xLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs

Title: xLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Guri, M., Zadov, B., Daidakulov, A., Elovici, Y.
Conference Name: 2018 16th Annual Conference on Privacy, Security and Trust (PST)
Date Published: Aug. 2018
Publisher: IEEE
ISBN Number: 978-1-5386-7493-2
Keywords: Air gaps, air-gap, air-gapped network, bit rate 1.0 bit/s, bit rate 2000.0 bit/s, Cameras, composability, Computer crime, covert channel (key words), covert data exfiltration, covert-channel, Exfiltration, hermetic isolation, Human Behavior, Internet, invasive software, IT network, LAN routers, LAN switches, light emitting diodes, Local area networks, low-level control, malicious code, Malware, Metrics, Network, networking equipment, optical, Optical sensors, optical signals, Protocols, pubcrawl, remote cameras, resilience, Resiliency, router LED, security cameras, sensitive information, smart phones, smartphone cameras, status LED, switch LED, telecommunication security, transmission protocol, xLED
Abstract

An air-gapped network is a type of IT network that is physically separated from the Internet because of the sensitive information it stores. Even if such a network is compromised with malware, the hermetic isolation from the Internet prevents an attacker from leaking out any data, thanks to the lack of connectivity. In this paper we show how attackers can covertly leak sensitive data from air-gapped networks via the row of status LEDs on networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device (a 'side-channel'), malware controlling the status LEDs to carry arbitrary data (a 'covert-channel') has never been studied before. Sensitive data can be covertly encoded in the blinking of the LEDs and received by remote cameras and optical sensors. Malicious code executed in a compromised LAN switch or router gives the attacker direct, low-level control of the LEDs. We provide the technical background on the internal architecture of switches and routers at both the hardware and software level that enables these attacks. We present different modulation and encoding schemes, along with a transmission protocol. We implement prototypes of the malware and discuss its design and implementation. We tested various receivers, including remote cameras, security cameras, smartphone cameras, and optical sensors, and discuss detection and prevention countermeasures. Our experiments show that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 1 bit/sec to more than 2000 bit/sec per LED.

URL: https://ieeexplore.ieee.org/document/8514196
DOI: 10.1109/PST.2018.8514196
Citation Key: guriXLEDCovertData2018