Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Router LEDs Allow Data Theft From Air-Gapped Computers

The status LEDs present on networking equipment such as routers and switches can be abused to exfiltrate sensitive data from air-gapped systems at relatively high bit rates, researchers have demonstrated.

The status LEDs present on networking equipment such as routers and switches can be abused to exfiltrate sensitive data from air-gapped systems at relatively high bit rates, researchers have demonstrated.

A paper published this week by the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel shows how data can be transferred from an air-gapped computer by modulating it using the blinking of a router’s LEDs.

The attack can be carried out either by planting malicious firmware on the targeted router or remotely using a software exploit. The firmware attack may be more difficult to carry out as the router needs to be infected either via the supply chain or social engineering, but the software attack could be easier to conduct given that many devices are affected by remotely exploitable vulnerabilities.

Once the targeted router or switch has been compromised, the attacker can take control of how the LEDs blink. Then, using various data modulation methods, each LED or a combination of LEDs can be used to transmit data to a receiver, which can be a camera or a light sensor.

For example, a “0” bit is transmitted if an LED is off for a specified duration, and a “1” bit is sent if the LED is on for a specified duration. Logical “0” or “1” bits can also be modulated through changes in frequency. In the case of devices that have multiple LEDs, the attacker can use the blinking lights to represent a series of bits, which results in a higher transfer rate.

According to researchers, the method can be used to exfiltrate data at a rate of up to 1,000 bits per second per LED, which is more than enough for stealing passwords and encryption keys. On a networking device with seven LEDs, experts managed to obtain a transfer rate of 10,000 bits per second, or roughly 1 kilobyte per second.

However, the transfer rate also depends on the receiver. For example, if an entry-level DSLR camera is used to capture video of the blinking LEDs, the maximum bit rate that can be achieved at 60 frames per second is 15 bits per second for each LED. The attacker could also use a smartphone camera and obtain a transfer rate of up to 60 bits per second.

The most efficient camera is a GoPro Hero5, which can record at up to 240 frames per second, resulting in a maximum bit rate of up to 120 bits per second for each LED. On the other hand, the best transfer rate can be achieved using a light sensor as the receiver.

In the past years, researchers at the Ben-Gurion University of the Negev have identified several methods that can be used to exfiltrate data from air-gapped systems, including via scannersHDD activity LEDs, USB devices, the noise emitted by hard drives and fans, and heat emissions.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...