ETHERLED: Sending Covert Morse Signals from Air-Gapped Devices via Network Card (NIC) LEDs
Mordechai Guri

TL;DR
This paper introduces ETHERLED, a novel covert channel exploiting NIC LEDs on air-gapped devices to exfiltrate data via Morse-coded optical signals, which can be intercepted from significant distances.
Contribution
The paper presents a new method for data exfiltration from air-gapped devices using NIC LEDs controlled by malware, including implementation details and potential countermeasures.
Findings
Data can be transmitted via NIC LEDs over tens to hundreds of meters.
Malware can control LEDs using documented and undocumented commands.
Effective countermeasures can mitigate this covert channel.
Abstract
Highly secure devices are often isolated from the Internet or other public networks due to the confidential information they process. This level of isolation is referred to as an 'air-gap.' In this paper, we present a new technique named ETHERLED, allowing attackers to leak data from air-gapped networked devices such as PCs, printers, network cameras, embedded controllers, and servers. Networked devices have an integrated network interface controller (NIC) that includes status and activity indicator LEDs. We show that malware installed on the device can control the status LEDs by blinking and alternating colors, using documented methods or undocumented firmware commands. Information can be encoded via simple encoding such as Morse code and modulated over these optical signals. An attacker can intercept and decode these signals from tens to hundreds of meters away. We show an…
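A defender-side check for the Morse encoding the abstract describes, as an added example that is not from the paper: it tests whether observed LED on/off durations fit standard Morse timing (dot 1 unit, dash 3, letter gap 3, word gap 7) and decode to valid letters. The `(state, duration_ms)` input format, the `analyze` function, its thresholds and both sample traces are assumptions constructed for illustration.

```python
# Added example: test whether observed LED on/off runs follow Morse timing.
# The (state, duration_ms) input is an assumed format, e.g. from a photodiode
# or camera sampling a NIC LED. All sample data below is constructed.
CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- "
         ".--. --.- .-. ... - ..- ...- .-- -..- -.-- --..").split()
MORSE = dict(zip(CODES, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"))

def analyze(runs, tolerance=0.25, min_fit=0.9):
    """Return (morse_like, decoded_text, fit) for a list of (state, ms) runs."""
    on = [ms for state, ms in runs if state]
    if len(on) < 4:               # too few pulses to judge
        return False, "", 0.0
    unit = min(on)                # shortest pulse is taken as one time unit

    def near(ms, k):              # is this pulse about k units long?
        return abs(ms / unit - k) <= k * tolerance

    # Fraction of ON pulses that look like a dot (1 unit) or a dash (3 units).
    fit = sum(near(ms, 1) or near(ms, 3) for ms in on) / len(on)

    words, letter = [[]], ""
    for state, ms in runs:
        ratio = ms / unit
        if state:
            letter += "." if ratio < 2 else "-"
        elif ratio >= 2:          # letter gap (3 units) or word gap (7 units)
            if letter:
                words[-1].append(letter)
                letter = ""
            if ratio >= 5 and words[-1]:
                words.append([])
    if letter:
        words[-1].append(letter)
    words = [w for w in words if w]
    valid = all(sym in MORSE for w in words for sym in w)
    text = " ".join("".join(MORSE.get(sym, "?") for sym in w) for w in words)
    return fit >= min_fit and valid, text, fit

# Constructed trace: "SOS" at a 100 ms unit with a few ms of jitter.
S = [(1, 100), (0, 100), (1, 105), (0, 95), (1, 100)]
O = [(1, 300), (0, 100), (1, 310), (0, 100), (1, 295)]
SAMPLE_MORSE = S + [(0, 300)] + O + [(0, 300)] + S
# Constructed trace: irregular blinking, as from ordinary traffic activity.
SAMPLE_BENIGN = [(1, 40), (0, 15), (1, 90), (0, 60), (1, 25), (0, 200),
                 (1, 70), (0, 30), (1, 55), (0, 10), (1, 160)]

if __name__ == "__main__":
    print(analyze(SAMPLE_MORSE))
    print(analyze(SAMPLE_BENIGN))
```

A timing fit alone is a weak signal on short traces; treat a positive result as a prompt to inspect the host rather than as proof of exfiltration.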
