Ethernet LEDs Can Be Used to Exfiltrate Data From Air-Gapped Systems

A researcher from the Ben-Gurion University of the Negev in Israel has published a paper describing a method that can be used to silently exfiltrate data from air-gapped systems using the LEDs of various types of networked devices.


The new attack has been dubbed ETHERLED and it relies on the LEDs attached to the integrated network interface controller (NIC) of devices such as PCs, servers, printers, network cameras, and embedded controllers.

An attack scenario assumes that the attacker has somehow managed to gain access to the targeted air-gapped device — via social engineering, malicious insiders or a supply chain attack — to plant a piece of malware that collects sensitive data and uses a covert channel to exfiltrate it to the attacker.

Researcher Mordechai Guri showed that an attacker could transmit sensitive information such as passwords, encryption keys and even text files by encoding and modulating them over optical signals that rely on the blinking patterns or blinking frequency of the Ethernet LEDs.


The NIC typically has two LEDs: an activity LED that is usually green and a status LED that changes between green and amber depending on the link speed. For example, the status LED can be amber for 1 Gb connections, green for 100 Mb connections and it can turn off for 10 Mb connections.

There are several methods that can be used to control these LEDs, including via code that runs as a kernel driver or within the NIC firmware. This only works if the attacker has elevated privileges, but it also provides the highest level of control.

An attacker could also control the link status LED by using operating system commands to change the link speed of the Ethernet controller in order to cause the LED to turn green, amber or off. The attacker can also turn the status LED on or off by enabling or disabling the Ethernet interface.
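The link-status control method described above leaves a host-side trace: every forced speed change or interface toggle is logged by the kernel as a link transition. The following detector is an added example, not code from the paper or the article; it assumes syslog-style kernel lines in a constructed format ("... kernel: <driver> <iface>: NIC Link is Up 1000 Mbps ..." / "... NIC Link is Down") and flags any interface whose link state changes far more often than a healthy network would explain.

```python
"""Flag NIC link flapping consistent with ETHERLED-style link-status signalling.

Added example (not from the paper or the article). The log format below is a
constructed approximation of Linux NIC driver messages; adjust LINE_RE to match
the real driver on the monitored host.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line shape: "<ISO timestamp> kernel: <driver> <iface>: NIC Link is Up <speed> Mbps ..." or "... is Down"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) kernel: \S+ (?P<iface>\S+): NIC Link is (?P<state>Up(?: (?P<speed>\d+) Mbps)?|Down)"
)

def parse_events(lines):
    """Return (timestamp, iface, state) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        state = m.group("state")
        if state.startswith("Up"):
            state = "Up" + (m.group("speed") or "")  # a speed change is a transition too
        events.append((datetime.fromisoformat(m.group("ts")), m.group("iface"), state))
    return events

def flapping_interfaces(events, window_s=60, max_transitions=5):
    """Map iface -> transition count for interfaces exceeding max_transitions in any window_s span."""
    by_iface = defaultdict(list)
    for ts, iface, state in sorted(events):
        seq = by_iface[iface]
        if not seq or seq[-1][1] != state:  # repeated identical reports are not transitions
            seq.append((ts, state))
    flagged = {}
    for iface, seq in by_iface.items():
        times = [t for t, _ in seq]
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i >= max_transitions:
                flagged[iface] = j - i
                break
    return flagged

# Constructed sample: eth0 toggles link state every second (signalling-like), eth1 is stable.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d} kernel: e1000e eth0: NIC Link is "
    + ("Down" if i % 2 == 0 else "Up 1000 Mbps Full Duplex") for i in range(8)
] + [
    "2024-05-01T10:00:00 kernel: igb eth1: NIC Link is Up 1000 Mbps Full Duplex",
    "2024-05-01T10:00:03 kernel: igb eth1: NIC Link is Up 1000 Mbps Full Duplex",
]

if __name__ == "__main__":
    print(flapping_interfaces(parse_events(SAMPLE_LOG)))  # eth0 flagged, eth1 not
```

Benign speed renegotiation is rare, so a threshold of a handful of transitions per minute is a reasonable starting point; tune it against the host's own baseline before alerting on it.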

In order to transmit the data, the attacker can use several types of modulation, including on-off keying (OOK), blink frequency, and color modulation.

When the OOK modulation is used, a ‘0’ bit is transmitted if the LED is turned off, and a ‘1’ bit is transmitted if the LED is turned on. When the blink frequency variant is used, the LED blinking at a certain frequency means ‘0’ and a different frequency means ‘1’. Also, each LED color can be used to encode a different bit — for example, green is ‘1’ and amber is ‘0’.

The transmitted data — that is, the blinking LEDs — can be recorded using various types of cameras. Experiments conducted by Guri showed that an HD webcam could record from up to 10 meters (32 feet), but a telescope could allow the attacker to capture the data from more than 100 meters (320 feet). A Samsung Galaxy phone’s camera can be used for distances of up to 30 meters (98 feet).

Figure: ETHERLED attack distance using various cameras

As for how quickly the data can be exfiltrated, it depends on the type of modulation that is used and the method used to control the LEDs. If the link status control is used with OOK and blink frequency modulation, only 1 bit/sec can be exfiltrated, but the maximum bit rate jumps to 100 bits/sec if the driver/firmware control method is used.

If driver/firmware control is used with two LED colors, a password can be exfiltrated in just one second and a Bitcoin private key in 2.5 seconds. A 1 Kb text file can be stolen in less than two minutes.

Figure: ETHERLED attack speed

This is not the first time a researcher from the Ben-Gurion University of the Negev has presented a way to covertly exfiltrate data from air-gapped networks. In past years, the university’s researchers showed how hackers could exfiltrate data using RAM-generated Wi-Fi signals, fan vibrations, heat emissions, HDD LEDs, infrared cameras, magnetic fields, power lines, router LEDs, scanners, screen brightness, USB devices, and noise from hard drives and fans.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
