XLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs

Mordechai Gur; Boris Zadov; Andrey Daidakulov; Yuval Elovici

doi:10.1109/PST.2018.8514196

XLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs

Mordechai Gur, Boris Zadov, Andrey Daidakulov, Yuval Elovici

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

28 Scopus citations

Abstract

An air-gapped network is a type of IT network that is separated from the Internet - physically - due to the sensitive information it stores. Even if such a network is compromised with a malware, the hermetic isolation from the Internet prevents an attacker from leaking out any data - thanks to the lack of connectivity. In this paper we show how attackers can covertly leak sensitive data from air-gapped networks via the row of status LEDs on networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), malware controlling the status LEDs to carry any type of data ('covert-channel') has never studied before. Sensitive data can be covertly encoded over the blinking of the LEDs and received by remote cameras and optical sensors. A malicious code is executed in a compromised LAN switch or router allowing the attacker direct, low-level control of the LEDs. We provide the technical background on the internal architecture of switches and routers at both the hardware and software level which enables these attacks. We present different modulation and encoding schemas, along with a transmission protocol. We implement prototypes of the malware and discuss its design and implementation. We tested various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and discuss detection and prevention countermeasures. Our experiments show that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 1 bit/sec to more than 2000 bit/sec per LED.

Original language	English
Title of host publication	2018 16th Annual Conference on Privacy, Security and Trust, PST 2018
Editors	Robert H. Deng, Stephen Marsh, Jason Nurse, Rongxing Lu, Sakir Sezer, Paul Miller, Liqun Chen, Kieran McLaughlin, Ali Ghorbani
Publisher	Institute of Electrical and Electronics Engineers
ISBN (Electronic)	9781538674932
DOIs	https://doi.org/10.1109/PST.2018.8514196
State	Published - 29 Oct 2018
Event	16th Annual Conference on Privacy, Security and Trust, PST 2018 - Belfast, Northern Ireland, United Kingdom Duration: 28 Aug 2018 → 30 Aug 2018

Publication series

Name	2018 16th Annual Conference on Privacy, Security and Trust, PST 2018

Conference

Conference	16th Annual Conference on Privacy, Security and Trust, PST 2018
Country/Territory	United Kingdom
City	Belfast, Northern Ireland
Period	28/08/18 → 30/08/18

Keywords

Ezfiltration; air-gap; network; optical; covert channel (key words)

ASJC Scopus subject areas

Computer Networks and Communications
Information Systems and Management
Safety, Risk, Reliability and Quality

Access to Document

10.1109/PST.2018.8514196

Cite this

Gur, M., Zadov, B., Daidakulov, A., & Elovici, Y. (2018). XLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs. In R. H. Deng, S. Marsh, J. Nurse, R. Lu, S. Sezer, P. Miller, L. Chen, K. McLaughlin, & A. Ghorbani (Eds.), 2018 16th Annual Conference on Privacy, Security and Trust, PST 2018 [8514196] (2018 16th Annual Conference on Privacy, Security and Trust, PST 2018). Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/PST.2018.8514196

Gur, Mordechai ; Zadov, Boris ; Daidakulov, Andrey et al. / XLED : Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs. 2018 16th Annual Conference on Privacy, Security and Trust, PST 2018. editor / Robert H. Deng ; Stephen Marsh ; Jason Nurse ; Rongxing Lu ; Sakir Sezer ; Paul Miller ; Liqun Chen ; Kieran McLaughlin ; Ali Ghorbani. Institute of Electrical and Electronics Engineers, 2018. (2018 16th Annual Conference on Privacy, Security and Trust, PST 2018).

@inproceedings{392b586767c54eb4b30f5ccaa342c6a1,

title = "XLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs",

abstract = "An air-gapped network is a type of IT network that is separated from the Internet - physically - due to the sensitive information it stores. Even if such a network is compromised with a malware, the hermetic isolation from the Internet prevents an attacker from leaking out any data - thanks to the lack of connectivity. In this paper we show how attackers can covertly leak sensitive data from air-gapped networks via the row of status LEDs on networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), malware controlling the status LEDs to carry any type of data ('covert-channel') has never studied before. Sensitive data can be covertly encoded over the blinking of the LEDs and received by remote cameras and optical sensors. A malicious code is executed in a compromised LAN switch or router allowing the attacker direct, low-level control of the LEDs. We provide the technical background on the internal architecture of switches and routers at both the hardware and software level which enables these attacks. We present different modulation and encoding schemas, along with a transmission protocol. We implement prototypes of the malware and discuss its design and implementation. We tested various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and discuss detection and prevention countermeasures. Our experiments show that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 1 bit/sec to more than 2000 bit/sec per LED.",

keywords = "Ezfiltration; air-gap; network; optical; covert channel (key words)",

author = "Mordechai Gur and Boris Zadov and Andrey Daidakulov and Yuval Elovici",

note = "Publisher Copyright: {\textcopyright} 2018 IEEE.; 16th Annual Conference on Privacy, Security and Trust, PST 2018 ; Conference date: 28-08-2018 Through 30-08-2018",

