A team of security researchers working at Ben-Gurion University of the Negev in Israel has developed a new piece of malware called xLED, which can take control of a broadband router and turn the device’s front-panel LED (Light Emitting Diode) status lights into a transmission method for hackers or spies.
In this approach malicious code is executed on the LAN switch or router, giving it full control of the status LEDs. Sensitive data can then be encoded and modulated onto the blinking of the LEDs, which can happen so quickly that your eyes might not even notice it. The generated signals can then be recorded by various types of remote cameras and optical sensors.
The idea of hijacking a device’s LED lights for data extraction is not new, although it has not been done like this before and is perhaps more interesting from a technological standpoint than as a serious security exploit (at least in terms of domestic connections). Indeed, it has been argued that anybody with enough access to do this could arguably install far worse malware (malicious software) on the router.
However, the story may be different if you happen to run a highly secure or air-gapped network (computers not connected to the internet), where the goal of an attacker (e.g. industrial espionage or state-sponsored spies) may be to covertly extract your data (e.g. encryption keys, passwords and files) over a long period of time without detection.
A paper published by the team shows that sensitive data could be covertly leaked via the status LEDs of switches and routers at bit rates of between 10bps (bits per second) and over 1Kbps (Kilobits per second) per LED, achieved simply by switching the lights on and off at a very rapid pace (faster speeds are achieved by using more of the lights at the same time). Check out the video below.
The team suggests that router or network switch firmware could be infected with the malware via supply chain attacks, social engineering techniques, or the use of hardware with preinstalled malware. Back in 2014 some network devices were infected by a backdoor before they were delivered to the customer and in other cases an exploit might exist that allows the kit to be infected remotely over the Internet.
Interestingly, the team didn’t even have to infect the router itself with malicious firmware; instead they controlled it remotely (e.g. from a compromised computer within the network) via standard remote management channels such as SSH and Telnet, or by exploiting certain vulnerabilities in the router itself. The transmitting code is then uploaded to the router in the form of shellcode or a shell script (this type of malware is not persistent and would not survive a router reset).
In the above video the team used a TP-Link router with a standard open-source DD-WRT firmware (their method also works with OpenWRT) that has a telnet server. After connecting to the router from a computer in the network, they executed a script which controls the LEDs and modulates the data. The basic LED control commands used by their script are shown below.
Example Router Shell Script for LED Control
# Method #1 (sysfs LED class interface)
echo 0 > /sys/class/leds/led_name/brightness    # turn the LED on
echo 255 > /sys/class/leds/led_name/brightness  # turn the LED off
# Method #2 (GPIO interface)
echo 1 > /proc/gpio/X_out    # turn the LED on
echo 0 > /proc/gpio/X_out    # turn the LED off
Obviously this kind of attack can also be countered, for example by banning cameras from the network room (although ironically these are often needed for security / theft monitoring), covering the LED lights, shielding windows from prying eyes, monitoring LED activity, forensic extraction / monitoring of the firmware, or other malicious traffic detection methods.
In other words there are plenty of solutions for defeating such an exploit, although the team warns that “unlike network traffic that is heavily monitored and controlled by firewalls, this covert channel is currently not monitored. As a result, it enables attackers to leak data while evading firewalls, air gaps and other data-leakage prevention methods.”
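One way to implement the LED-activity monitoring mentioned above, as an added example that is not from the article or the researchers’ paper: it assumes a monitor already samples a status LED’s on/off state at a fixed rate (how that capture is done, e.g. a photodiode, is out of scope) and flags traces whose toggle gaps line up on a single clock period, as keyed modulation would, while traffic-driven blinking does not. The traces and the threshold are constructed for illustration.

```python
from statistics import mean

def toggle_intervals(samples):
    """Gaps (in samples) between consecutive LED state changes.
    The first and last runs are open-ended and therefore dropped."""
    changes = [i for i in range(1, len(samples)) if samples[i] != samples[i - 1]]
    return [b - a for a, b in zip(changes, changes[1:])]

def assess_led_trace(samples, sample_rate_hz, max_residual=0.1, min_toggles=8):
    """Return (flagged, symbol_rate_hz, regularity) for one sampled LED trace.

    Clocked on/off modulation makes every gap a small integer multiple of one
    bit period, so gap / shortest_gap sits close to an integer; link-activity
    blinking does not. Idle LEDs (too few toggles) are never flagged.
    The 0.1 threshold is an assumed heuristic, not a value from the paper."""
    gaps = toggle_intervals(samples)
    if len(gaps) < min_toggles:
        return False, 0.0, None
    base = min(gaps)
    regularity = mean(abs(g / base - round(g / base)) for g in gaps)
    return regularity <= max_residual, sample_rate_hz / base, regularity

def samples_from_runs(run_lengths, first_state=1):
    """Build a 0/1 trace from alternating run lengths (constructed test data)."""
    trace, state = [], first_state
    for run in run_lengths:
        trace.extend([state] * run)
        state ^= 1
    return trace

SAMPLE_RATE_HZ = 100
# Constructed: on/off keyed bits at 10 bps, the low end of the rates reported.
COVERT_TRACE = samples_from_runs([10, 10, 20, 20, 10, 10, 30, 10, 10, 10, 10, 10])
# Constructed: irregular blinking of the kind ordinary link activity produces.
TRAFFIC_TRACE = samples_from_runs([5, 7, 13, 4, 22, 9, 6, 17, 11, 5, 26, 8, 3])

if __name__ == "__main__":
    for name, trace in (("covert", COVERT_TRACE), ("traffic", TRAFFIC_TRACE)):
        flagged, rate, score = assess_led_trace(trace, SAMPLE_RATE_HZ)
        print(f"{name}: flagged={flagged} symbol_rate={rate:.1f} Hz regularity={score}")
```

The estimated symbol rate is simply the sample rate divided by the shortest gap, so a trace that triggers the check also tells you roughly how fast the channel is running.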