XLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs

Mordechai Gur, Boris Zadov, Andrey Daidakulov, Yuval Elovici

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

34 Scopus citations


An air-gapped network is a type of IT network that is separated from the Internet - physically - due to the sensitive information it stores. Even if such a network is compromised with a malware, the hermetic isolation from the Internet prevents an attacker from leaking out any data - thanks to the lack of connectivity. In this paper we show how attackers can covertly leak sensitive data from air-gapped networks via the row of status LEDs on networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), malware controlling the status LEDs to carry any type of data ('covert-channel') has never studied before. Sensitive data can be covertly encoded over the blinking of the LEDs and received by remote cameras and optical sensors. A malicious code is executed in a compromised LAN switch or router allowing the attacker direct, low-level control of the LEDs. We provide the technical background on the internal architecture of switches and routers at both the hardware and software level which enables these attacks. We present different modulation and encoding schemas, along with a transmission protocol. We implement prototypes of the malware and discuss its design and implementation. We tested various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and discuss detection and prevention countermeasures. Our experiments show that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 1 bit/sec to more than 2000 bit/sec per LED.

Original languageEnglish
Title of host publication16th Annual Conference on Privacy, Security and Trust, PST 2018
EditorsRobert H. Deng, Stephen Marsh, Jason Nurse, Rongxing Lu, Sakir Sezer, Paul Miller, Liqun Chen, Kieran McLaughlin, Ali Ghorbani
PublisherInstitute of Electrical and Electronics Engineers
ISBN (Electronic)9781538674932
StatePublished - 29 Oct 2018
Event16th Annual Conference on Privacy, Security and Trust, PST 2018 - Belfast, Northern Ireland, United Kingdom
Duration: 28 Aug 201830 Aug 2018


Conference16th Annual Conference on Privacy, Security and Trust, PST 2018
Country/TerritoryUnited Kingdom
CityBelfast, Northern Ireland


  • Ezfiltration; air-gap; network; optical; covert channel (key words)

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality


Dive into the research topics of 'XLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs'. Together they form a unique fingerprint.

Cite this