year = "2018",

month = oct,

day = "29",

doi = "10.1109/PST.2018.8514196",

language = "English",

series = "2018 16th Annual Conference on Privacy, Security and Trust, PST 2018",

publisher = "Institute of Electrical and Electronics Engineers",

editor = "Deng, {Robert H.} and Stephen Marsh and Jason Nurse and Rongxing Lu and Sakir Sezer and Paul Miller and Liqun Chen and Kieran McLaughlin and Ali Ghorbani",

booktitle = "2018 16th Annual Conference on Privacy, Security and Trust, PST 2018",

address = "United States",

}

Gur, M, Zadov, B, Daidakulov, A & Elovici, Y 2018, XLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs. in RH Deng, S Marsh, J Nurse, R Lu, S Sezer, P Miller, L Chen, K McLaughlin & A Ghorbani (eds), 2018 16th Annual Conference on Privacy, Security and Trust, PST 2018., 8514196, 2018 16th Annual Conference on Privacy, Security and Trust, PST 2018, Institute of Electrical and Electronics Engineers, 16th Annual Conference on Privacy, Security and Trust, PST 2018, Belfast, Northern Ireland, United Kingdom, 28/08/18. https://doi.org/10.1109/PST.2018.8514196

XLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs. / Gur, Mordechai; Zadov, Boris; Daidakulov, Andrey et al.
2018 16th Annual Conference on Privacy, Security and Trust, PST 2018. ed. / Robert H. Deng; Stephen Marsh; Jason Nurse; Rongxing Lu; Sakir Sezer; Paul Miller; Liqun Chen; Kieran McLaughlin; Ali Ghorbani. Institute of Electrical and Electronics Engineers, 2018. 8514196 (2018 16th Annual Conference on Privacy, Security and Trust, PST 2018).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - XLED

T2 - 16th Annual Conference on Privacy, Security and Trust, PST 2018

AU - Gur, Mordechai

AU - Zadov, Boris

AU - Daidakulov, Andrey

AU - Elovici, Yuval

PY - 2018/10/29

Y1 - 2018/10/29

N2 - An air-gapped network is a type of IT network that is separated from the Internet - physically - due to the sensitive information it stores. Even if such a network is compromised with a malware, the hermetic isolation from the Internet prevents an attacker from leaking out any data - thanks to the lack of connectivity. In this paper we show how attackers can covertly leak sensitive data from air-gapped networks via the row of status LEDs on networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), malware controlling the status LEDs to carry any type of data ('covert-channel') has never studied before. Sensitive data can be covertly encoded over the blinking of the LEDs and received by remote cameras and optical sensors. A malicious code is executed in a compromised LAN switch or router allowing the attacker direct, low-level control of the LEDs. We provide the technical background on the internal architecture of switches and routers at both the hardware and software level which enables these attacks. We present different modulation and encoding schemas, along with a transmission protocol. We implement prototypes of the malware and discuss its design and implementation. We tested various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and discuss detection and prevention countermeasures. Our experiments show that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 1 bit/sec to more than 2000 bit/sec per LED.

AB - An air-gapped network is a type of IT network that is separated from the Internet - physically - due to the sensitive information it stores. Even if such a network is compromised with a malware, the hermetic isolation from the Internet prevents an attacker from leaking out any data - thanks to the lack of connectivity. In this paper we show how attackers can covertly leak sensitive data from air-gapped networks via the row of status LEDs on networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), malware controlling the status LEDs to carry any type of data ('covert-channel') has never studied before. Sensitive data can be covertly encoded over the blinking of the LEDs and received by remote cameras and optical sensors. A malicious code is executed in a compromised LAN switch or router allowing the attacker direct, low-level control of the LEDs. We provide the technical background on the internal architecture of switches and routers at both the hardware and software level which enables these attacks. We present different modulation and encoding schemas, along with a transmission protocol. We implement prototypes of the malware and discuss its design and implementation. We tested various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and discuss detection and prevention countermeasures. Our experiments show that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 1 bit/sec to more than 2000 bit/sec per LED.

KW - Ezfiltration; air-gap; network; optical; covert channel (key words)

UR - http://www.scopus.com/inward/record.url?scp=85063189632&partnerID=8YFLogxK

U2 - 10.1109/PST.2018.8514196

DO - 10.1109/PST.2018.8514196

M3 - Conference contribution

AN - SCOPUS:85063189632

T3 - 2018 16th Annual Conference on Privacy, Security and Trust, PST 2018

BT - 2018 16th Annual Conference on Privacy, Security and Trust, PST 2018

A2 - Deng, Robert H.

A2 - Marsh, Stephen

A2 - Nurse, Jason

A2 - Lu, Rongxing

A2 - Sezer, Sakir

A2 - Miller, Paul

A2 - Chen, Liqun

A2 - McLaughlin, Kieran

A2 - Ghorbani, Ali

PB - Institute of Electrical and Electronics Engineers

Y2 - 28 August 2018 through 30 August 2018

ER -

Gur M, Zadov B, Daidakulov A, Elovici Y. XLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs. In Deng RH, Marsh S, Nurse J, Lu R, Sezer S, Miller P, Chen L, McLaughlin K, Ghorbani A, editors, 2018 16th Annual Conference on Privacy, Security and Trust, PST 2018. Institute of Electrical and Electronics Engineers. 2018. 8514196. (2018 16th Annual Conference on Privacy, Security and Trust, PST 2018). doi: 10.1109/PST.2018.8514196

XLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this