An air-gapped system, one with no wired or wireless link to any other network, is generally considered safe from remote intrusion: with no network path into it, there are few avenues for an attacker to exploit. After all, if you can't connect, you can't steal data from or tamper with air-gapped devices.
Once again, however, researchers from Israel's Ben Gurion University have shown that isolation is not the same as containment. They have demonstrated a method of leaking information out of isolated, secure networks using the status LEDs found on the routers and switches that make up those networks.
A paper explaining the findings, titled "xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs" (.PDF), was authored by Ben Gurion researchers Mordechai Guri, Boris Zadov, Andrey Daidakulov, and Yuval Elovici. It explains how a router or switch running malware they call xLED can be turned into an exfiltration path out of an air-gapped network.
As noted by ThreatPost, the malware uses the flashing of the LEDs to leak binary data such as encryption keys, passwords and files directly from the hardware, with no network connection involved.
In this attack, the firmware of a router or switch first has to be infected with the custom xLED malware. The researchers say the infection can take place through supply-chain attacks, social engineering, or the use of hardware that already contains pre-installed malware.
The malicious code controls the device's status LEDs and encodes data in their blinking. Once the malware has identified the information it wants to leak passing through the device, it breaks that data down into binary 1s and 0s and modulates them as LED on/off states; in the simplest scheme, the LED is switched on for a 1 and off for a 0 during each short time slot.
Data can be leaked at a rate of 10 bit/sec to 1000 bit/sec per LED, depending on the hardware infected by the malware. Because each LED can be driven independently, several LEDs can be modulated in parallel: if a router with eight LEDs has been compromised and each is driven at the upper end of that range, information can be transmitted at 8000 bits per second in aggregate.
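To make the encoding concrete, the following Python simulation models both ends of such a channel: the transmitter side that firmware would run (bits striped across several LEDs, one on/off state per LED per time slot) and the receiver side that would run over captured footage (find the start of transmission, then reassemble the bits). This is an added example and not code from the paper or its authors; the on-off keying, the 8-bit preamble used for synchronisation, the 16-bit length header and the idealised receiver that samples every time slot exactly once are all assumptions made here to keep the simulation self-contained.

```python
"""Simulation of an LED covert channel of the kind described for xLED.

Added example; not code from the Ben Gurion researchers or the xLED paper.
Assumptions (not taken from the article): on-off keying (LED on = 1,
off = 0), one bit per LED per time slot, bits striped across LEDs in
parallel, a constructed 8-bit preamble for framing, a 16-bit big-endian
payload length header, and an idealised receiver that observes each
time slot exactly once with no clock drift or missed frames.
"""
from typing import List, Sequence

PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]   # constructed sync pattern, blinked on every LED


def bytes_to_bits(data: bytes) -> List[int]:
    """Most-significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: Sequence[int]) -> bytes:
    """Inverse of bytes_to_bits; trailing bits that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def encode_frames(payload: bytes, n_leds: int) -> List[List[int]]:
    """Transmitter: one frame per time slot; frame[j] is LED j on (1) or off (0).

    Every LED first blinks the preamble so the receiver can lock on, then the
    16-bit length header and the payload are striped across the LEDs so that
    n_leds bits leave the device in every time slot.
    """
    if not 1 <= n_leds <= 64 or len(payload) > 0xFFFF:
        raise ValueError("unsupported LED count or payload size")
    frames = [[bit] * n_leds for bit in PREAMBLE]
    header = len(payload).to_bytes(2, "big")
    bits = bytes_to_bits(header + payload)
    bits += [0] * ((-len(bits)) % n_leds)          # zero-pad to a whole frame
    for i in range(0, len(bits), n_leds):
        frames.append(bits[i:i + n_leds])
    return frames


def decode_frames(frames: Sequence[Sequence[int]]) -> bytes:
    """Receiver: locate the preamble on LED 0, then de-stripe header and payload.

    Frames before transmission starts (all LEDs off) are tolerated; the first
    preamble match on LED 0 is taken as the start of the header.
    """
    if not frames:
        raise ValueError("no frames captured")
    led0 = [frame[0] for frame in frames]
    start = -1
    for k in range(len(led0) - len(PREAMBLE) + 1):
        if led0[k:k + len(PREAMBLE)] == PREAMBLE:
            start = k + len(PREAMBLE)
            break
    if start < 0:
        raise ValueError("preamble not found")
    bits = [bit for frame in frames[start:] for bit in frame]
    length = int.from_bytes(bits_to_bytes(bits[:16]), "big")
    return bits_to_bytes(bits[16:16 + 8 * length])


def seconds_to_send(frames: Sequence[Sequence[int]], slots_per_sec: float) -> float:
    """Wall-clock time for the transmission at a given per-LED symbol rate."""
    return len(frames) / slots_per_sec


if __name__ == "__main__":
    key = bytes(range(32))                          # constructed 256-bit key
    frames = encode_frames(key, n_leds=8)
    assert decode_frames([[0] * 8] * 5 + frames) == key
    # 8 preamble slots + (2 header + 32 payload bytes) * 8 bits / 8 LEDs = 42 slots
    print(len(frames), "time slots")
    print(seconds_to_send(frames, 1000), "s at 1000 bit/s per LED")
    print(seconds_to_send(frames, 10), "s at 10 bit/s per LED")
```

The arithmetic at the bottom is the point of the exercise: a 256-bit key plus framing fits in 42 time slots on an eight-LED device, so it leaves the building in well under a tenth of a second at the top of the quoted range and in a few seconds even at the camera-limited bottom of it.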
Because the signal leaves the device as light rather than as network traffic, firewalls, intrusion detection and every other control that inspects traffic never see it, and the physical separation that defines the air gap does nothing to stop it.
“Sensitive data can be encoded and modulated over the blinking of the LEDs,” the researchers say. “The generated signals can then be recorded by various types of remote cameras and optical sensors.”
Attackers who have captured the LED footage, for example with a hidden camera or camcorder, can then decode the flashes and reassemble the leaked data.
The new research follows on from earlier experiments at Ben Gurion, in which a camera was used to capture signals from a hard disk drive's activity LED semi-remotely in order to steal encryption keys and binary files from an air-gapped PC.
This kind of attack may appear to be a theoretical long shot, but with determined attackers and organisations holding valuable data, it would be a mistake to dismiss it. The defence is far simpler than the attack: restrict physical access and line of sight to networking equipment, and cover the status LEDs (opaque tape will do) so that there is no light to record.