Researchers Use Malware to Turn WiFi Router LED Lights into Data Signal

Thursday, June 8th, 2017 (8:37 am) - Score 1,817

A team of security researchers at Ben-Gurion University of the Negev in Israel has developed a new piece of malware called xLED, which can take control of a broadband router and turn the device’s front-panel LED (Light Emitting Diode) lights into a transmission method for hackers or spies.

In this approach malicious code is executed on the LAN switch or router, giving it full control of the status LEDs. Sensitive data can then be encoded and modulated over the blinking of the LEDs, which can happen so quickly that your eyes might not even notice it. The generated signals can then be recorded by various types of remote cameras and optical sensors.

The idea of hijacking a device’s LED lights for data extraction is not new, although it has not been done like this before and is perhaps more interesting from a technological standpoint than as a serious security exploit (at least in terms of domestic connections). Indeed it has been argued that anybody with enough access to do this could arguably install far worse malware (malicious software) on the router.

However the story may be different if you happen to run a highly secure or air-gapped network (computers not connected to the internet), where the goal of an attacker (e.g. industrial espionage or state-sponsored spies) may be to covertly extract your data (e.g. encryption keys, passwords and files) over a long period of time without detection.

A paper published by the team shows that sensitive data could be covertly leaked via the status LEDs of switches and routers at bit rates of between 10bps (bits per second) and over 1Kbps (Kilobits per second) per LED, simply by switching the lights on and off at a very rapid pace (faster speeds are achieved by using more of the lights at the same time). Check out the video below.

The team suggests that router or network switch firmware could be infected with the malware via supply chain attacks, social engineering techniques, or the use of hardware with preinstalled malware. Back in 2014 some network devices were infected by a backdoor before they were delivered to the customer and in other cases an exploit might exist that allows the kit to be infected remotely over the Internet.

Interestingly the team didn’t even have to infect the router itself with malicious firmware; instead they controlled it remotely (e.g. from a compromised computer within the network) via standard remote management channels such as SSH and Telnet, or by exploiting certain vulnerabilities in the router itself. The transmitting code is then uploaded to the router in the form of shellcode or a shell script (this type of malware is not persistent and would not survive a router reset).
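Because the transmitter was pushed to the router over ordinary Telnet/SSH management access from inside the LAN, a defender’s first question is which remote shells the router actually exposes and on which interfaces. The following POSIX shell snippet is an added example (not code from the article or from the BGU researchers): it parses `netstat -ltn` output in the busybox/net-tools format and reports SSH (22) and Telnet (23) listeners, distinguishing sockets bound to every interface from those bound to one address. The netstat output it ships with is constructed for the demonstration, not captured from a real device.

```shell
#!/bin/sh
# Added example: audit which remote-shell services a Linux-based router is listening on.
# Assumes busybox/net-tools style `netstat -ltn` output on stdin. Sample data below is constructed.

# listening_shell_ports < netstat_output
#   Prints "PROTO ADDR PORT SCOPE" for every LISTEN socket on port 22 (SSH) or 23 (Telnet).
#   SCOPE is "all-interfaces" for 0.0.0.0 / :: binds and "bound" for a specific address.
listening_shell_ports() {
    awk '
        $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n] + 0
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (port == 22 || port == 23) {
                scope = (addr == "0.0.0.0" || addr == "::") ? "all-interfaces" : "bound"
                print $1, addr, port, scope
            }
        }'
}

# telnet_enabled < netstat_output
#   Exit status 0 when any Telnet listener is present, 1 otherwise.
telnet_enabled() {
    listening_shell_ports | awk '$3 == 23 { found = 1 } END { exit found ? 0 : 1 }'
}

# constructed_netstat
#   Constructed `netstat -ltn` output for a router with Telnet open on all interfaces,
#   SSH bound to the LAN address, and unrelated HTTP/DNS listeners.
constructed_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 :::53                   :::*                    LISTEN
EOF
}

# Run with "demo" to use the constructed sample; on a router, pipe the real command instead:
#   netstat -ltn | listening_shell_ports
case "${1:-}" in
    demo)
        constructed_netstat | listening_shell_ports
        if constructed_netstat | telnet_enabled; then
            echo "Telnet listener present: disable telnetd and restrict SSH to the LAN address"
        fi
        ;;
esac
```

On a real device the interesting output is any Telnet listener at all (it carries credentials in the clear) and any shell bound to `0.0.0.0`, which is reachable from every interface the router has.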

In the above video the team used a TP-Link router running the standard open-source DD-WRT firmware (their method also works with OpenWRT), which has a Telnet server. After connecting to the router from a computer on the network, they executed a script which controls the LEDs and modulates the data. The basic LED control commands used by their script are shown below.

Example Router Shell Script for LED Control

# Method #1: the Linux LED class interface exposed by DD-WRT / OpenWRT
# (led_name is the LED's entry under /sys/class/leds; the values are as the
# article lists them, so check the board's polarity and max_brightness first,
# since on the stock Linux LED class 0 normally means off)
# turn the LED on
echo 0 > /sys/class/leds/led_name/brightness
# turn the LED off
echo 255 > /sys/class/leds/led_name/brightness

# Method #2: direct GPIO access (X is the GPIO line wired to the LED)
echo 1 > /proc/gpio/X_out   # turn the LED on
echo 0 > /proc/gpio/X_out   # turn the LED off

Obviously this kind of vulnerability can also be countered, for example by banning cameras from the network room (although ironically these are often needed for security / theft monitoring), covering the LED lights, shielding windows from prying eyes, monitoring LED activity, forensic extraction / monitoring of the firmware, or other malicious traffic detection methods.
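“Monitoring LED activity” is the one countermeasure in that list that can run on the router itself. The script below is an added example, not code from the article or from the BGU team: it samples a status LED’s brightness through the same `/sys/class/leds` interface the transmitter uses, counts on/off transitions per second, and flags sustained toggling at or above the 10 bps the paper quotes as the lowest channel rate, which is well above the irregular few-Hz blinking of normal link activity. The sysfs path, the threshold, and the two sample traces it demonstrates on are assumptions or constructed data.

```shell
#!/bin/sh
# Added example: detect LED toggling rates consistent with a modulated covert channel.
# Assumptions: Linux LED class under /sys/class/leds (DD-WRT/OpenWRT); threshold of 10
# transitions/second taken from the article's lowest quoted bit rate. Sample data is constructed.

LED_SYS_DIR="${LED_SYS_DIR:-/sys/class/leds}"
RATE_THRESHOLD="${RATE_THRESHOLD:-10}"

# count_transitions FILE
#   FILE holds one sample per line: "<seconds> <brightness>". Prints the number of
#   on/off state changes across consecutive samples (brightness > 0 counts as "on").
count_transitions() {
    awk '{ state = ($2 > 0) ? 1 : 0
           if (NR > 1 && state != prev) n++
           prev = state }
         END { print n + 0 }' "$1"
}

# toggle_rate FILE
#   Prints transitions per second over the time span covered by FILE (0 if the span is empty).
toggle_rate() {
    awk 'NR == 1 { t0 = $1 }
         { state = ($2 > 0) ? 1 : 0
           if (NR > 1 && state != prev) n++
           prev = state; t1 = $1 }
         END { span = t1 - t0
               if (span <= 0) print 0; else printf "%.2f\n", n / span }' "$1"
}

# is_suspicious FILE [THRESHOLD]
#   Exit status 0 when the toggle rate meets or exceeds THRESHOLD (default RATE_THRESHOLD).
is_suspicious() {
    rate=$(toggle_rate "$1")
    awk -v r="$rate" -v th="${2:-$RATE_THRESHOLD}" 'BEGIN { exit (r >= th) ? 0 : 1 }'
}

# sample_led LED_NAME SECONDS OUTFILE
#   Samples one LED's brightness as fast as the shell allows for SECONDS seconds.
#   Run on the router itself. `date +%N` needs a date that supports nanoseconds; busybox
#   date may print a literal "N", in which case substitute a coarser clock source.
sample_led() {
    f="$LED_SYS_DIR/$1/brightness"
    end=$(( $(date +%s) + $2 ))
    : > "$3"
    while [ "$(date +%s)" -lt "$end" ]; do
        printf '%s %s\n' "$(date +%s.%N)" "$(cat "$f")" >> "$3"
    done
}

# make_constructed_samples OUTFILE PERIOD_SECONDS COUNT
#   Writes COUNT constructed samples whose state flips every PERIOD_SECONDS (test data, not a capture).
make_constructed_samples() {
    awk -v p="$2" -v n="$3" 'BEGIN { for (i = 0; i < n; i++) printf "%.3f %d\n", i * p, (i % 2) * 255 }' > "$1"
}

# demo: a slow blink like link activity versus a 100 transitions/second modulated pattern.
demo() {
    tmp=$(mktemp -d)
    make_constructed_samples "$tmp/normal.txt" 0.5 10    # state changes every 0.5 s
    make_constructed_samples "$tmp/fast.txt" 0.01 100    # state changes every 10 ms
    for f in "$tmp/normal.txt" "$tmp/fast.txt"; do
        if is_suspicious "$f"; then verdict=SUSPICIOUS; else verdict=normal; fi
        printf '%s: %s transitions, %s/s -> %s\n' "$f" "$(count_transitions "$f")" "$(toggle_rate "$f")" "$verdict"
    done
    rm -rf "$tmp"
}
case "${1:-}" in demo) demo ;; esac
```

A shell loop cannot sample faster than a few hundred hertz, so this will miss the upper end of the quoted 1Kbps range; what it reliably catches is the sustained, regular toggling that a data channel produces and normal traffic does not, which is the cheap first check before pulling the firmware for forensic analysis.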

In other words there are plenty of solutions for defeating such an exploit, although the team warns that “unlike network traffic that is heavily monitored and controlled by firewalls, this covert channel is currently not monitored. As a result, it enables attackers to leak data while evading firewalls, air gaps and other data-leakage prevention methods.”

1 Response
  1. Avatar Bob2002

    And if it wasn’t for line of sight I would have succeeded!!!
