room, can record the LED’s activity and decode the signals.”
The xLED malware can program LED lights to flash at very fast speeds, the study showed. Because a typical router or network switch contains at least six such LEDs, the transmission rate can be multiplied significantly, enabling the leakage of a large amount of sensitive information that can be recorded by a remote camera or light sensor, according to the research.
“Unlike network traffic that is heavily monitored and controlled by firewalls, this covert channel is currently not monitored,” Guri said. “As a result, it enables attackers to leak data while evading firewalls, air gaps [computers not hooked up to the Internet] and other data-leakage prevention methods.”
Guri’s findings are just the latest in a series of studies at BGU’s Cyber Security Research Center dedicated to uncovering and demonstrating vulnerabilities of electronic devices. In the past two years, researchers have successfully demonstrated how malware can siphon data from computer speakers, headphone jacks, hard drives, computer fans, 3D printers, smartphones, LED bulbs and other connected devices.
In March, Guri and his team showed how information can similarly be stolen from an “air-gapped” computer’s hard drive by reading the pulses of light from the drive’s LED, even when the computer is isolated from public networks.
While Guri’s lab-tested xLED is able to steal information from routers, he acknowledged that no such malware is known to be out there circulating in the world just yet. In the future, however, hackers might use similar methods to threaten big institutions such as banks, he told The Jerusalem Post on Monday.
A computer might be very well guarded, but the router connected to the machine might be much less secure, according to Guri. After infecting the router with the malware, hackers would just need a visible “line of sight” – even from outside a window – to monitor the LEDs, he added.
“The access to the router can be much easier for hackers,” Guri said. “It gives some kind of access point, attack vector.”
The hacker could access any files, movies, texts or images on a computer connected to that router, he explained.
“The malware just has to choose what it wants to leak,” Guri said.
Accompanying a paper they wrote about their findings, Guri and his team also uploaded a video to YouTube on Monday demonstrating xLED’s power to covertly exfiltrate data using the LEDs of a typical TP-LINK router. The malware exfiltrates the data via seven LEDs at a rate of 10,000 bits per second, with each LED blinking more than 1,000 times per second. Slowing down the transmission 166 times, the video challenges viewers to figure out what exactly xLED is exfiltrating.
When asked by the Post what the answer to that challenge might be, Guri encouraged readers to try decoding the puzzle for themselves.
“It’s a famous book,” he said.