
Malware Uses Router LEDs To Steal Data From Secure Networks (bleepingcomputer.com)

An anonymous reader writes: Researchers from the Ben-Gurion University of the Negev in Israel have developed malware that when installed on a router or a switch can take control over the device's LEDs and use them to transmit data in a binary format to a nearby attacker, who can capture it using simple video recording equipment. The attack is similar to the LED-it-GO attack developed by the same team, which uses a hard drive's blinking LED to steal data from air-gapped computers. Because routers and switches have many more LEDs than a hard drive, this attack scenario is much more efficient, as it can transmit data at about the same speed, but multiplied by the number of ports/LEDs. Researchers say they were able to steal data by 1000 bits/ per LED, making this the most efficient attack known to date. The attack worked best when coupled with optical sensors, which are capable of sampling LED signals at high rates, enabling data reception at a higher bandwidth than other typical video recording equipment. A video of the attack is available here.
  • by Anonymous Coward on Tuesday June 06, 2017 @08:40PM (#54565011)

    If your routers are insecure enough that someone can sneak in, reprogram them to flash their LEDs and install sensors to pick up the flashing LEDs, you have bigger issues.

    • Aside from the 'researchers were looking for publication; not a practical exfiltration strategy' issue; I imagine that it would be most useful in a comparatively complex network where you can't necessarily do anything excessively shady looking over the network interfaces without the risk of being caught by the IDS or similar.

      For your basic "router is what turns the cable into wifi, right?" network setup, sure, this is absurdly perverse: you own the router, just use their own internet connection for whate
      • It seems to me like it's most plausibly useful in a context where you have owned the surveillance network and can point a camera at a router. But then you're limited to whatever data transmission rate you can manage given the limitations of the environment. However, what if you used many pieces of equipment in the DC, and many cameras?

      • I can think of a far more efficient way to exfiltrate data from a network: write a program to generate 2D color bitmaps and display them onscreen to photograph them.

        If you're using remote desktop and can do screen captures, you can literally pack up to 24 bits into every single pixel on the screen.

        Worst-case, with a high-end Android phone's ~12 megapixel camera photographing the screen, you could pack at least 8 bits into every 4x4 pixel square (2x2 of color, separated from adjacent data blocks by 2 pixels

    • by msauve ( 701917 )
      "If your routers are insecure enough that someone can sneak in, reprogram them to flash their LEDs and install sensors to pick up the flashing LEDs you have bigger issues."

      And, I'll be glad to sell you a $1000 piece of opaque tape to put over the LEDs to obviate the attack. Maybe I'll write a formal paper about the method, which will then become a /. article.
    • by hawguy ( 1600213 ) on Wednesday June 07, 2017 @12:34AM (#54566107)

      If your routers are insecure enough that someone can sneak in, reprogram them to flash their LEDs and install sensors to pick up the flashing LEDs you have bigger issues.

      Lots of companies colocate in "secure" datacenters where their equipment cages are walled off by nothing more than chain link fences with equipment stacked in bare racks, plainly visible to anyone walking by.

      If you can find a software vulnerability and hack into one of their switches/routers, you can use this technique to extract data from their network without tripping any IDS sensors -- all you need to do is rent a neighboring cage and point a camera at the switches.

      The company across the courtyard from us has a big stack of network switches facing the window. Same problem - get someone to infect their network from within (through, say, a compromised USB key) and you can send data all day long over the lights without anyone noticing any unusual outbound traffic.

      • If you can find a software vulnerability and hack into one of their switches/routers, you can use this technique to extract data from their network without tripping any IDS sensors

        I'm curious to learn about this IDS that can catch traffic from compromised network hardware but can't catch the act of compromising network hardware. This is an impractical POC for anything but the most outlandish spy movies. There are far easier ways to exfiltrate data.

        • by tlhIngan ( 30335 )

          I'm curious to learn about this IDS that can catch traffic from compromised network hardware but can't catch the act of compromising network hardware. This is an impractical POC for anything but the most outlandish spy movies. There are far easier ways to exfiltrate data.

          If you have a lot of time, you can easily blink a network LED without most IDSes detecting it by simply bringing the link up and down. It's a slow process since it takes several seconds for the LED to react, but if you have enough machines

          • If you have a lot of time, you can easily blink a network LED without most IDSes detecting it by simply bringing the link up and down.

            I can't think of anything noisier and more disruptive than one or more NICs constantly going up and down.
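
            The reply above makes the point that link flapping is noisy, which is exactly what makes it detectable. As an added example (not code from any commenter or from the researchers), here is a small Python check, assuming a constructed Linux-style syslog format and hypothetical function names, that flags interfaces whose link state toggles more than a threshold within a sliding window:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not from the page); a real feed is a file.
SAMPLE_LOG = """\
Jun  6 20:40:01 sw1 kernel: eth0: link down
Jun  6 20:40:04 sw1 kernel: eth0: link up
Jun  6 20:40:07 sw1 kernel: eth0: link down
Jun  6 20:40:10 sw1 kernel: eth0: link up
Jun  6 20:40:13 sw1 kernel: eth0: link down
Jun  6 20:40:16 sw1 kernel: eth0: link up
Jun  6 20:40:19 sw1 kernel: eth0: link down
Jun  6 20:40:22 sw1 kernel: eth0: link up
Jun  6 20:41:00 sw1 kernel: eth3: link down
Jun  6 20:45:30 sw1 kernel: eth3: link up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<iface>\S+): link (?P<state>up|down)$"
)

def parse_events(text, year=2017):
    """Yield (timestamp, host, iface) for each link up/down transition."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line, ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["iface"]

def flapping_interfaces(text, window_s=60, threshold=6):
    """Return {(host, iface): peak} for interfaces whose link state changed
    more than `threshold` times inside any `window_s`-second sliding window."""
    per_iface = defaultdict(list)
    for ts, host, iface in parse_events(text):
        per_iface[(host, iface)].append(ts)
    flagged = {}
    for key, times in per_iface.items():
        times.sort()
        start = peak = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[key] = peak
    return flagged
```

            Ordinary cabling faults flap too, so the threshold is a tuning knob; the point is that a sustained, regular toggle pattern on a port that is otherwise idle stands out in the logs even when no unusual traffic crosses the network.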

        • by hawguy ( 1600213 )

          If you can find a software vulnerability and hack into one of their switches/routers, you can use this technique to extract data from their network without tripping any IDS sensors

          I'm curious to learn about this IDS that can catch traffic from compromised network hardware but can't catch the act of compromising network hardware. This is an impractical POC for anything but the most outlandish spy movies. There are far easier ways to exfiltrate data.

          "Hey guys, we just had a huge DoS traffic flood - overwhelmed our IDS for a few minutes, but everything looks good now. Looks like it made one of our core switches reboot. Weird. But everything is back online now, IDS isn't reporting anything unusual so at least we can be certain there's no data leak!"

        • There are far easier ways to exfiltrate data.

          You mean like print out secured documents, fold them up, stick them in a pocket, and walk out the door? It sounds like that is what Reality Winner did.

    • Don't need to sneak in.

      Just install it at the factory or just before it's delivered, and hack the cameras securing the datacenter.

  • Is that like making the Kessel Run in 12 parsecs?

    • And how is it even pronounced? "One thousand bits per per LED"? "One thousand bits over per LED"? "One thousand bits-slash per LED"?
    • Parsec is distance.

  • by Anonymous Coward

    Come on editors.
    Assuming video recording at 30 frames a second, and each bit requiring at least 2 frames, I'm guessing it's around 1000 bits/minute.

  • by poity ( 465672 )

    entire room wrapped in tape

  • by Anonymous Coward

    Wireless by definition makes the network insecure...

  • Almost old school (Score:5, Informative)

    by fuzzyfuzzyfungus ( 1223518 ) on Tuesday June 06, 2017 @09:17PM (#54565205) Journal
    This looks like a contemporary attempt to revive a classic [www.foo.be].

    Back in the Before Times, you could get serial modems that did DES (maybe 3DES? my memory grows fuzzy) in hardware, to allow systems without built-in line security measures to be run over phone lines (ATMs, that sort of thing). It was cleartext on the RS-232 link between the device and the modem; but that was supposed to be physically secured inside the chassis; then encrypted between the modems on each end of the line; and decrypted at the far end, presumably in a secure location.

    Some designs, whether out of lack of imagination, incompetence, or sneaky malice, had LEDs that were more or less directly tied to the cleartext serial input; and the LEDs and drive circuitry were quite capable of blinking at the rates of at least the slower serial links; so you could read the unencrypted serial traffic right off the fancy 'secure' modem's blinkenlights (at a fair distance, with magnification).

    This study tested ethernet gear as well; but found that (if unmodified) it was of relatively limited use: data rates were far too high for LEDs to be driven directly by high/low values in the data stream; and instead blinked in ways only indirectly associated with traffic activity, mostly for diagnostic convenience.

    This new one requires that the system be maliciously modified, so it lacks the charm of the original; but takes advantage of the fact that indicator LEDs can still blink pretty fast (and some are GPIO controlled) so they can still be shoved into transmitting information; but now you have to handle that yourself, rather than having the vendor do it for you.
  • I think "bits per LEDsecond " is the funniest unit I've seen in a long damned time. "This exploit grabs data at 1000 bits/LED*s"

  • IrDA (Score:5, Informative)

    by Dan East ( 318230 ) on Tuesday June 06, 2017 @09:20PM (#54565217) Journal

    What do you think IrDA is (was)? Same thing using infrared LEDs is all. It supported up to 115.2 kbit/s, and that's just on one "channel" (LED). Back in 2004 I bitbanged IrDA with a micro-controller in a homebrew PS1 controller adapter that allowed me to use the controller with a Pocket PC. It was one-way communication, because the controller just needed to communicate button presses to the Pocket PC. It worked quite well. Anyway, assuming there is a relatively low-level access for toggling the LEDs on or off on a [insert device name here], such a method of transmitting data is patently obvious...
    The "scary" thing is that communications of this sort are far beyond the refresh rate of the human eye, and so the end result is that the LED simply looks about half the normal brightness and does not appear to pulsate or anything.

    • Cryptonomicon (1999) by Neal Stephenson had a scene where a guy was being asked to crunch data (on pain of death) to get the location of buried treasure, and so had to first make a program that obfuscated his screen output to display a bogus location and to blink out the real coordinates to his capslock light in Morse code.

      Ten years later, lilspikey made it real.

      http://www.psychicorigami.com/... [psychicorigami.com]

    • by Megol ( 3135005 )

      Was going to post that IrDA supported 4Mbps and wondered if I remembered that correctly -> wikipedia check -> realize that IrDA actually supports up to 1Gbps!

      Of course one can't bit-bang 4Mbps+ IrDA... Perhaps on those XMOS processors, they are designed for fast bit-banging.

    • by JD-1027 ( 726234 )
      1999-2000 I had two iMacs linked via built-in IrDA networking in my dorm room with my roommate. All out-of-the-box stuff built into the iMac.

      It was this model:
      https://en.wikipedia.org/wiki/... [wikipedia.org]

      Ah... old simple fun tech.
  • by StevenMaurer ( 115071 ) on Tuesday June 06, 2017 @09:47PM (#54565359) Homepage

    ...to be able to install my own firmware on a router that is on a secure network, then I can access the data on the secure network it is attached to?

    I would imagine if you could do all of that, and be nearby at the time as well, then you could access the secure network by other means.

    And all that assumes that data going across the secure network isn't all encrypted, which it typically is.

    • by AHuxley ( 892839 )
      It depends on the site. Tell the workers some nice fiction. Enter a remote site building at night with a door held open by a shift change, ask a cleaner for access due to a lost ID card once trusted in the "secure" building. Use the elevator to get to a floor that's "locked" to most people.
      The network might be the same as in the very, always secure main building in a city, state or nation.
      The network could be very secure but some on site hardware in an office on the same network could be trusted due to
  • by Anonymous Coward

    Upgrade your router...install systemd. It'll fuck it up so bad nothing will work.

    * INFO: Running install_ubuntu_check_services()
    * INFO: Running install_ubuntu_restart_daemons()
    Job for salt-minion.service failed because a configured resource limit was exceeded. See "systemctl status salt-minion.service" and "journalctl -xe" for details.
    start: Unable to connect to Upstart: Failed to connect to socket /com/ubuntu/upstart: Connection refused
    * ERROR: No init.d support for salt-minion w

  • Deja vu (Score:5, Informative)

    by ShaunC ( 203807 ) on Tuesday June 06, 2017 @10:21PM (#54565533)

    LED Lights: Friend or Foe? [slashdot.org] was posted here more than 15 years ago. Everything old is new again (except me, I guess).

  • Tom Cruise (Score:5, Funny)

    by Frosty Piss ( 770223 ) * on Tuesday June 06, 2017 @11:08PM (#54565763)

    The only realistic application of this "hack" is in a bad Tom Cruise movie.

    • by Lennie ( 16154 )

      Forget about the routers, etc. Actually, IoT lighting systems are perfect for real world attacks for getting data out of secure facilities.

  • Impractical but creative, I can dig it.

  • by pcjunky ( 517872 ) <walterp@cyberstreet.com> on Wednesday June 07, 2017 @12:01AM (#54566001) Homepage

    While this might be used as a plot device on Mr. Robot, I don't expect much to come of this.

  • If you are in a position where you can even see the enclosures, let alone the router LEDs, I have more fucking problems than this attack vector. Seriously, is there any real datacentre that would have any exposure to this ANYWHERE?
  • If you have rooted the router and are close enough for optical transfer (aka IrDA), would it then not be easier to just plug in a network cable?
    • Not if you want to sound like you came up with a really new and cool hacking technique to anyone without a clue.
