Ethernet LEDs Can Be Used to Exfiltrate Data From Air-Gapped Systems

A researcher from the Ben-Gurion University of the Negev in Israel has published a paper describing a method that can be used to silently exfiltrate data from air-gapped systems using the LEDs of various types of networked devices.

The new attack has been dubbed ETHERLED and it relies on the LEDs attached to the integrated network interface controller (NIC) of devices such as PCs, servers, printers, network cameras, and embedded controllers.

An attack scenario assumes that the attacker has somehow managed to gain access to the targeted air-gapped device — via social engineering, malicious insiders or a supply chain attack — to plant a piece of malware that collects sensitive data and uses a covert channel to exfiltrate it to the attacker.

Researcher Mordechai Guri showed that an attacker could transmit sensitive information such as passwords, encryption keys and even text files by encoding and modulating them over optical signals that rely on the blinking patterns or blinking frequency of the Ethernet LEDs.

ETHERLED attack

The NIC typically has two LEDs: an activity LED that is usually green, and a status LED that changes between green and amber depending on the link speed. For example, the status LED can be amber for 1 Gb connections, green for 100 Mb connections, and off for 10 Mb connections.

There are several methods that can be used to control these LEDs, including via code that runs as a kernel driver or within the NIC firmware. This only works if the attacker has elevated privileges, but it also provides the highest level of control.

An attacker could also control the link status LED by using operating system commands to change the link speed of the Ethernet controller in order to cause the LED to turn green, amber or off. The attacker can also turn the status LED on or off by enabling or disabling the Ethernet interface.
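The link-status control method just described (renegotiating the link speed or toggling the interface with operating system commands) has a side effect a defender can watch for: every symbol sent this way is a link event the kernel logs. The following is an added example, not code from the article or from the paper. It parses constructed Linux-style NIC link messages (the exact driver message wording is an assumption for the demo), flags an interface whose link changes state more often than a threshold inside a short window, and counts speed renegotiations, which a normally connected host almost never produces.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines for the demo (not from the article). The layout
# imitates Linux NIC driver link messages, but the exact wording is an assumption.
SAMPLE_LOG = """\
2023-01-10T09:00:01 host kernel: e1000e eth0: NIC Link is Up 1000 Mbps Full Duplex
2023-01-10T09:00:02 host kernel: e1000e eth0: NIC Link is Down
2023-01-10T09:00:03 host kernel: e1000e eth0: NIC Link is Up 100 Mbps Full Duplex
2023-01-10T09:00:04 host kernel: e1000e eth0: NIC Link is Up 1000 Mbps Full Duplex
2023-01-10T09:00:05 host kernel: e1000e eth0: NIC Link is Down
2023-01-10T09:00:06 host kernel: e1000e eth0: NIC Link is Up 10 Mbps Full Duplex
2023-01-10T11:30:00 host kernel: e1000e eth1: NIC Link is Up 1000 Mbps Full Duplex
"""

LINK_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: \S+ (?P<iface>\w+): NIC Link is "
    r"(?P<state>Up|Down)(?: (?P<speed>\d+) Mbps)?"
)

def parse_link_events(log_text):
    """Return (timestamp, interface, state, speed_mbps) tuples; speed is 0 when the link is down."""
    events = []
    for line in log_text.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue  # unrelated kernel message
        speed = int(m.group("speed")) if m.group("speed") else 0
        events.append((datetime.fromisoformat(m.group("ts")), m.group("iface"),
                       m.group("state"), speed))
    return events

def detect_link_flapping(events, window_seconds=60, max_events=3):
    """Flag an interface whose link changed state more than max_events times inside any
    window_seconds-long sliding window. A legitimate link negotiates once; a modulated
    status LED needs one change per symbol. Returns {iface: (first_ts, alert_ts, count)}."""
    alerts = {}
    recent = defaultdict(deque)
    for ts, iface, _state, _speed in sorted(events):
        q = recent[iface]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop events that fell out of the window
        if len(q) > max_events and iface not in alerts:
            alerts[iface] = (q[0], ts, len(q))
    return alerts

def count_speed_changes(events):
    """Per interface, count 'Link is Up' events that renegotiated to a different speed than
    the previous Up event: the telltale of 1 Gb / 100 Mb / 10 Mb status-LED signalling."""
    changes = defaultdict(int)
    last_speed = {}
    for _ts, iface, state, speed in sorted(events):
        if state != "Up":
            continue
        if iface in last_speed and last_speed[iface] != speed:
            changes[iface] += 1
        last_speed[iface] = speed
    return dict(changes)

if __name__ == "__main__":
    evs = parse_link_events(SAMPLE_LOG)
    for iface, (first, last, n) in detect_link_flapping(evs).items():
        print(f"ALERT {iface}: {n} link changes between {first} and {last}")
    print("speed renegotiations:", count_speed_changes(evs))
```

The thresholds are deliberately loose; tune them to the host's own baseline, since a flaky cable can also flap. Note the limit of this check: the driver/firmware control method the article mentions drives the LEDs directly and does not renegotiate the link, so it leaves no such log trail, and physical measures (covering or disconnecting the LEDs on sensitive air-gapped equipment) remain the only control that covers both methods.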

In order to transmit the data, the attacker can use several types of modulation, including on-off keying (OOK), blink frequency, and color modulation.


When the OOK modulation is used, a ‘0’ bit is transmitted if the LED is turned off, and a ‘1’ bit is transmitted if the LED is turned on. When the blink frequency variant is used, the LED blinking at a certain frequency means ‘0’ and a different frequency means ‘1’. Also, each LED color can be used to encode a different bit — for example, green is ‘1’ and amber is ‘0’.

The transmitted data — that is, the blinking LEDs — can be recorded using various types of cameras. Experiments conducted by Guri showed that an HD webcam could record from up to 10 meters (32 feet), but a telescope could allow the attacker to capture the data from more than 100 meters (320 feet). A Samsung Galaxy phone’s camera can be used for distances of up to 30 meters (98 feet).

Etherled attack distance using various cameras

As for how quickly the data can be exfiltrated, it depends on the type of modulation that is used and the method used to control the LEDs. If the link status control is used with OOK and blink frequency modulation, only 1 bit/sec can be exfiltrated, but the maximum bit rate jumps to 100 bits/sec if the driver/firmware control method is used.

If driver/firmware control is used with two LED colors, a password can be exfiltrated in just one second and a Bitcoin private key in 2.5 seconds. A 1 Kb text file can be stolen in less than two minutes.
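To make the three encodings and the quoted bit rates concrete, here is an added simulation, not code from the article or from the paper, that serves both the modulation passage above and the timing figures just given. It models how a camera sampling the LED at an assumed 60 frames per second would see on-off keying, blink-frequency keying and color keying, decodes the sampled frames back to bits, and computes raw air time for a payload at a given channel rate. The frame rate, the two blink frequencies (5 Hz and 10 Hz), the symbol names and the sample payload are all assumptions chosen for the demo.

```python
# Added example: software model of the modulation schemes the article describes,
# sampled as a camera at FPS frames per second would see the LED. All parameters
# are demo assumptions, not values measured in the paper.
FPS = 60  # assumed receiver (camera) frame rate

def bits_from_bytes(data):
    """Big-endian bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def bytes_from_bits(bits):
    """Inverse of bits_from_bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)

# --- symbol keying: OOK (off/on) and color (amber/green) share one mechanism ---
OOK_SYMBOLS = ("off", "on")         # article: LED off = 0, LED on = 1
COLOR_SYMBOLS = ("amber", "green")  # article: amber = 0, green = 1

def symbol_encode(bits, symbols, bit_rate, fps=FPS):
    """Hold symbols[b] for one bit period of fps // bit_rate frames."""
    frames_per_bit = fps // bit_rate
    return [symbols[b] for b in bits for _ in range(frames_per_bit)]

def symbol_decode(frames, symbols, bit_rate, fps=FPS):
    """Majority vote over each bit period; frames with an unknown symbol count for neither bit."""
    frames_per_bit = fps // bit_rate
    bits = []
    for i in range(0, len(frames), frames_per_bit):
        period = frames[i:i + frames_per_bit]
        ones = sum(1 for f in period if f == symbols[1])
        zeros = sum(1 for f in period if f == symbols[0])
        bits.append(1 if ones >= zeros else 0)
    return bits

# --- blink-frequency keying: LED toggles at F0 Hz for a 0 bit, F1 Hz for a 1 bit ---
F0, F1 = 5, 10  # assumed blink frequencies in Hz; chosen so both divide FPS evenly

def frequency_encode(bits, bit_rate, fps=FPS):
    frames_per_bit = fps // bit_rate
    frames = []
    for b in bits:
        freq = F1 if b else F0
        for k in range(frames_per_bit):
            half_cycle = (k * 2 * freq) // fps   # which half-cycle frame k falls in
            frames.append(1 if half_cycle % 2 == 0 else 0)
    return frames

def frequency_decode(frames, bit_rate, fps=FPS):
    """Estimate the blink frequency in each bit period from its on/off transitions
    and pick whichever of F0 / F1 is nearer."""
    frames_per_bit = fps // bit_rate
    bits = []
    for i in range(0, len(frames), frames_per_bit):
        period = frames[i:i + frames_per_bit]
        transitions = sum(1 for a, b in zip(period, period[1:]) if a != b)
        est_hz = transitions / 2 / (len(period) / fps)  # two transitions per cycle
        bits.append(1 if abs(est_hz - F1) < abs(est_hz - F0) else 0)
    return bits

def seconds_to_transmit(n_bytes, bits_per_second):
    """Raw air time for a payload at a channel rate; assumes no framing or sync overhead."""
    return n_bytes * 8 / bits_per_second

if __name__ == "__main__":
    payload = b"hunter2"  # constructed sample secret
    bits = bits_from_bytes(payload)
    print("OOK   :", bytes_from_bits(symbol_decode(symbol_encode(bits, OOK_SYMBOLS, 10), OOK_SYMBOLS, 10)))
    print("color :", bytes_from_bits(symbol_decode(symbol_encode(bits, COLOR_SYMBOLS, 10), COLOR_SYMBOLS, 10)))
    print("freq  :", bytes_from_bits(frequency_decode(frequency_encode(bits, 1), 1)))
    for rate in (1, 100):  # the article's link-status and driver/firmware rates
        print(f"1024-byte file at {rate} bit/s: {seconds_to_transmit(1024, rate):.0f} s")
```

The round trip shows why the control method bounds the rate: blink-frequency keying needs several LED cycles per bit, so it cannot run faster than the mechanism that toggles the LED, and link renegotiation is far slower than a driver write. The air-time figure ignores synchronization and error-correction overhead, so it is a lower bound; at 100 bit/s a 1024-byte file comes out at about 82 seconds, consistent with the "less than two minutes" the article quotes.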

Etherled attack speed

This is not the first time a researcher from the Ben-Gurion University of the Negev has presented a way to covertly exfiltrate data from air-gapped networks. In past years, the university’s researchers showed how hackers could exfiltrate data using RAM-generated Wi-Fi signals, fan vibrations, heat emissions, HDD LEDs, infrared cameras, magnetic fields, power lines, router LEDs, scanners, screen brightness, USB devices, and noise from hard drives and fans.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
