Malware Uses Router LEDs To Steal Data From Secure Networks (bleepingcomputer.com)
An anonymous reader writes: Researchers from the Ben-Gurion University of the Negev in Israel have developed malware that when installed on a router or a switch can take control over the device's LEDs and use them to transmit data in a binary format to a nearby attacker, who can capture it using simple video recording equipment. The attack is similar to the LED-it-GO attack developed by the same team, which uses a hard drive's blinking LED to steal data from air-gapped computers. Because routers and switches have many more LEDs than a hard drive, this attack scenario is much more efficient, as it can transmit data at about the same speed, but multiplied by the number of ports/LEDs. Researchers say they were able to steal data by 1000 bits/ per LED, making this the most efficient attack known to date. The attack worked best when coupled with optical sensors, which are capable of sampling LED signals at high rates, enabling data reception at a higher bandwidth than other typical video recording equipment. A video of the attack is available here.
Re: (Score:2, Interesting)
There's a piece of electrical tape over my router LEDs so I can sleep...
Re: (Score:3)
Yep, just like the check engine light in the dashboard of my car. Problem solved!
Re: (Score:2)
Or some duct tape.
Not an "attack" (Score:2, Insightful)
It's not an attack. It's a sidechannel communication mechanism, and the optical sensors needed to pick it up are going to be pretty damn obvious sitting on the floor of a datacenter.
Re: (Score:2)
in that case you would just lose some transmit speed... this is fucking stupid. it's a custom firmware for a router that sends stuff out over the LED. it's fucking stupid and COULD HAVE BEEN FUCKING MADE 17 YEARS AGO.
like, it doesn't prove anything. it just proves that you could do something that you already knew that could be done.
Re: (Score:2)
hardware randomize the time the LEDs stay on... Either an LFSR or a noise source hooked up to a comparator. That'll slow things down tremendously.
Or we could just stop using LEDs for every damn indicator on devices like this.
This is why I own electrical tape.
Re: good grief (Score:2)
Depends on the frequency of the signal and size of the capacitor and probably needs a resistor too but it would also add size and cost. You'd still be able to do some data exchange, you'd just have to tune it to the speed of the RC network.
Re: (Score:2)
The downside being that it can't be done by the manufacturer unless they use low-spec parts so there is significant variation in response time between individual devices.
Re: (Score:2)
Then send 1 bit per second. Across the entire router, this could still be easily 10-20 bits/s and even 1 bit/s is plenty to extract information like encryption keys. As long as I can modulate the behavior of the LEDs, I can send data. The reason I can modulate the LEDs in the first place is so the system doesn't need the extra circuitry to detect packets moving on the network, just wire it directly to the CPU and let it handle the blinking.
You can avoid these attacks by directly attaching the LED via a cir
Yeah, you need to add a resistor and a capacitor to the data line, and you'd only decrease, not prevent the flickering which carries the signal. So, small benefit. Personally, I'd put the black boxes into an opaque cabinet. Problem eliminated. If
Re: (Score:2)
Soldering components into everything with an LED is not something I'd want to do, but if manufacturers put in caps with wide variations in capacitance - instead of buying parts that deviate from the expected values by .001%, they vary by 10% - then the frequency of the flicker would be too unpredictable to be exploited.
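An added simulation (my own code, not from any poster in this thread) of the RC-smoothing countermeasure argued over in the replies above: it drives an on-off keyed LED signal through a first-order RC low-pass and reports how much level separation a receiver sampling once per bit still sees, including across the part tolerance just mentioned. The bit rate, sample rate, time constant and tolerance are assumed values, not figures from the thread.

```python
# Added example, not code from the article or any commenter. Models an LED drive
# line smoothed by an RC low-pass and measures the receiver's "eye opening":
# the smallest level seen for a 1 bit minus the largest level seen for a 0 bit.
# A positive opening means the bits are still separable; <= 0 means the filter
# has closed the channel at that bit rate.

def ook_waveform(bits, bit_rate, sample_rate):
    """Rectangular on-off keyed drive signal (1.0 = LED on, 0.0 = off)."""
    per_bit = int(sample_rate // bit_rate)
    assert per_bit >= 1, "sample_rate must be at least bit_rate"
    return [float(b) for b in bits for _ in range(per_bit)]

def rc_lowpass(samples, sample_rate, tau):
    """First-order RC filter: v[n] = v[n-1] + alpha*(x[n]-v[n-1]), alpha = dt/(tau+dt)."""
    dt = 1.0 / sample_rate
    alpha = dt / (tau + dt)
    v, out = 0.0, []
    for x in samples:
        v += alpha * (x - v)
        out.append(v)
    return out

def eye_opening(bits, bit_rate, sample_rate, tau):
    """Separation between 1s and 0s when the receiver samples at the end of each bit."""
    filtered = rc_lowpass(ook_waveform(bits, bit_rate, sample_rate), sample_rate, tau)
    per_bit = int(sample_rate // bit_rate)
    ones, zeros = [], []
    for i, b in enumerate(bits):
        level = filtered[(i + 1) * per_bit - 1]
        (ones if b else zeros).append(level)
    return min(ones) - max(zeros)

def worst_eye_across_tolerance(bits, bit_rate, sample_rate, tau, tol):
    """Worst-case opening when the capacitor is off nominal by +/- tol (e.g. 0.10 = 10%)."""
    return min(eye_opening(bits, bit_rate, sample_rate, tau * (1 - tol)),
               eye_opening(bits, bit_rate, sample_rate, tau * (1 + tol)))

# Constructed bit pattern mixing isolated and repeated bits (a harsh case for an RC filter).
PATTERN = [1, 0, 1, 0, 1, 1, 0, 0]

if __name__ == "__main__":
    # Assumed 10 ms time constant: closes a 1000 bit/s channel, leaves 1 bit/s wide open.
    print("1000 bit/s, tau=10ms:", round(eye_opening(PATTERN, 1000, 100_000, 0.01), 3))
    print("   1 bit/s, tau=10ms:", round(eye_opening(PATTERN, 1, 1_000, 0.01), 3))
    print("   1 bit/s, 10% parts:", round(worst_eye_across_tolerance(PATTERN, 1, 1_000, 0.01, 0.10), 3))
```

The slow-bit case is the point made above: the filter only lowers the usable rate, a sender willing to go slow still gets through, and part-to-part variation barely moves the result at that speed.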
security of routers (Score:5, Insightful)
If your routers are insecure enough that someone can sneak in, reprogram them to flash their LEDs and install sensors to pick up the flashing LEDs, you have bigger issues.
Re: (Score:2)
For your basic "router is what turns the cable into wifi, right?" network setup, sure, this is absurdly perverse: you own the router, just use their own internet connection for whate
Re: (Score:2)
It seems to me like it's most plausibly useful in a context where you have owned the surveillance network and can point a camera at a router. But then you're limited to whatever data transmission rate you can manage given the limitations of the environment. However, what if you used many pieces of equipment in the DC, and many cameras?
Re: (Score:2)
I can think of a far more efficient way to exfiltrate data from a network: write a program to generate 2D color bitmaps and display them onscreen to photograph them.
If you're using remote desktop and can do screen captures, you can literally pack up to 24 bits into every single pixel on the screen.
Worst-case, with a high-end Android phone's ~12 megapixel camera photographing the screen, you could pack at least 8 bits into every 4x4 pixel square (2x2 of color, separated from adjacent data blocks by 2 pixels
Re: (Score:2)
And, I'll be glad to sell you a $1000 piece of opaque tape to put over the LEDs to obviate the attack. Maybe I'll write a formal paper about the method, which will then become a
Re:security of routers (Score:5, Interesting)
If your routers are insecure enough that someone can sneak in, reprogram them to flash their LEDs and install sensors to pick up the flashing LEDs, you have bigger issues.
Lots of companies colocate in "secure" datacenters where their equipment cages are walled off by nothing more than chain link fences with equipment stacked in bare racks, plainly visible to anyone walking by.
If you can find a software vulnerability and hack into one of their switches/routers, you can use this technique to extract data from their network without tripping any IDS sensors -- all you need to do is rent a neighboring cage and point a camera at the switches.
The company across the courtyard from us has a big stack of network switches facing the window. Same problem - get someone to infect their network from within (through, say, a compromised USB key) and you can send data all day long over the lights without anyone noticing any unusual outbound traffic.
Re: (Score:2)
If you can find a software vulnerability and hack into one of their switches/routers, you can use this technique to extract data from their network without tripping any IDS sensors
I'm curious to learn about this IDS that can catch traffic from compromised network hardware but can't catch the act of compromising network hardware. This is an impractical POC for anything but the most outlandish spy movies. There are far easier ways to exfiltrate data.
Re: (Score:2)
If you have a lot of time, you can easily blink a network LED without most IDSes detecting it by simply bringing the link up and down. It's a slow process since it takes several seconds for the LED to react, but if you have enough machines
Re: (Score:2)
I can't think of anything noisier and more disruptive than one or more NICs constantly going up and down.
Re: (Score:2)
If you can find a software vulnerability and hack into one of their switches/routers, you can use this technique to extract data from their network without tripping any IDS sensors
I'm curious to learn about this IDS that can catch traffic from compromised network hardware but can't catch the act of compromising network hardware. This is an impractical POC for anything but the most outlandish spy movies. There are far easier ways to exfiltrate data.
"Hey guys, we just had a huge DoS traffic flood - overwhelmed our IDS for a few minutes, but everything looks good now. Looks like it made one of our core switches reboot. Weird. But everything is back online now, IDS isn't reporting anything unusual so at least we can be certain there's no data leak!"
Re: (Score:2)
There are far easier ways to exfiltrate data.
You mean like print out secured documents, fold them up, stick them in a pocket, and walk out the door? It sounds like that is what Reality Winner did.
Re: security of routers (Score:1)
don't need to sneak in.
just install it at the factory or just before it's delivered and hack the cameras securing the datacenter.
Re: security of routers (Score:1)
or better still.
hack the website providing firmware updates.
1000 bits/ per LED? (Score:2)
Is that like making the Kessel Run in 12 parsecs?
Re: (Score:1)
The 1000 bps was based on having a high-speed optical sensor. A regular LED can just manage turning off and on and communicating at 1000 bps to an optical sensor.
Against a camera, the number will be somewhere between 30 bps and 240 bps. The issue is that the camera has a shutter speed. (It might not have a physical shutter, but it will have the electronic equivalent.) Often this results in a series of 1(ms) stills taken at 30 or 60 frames per second. Even with a PWM variable brightness algorithm, for
Re: (Score:2)
Depends on how the LED is connected to the rest of the hardware. If the LED is connected to a GPIO pin on a microcontroller 1Mbps+ is easy to do (depends on the LED color and construction AFAIK).
Re: (Score:2)
Parsec is distance.
Re: (Score:2)
So, you own a router enough to send data via its lights to some other dude who can interpret your signals. Why the fuck don't u just tap it at that point? This is an overly complicated exfiltration method that has zero chance of ever mattering. I'm glad some money somewhere got spent for this idiocy
Because the owner of the data is watching for unusual network activity, but not for unusual blinky lights.
1000 bits/ per LED (Score:1)
Come on editors.
Assuming video recording at 30 frames a second, each bit requiring at least 2 frames, I'm guessing it's around 1000 bits/minute.
inb4 (Score:2)
entire room wrapped in tape
Secure network? (Score:1)
Wireless by definition makes the network insecure...
Almost old school (Score:5, Informative)
Back in the Before Times; you could get serial modems that did DES (maybe 3DES? my memory grows fuzzy) in hardware, to allow systems without built in line security measures to be run over phone lines (ATMs, that sort of thing). It was cleartext on the RS-232 link between the device and the modem; but that was supposed to be physically secured inside the chassis; then encrypted between the modems on each end of the line; and decrypted at the far end, presumably in a secure location.
Some designs, whether out of lack of imagination, incompetence, or sneaky malice, had LEDs that were more or less directly tied to the cleartext serial input; and the LEDs and drive circuitry were quite capable of blinking at the rates of at least the slower serial links; so you could read the unencrypted serial traffic right off the fancy 'secure' modem's blinkenlights (at a fair distance, with magnification).
This study tested ethernet gear as well; but found that (if unmodified) it was of relatively limited use: data rates were far too high for LEDs to be driven directly by high/low values in the data stream; and instead blinked in ways only indirectly associated with traffic activity, mostly for diagnostic convenience.
This new one requires that the system be maliciously modified, so it lacks the charm of the original; but takes advantage of the fact that indicator LEDs can still blink pretty fast (and some are GPIO controlled) so they can still be shoved into transmitting information; but now you have to handle that yourself, rather than having the vendor do it for you.
Bits per LEDsecond (Score:2)
I think "bits per LEDsecond" is the funniest unit I've seen in a long damned time. "This exploit grabs data at 1000 bits/LED*s"
IrDA (Score:5, Informative)
What do you think IrDA is (was)? Same thing using infrared LEDs is all. It supported up to 115.2 kbit/s, and that's just on one "channel" (LED). Back in 2004 I bitbanged IrDA with a micro-controller in a homebrew PS1 controller adapter that allowed me to use the controller with a Pocket PC. It was one-way communication, because the controller just needed to communicate button presses to the Pocket PC. It worked quite well. Anyway, assuming there is a relatively low-level access for toggling the LEDs on or off on a [insert device name here], such a method of transmitting data is patently obvious...
The "scary" thing is that communications of this sort are far beyond the refresh rate of the human eye, and so the end result is that the LED simply looks about half the normal brightness and does not appear to pulsate or anything.
Re: (Score:2)
Cryptonomicon (1999) by Neal Stephenson had a scene where a guy was being asked to crunch data (on pain of death) to get the location of buried treasure, and so had to first make a program that obfuscated his screen output to display a bogus location and to blink out the real coordinates to his capslock light in Morse code.
Ten years later, lilspikey made it real.
http://www.psychicorigami.com/... [psychicorigami.com]
Re: (Score:2)
Was going to post that IrDA supported 4Mbps and wondered if I remembered that correctly -> wikipedia check -> realize that IrDA actually supports up to 1Gbps!
Of course one can't bit-bang 4Mbps+ IrDA... Perhaps on those XMOS processors, they are designed for fast bit-banging.
Re: (Score:2)
It was this model:
https://en.wikipedia.org/wiki/... [wikipedia.org]
Ah... old simple fun tech.
So if I get physical access... (Score:5, Insightful)
...to be able to install my own firmware on a router that is on a secure network, then I can access the data on the secure network it is attached to?
I would imagine if you could do all of that, and be nearby at the time as well, then you could access the secure network by other means.
And all that assumes that data going across the secure network isn't all encrypted, which it typically is.
Re: (Score:2)
The network might be the same as in the very, always secure main building in a city, state or nation.
The network could be very secure but some on site hardware in an office on the same network could be trusted due to
Re: (Score:2)
look, it's something that doesn't even need a paper. you can explain the concept in 1 sentence so that a programmer knows that it can be done (but is stupid).
Upgrade your router... (Score:1)
Upgrade your router...install systemd. It'll fuck it up so bad nothing will work.
* INFO: Running install_ubuntu_check_services() /com/ubuntu/upstart: Connection refused
* INFO: Running install_ubuntu_restart_daemons()
Job for salt-minion.service failed because a configured resource limit was exceeded. See "systemctl status salt-minion.service" and "journalctl -xe" for details.
start: Unable to connect to Upstart: Failed to connect to socket
* ERROR: No init.d support for salt-minion w
Deja vu (Score:5, Informative)
LED Lights: Friend or Foe? [slashdot.org] was posted here more than 15 years ago. Everything old is new again (except me, I guess).
Re: (Score:2)
At least as interesting is the 85% decline in comments. Has Netcraft declared /. dead yet?
Tom Cruise (Score:5, Funny)
The only realistic application of this "hack" is in a bad Tom Cruise movie.
Re: (Score:2)
Forget about the routers, etc. Actually, IoT lighting systems are perfect for real world attacks for getting data out of secure facilities.
Nice movie plot but.... (Score:3)
While this might be used as a plot device on Mr. Robot, I don't expect much to come of this.
fucking stupid (Score:2)
Re: (Score:1)
Same thought, what kind of rate is that?