Malware Uses Router LEDs to Steal Data From Secure Networks

  • June 6, 2017
  • 10:10 AM
  • 0

Blinking router LEDs

Specially-designed malware installed on a router or a switch can take control over the device’s LEDs and use them to transmit data in a binary format to a nearby attacker, who can capture it using simple video recording equipment.

This attack scenario is the creation of a talented team of researchers from the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel, who previously researched other types of data exfiltration scenarios relying on hard drive LEDs, coil whine, headphones, and others.

Attackers need to install malware on routers, switches

The entire operation is centered around a piece of malware the researchers created and named xLED.

This malware will intercept specific data passing through the router, break it down into its binary format, and use a router LED to signal the data to a nearby attacker, with the LED turned on standing for a binary one and the LED turned off representing a binary zero.

An attacker with a clear line of sight to the equipment can record the blinking operation. This “attacker” can be a security camera, a company insider, recording equipment mounted on a drone, and various other setups where a video recording device has a clear sight of the router or switch’s blinking LEDs.

The more router LEDs, the higher the exfiltration speed

During their tests, researchers say they’ve tested various configurations for the video recording setup, such as optical sensors, security/CCTV cameras, extreme cameras, smartphone cameras, wearable/hidden cameras, and others.

The research team says it achieved the best results with optical sensors because they are capable of sampling LED signals at high rates, enabling data reception at a higher bandwidth than other typical video recording equipment.

Researchers say that by using optical sensors, they were able to exfiltrate data at a rate of more than 1000 bit/sec per LED. Since routers and switches have more than one LED, the exfiltration speed can be increased many times over if multiple LEDs are used for data exfiltration. Basically, the more ports the router and switch has, the more data the malware can steal from the device.

The upside and downside of xLED attacks

Below is a table comparing speeds for other non-standard data exfiltration techniques. Taking into account that multiple LEDs can be used, stealing data using the xLED method is by far the most efficient and speedier of all.

Comparisson of exfiltration speeds for various attacks

Just like most of the data exfiltration scenarios from the table above, most only exist at the theoretical level and have various downsides. The problem with xLED is that the malware needs to run on the router or switch we need to steal data from.

For this, an attacker would need to find a security weakness in the device that would allow him to install the malware, either via a remote code execution flaw or a tainted firmware update.

The problem here is that once an attacker has gained access to a router or switch, there’s no reason to play around with blinking LEDs, as there are many other more efficient methods of stealing a company’s data, especially after you've hacked one of its routers.

Albeit somewhat impractical, this research is part of a larger effort from the same research team that has spent the past few years exploring various methods of stealing data from air-gapped systems. Previously, the Ben-Gurion team has come up with various wacky hacking techniques, such as:

LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED
SPEAKE(a)R - use headphones to record audio and spy on nearby users
9-1-1 DDoS - launch DDoS attacks that can cripple a US state's 911 emergency systems
USBee - make a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data
AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
BitWhisper - exfiltrate data from non-networked computers using heat emanations

Unnamed attack - uses flatbed scanners to relay commands to malware infested PCs or to exfiltrate data from compromised systems

If you want to read more about the research team’s work, the paper is entitled xLED: Covert Data Exfiltration from Air - Gapped  Networks via Router LEDs. Below is a video of an xLED attack in progress.

Related Articles:

New LamePyre macOS Malware Sends Screenshots to Attacker

Android Malware Tricks User to Log into PayPal to Steal Funds

Emotet Banking Trojan Loves U.S.A Internet Providers

Emotet Trojan Begins Stealing Victim's Email Using New Module

AutoHotkey Malware Is Now a Thing

Catalin Cimpanu
Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at For other contact methods, please visit Catalin's author page.
Post a Comment Community Rules
You need to login in order to post a comment

Not a member yet? Register Now

You may also like:

Newsletter Sign Up

To receive periodic updates and news from BleepingComputer, please use the form below.


Remember Me
Sign in anonymously


Help us understand the problem. What is going on with this comment?

Learn more about what is not allowed to be posted.