xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs
Mordechai Guri, Boris Zadov, Andrey Daidakulov, Yuval Elovici

TL;DR
This paper demonstrates a novel method for covert data exfiltration from air-gapped networks by controlling router LEDs to transmit encoded information detectable by remote cameras and sensors.
Contribution
It introduces the first study of using router status LEDs as covert channels for data exfiltration, including implementation, modulation schemes, and evaluation.
Findings
Data can be leaked at rates up to 1Kbit/sec per LED.
Remote cameras and sensors can detect the LED signals effectively.
Countermeasures can be implemented to prevent such covert channels.
Abstract
In this paper we show how attackers can covertly leak data (e.g., encryption keys, passwords and files) from highly secure or air-gapped networks via the row of status LEDs that exists in networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), intentionally controlling the status LEDs to carry any type of data ('covert-channel') has never been studied before. A malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors. We provide the technical background on the internal architecture of switches and routers (at both the hardware and…
Taxonomy
Topics: Advanced Steganography and Watermarking Techniques · Advanced Malware Detection Techniques · Chaos-based Image/Signal Encryption
