xLED Malware Steals Secure Data Using Router LEDs

A newly discovered malware developed specifically for routers or a network switch has the ability to take over the compromised devices’ LEDs to use them to transmit data in binary to a nearby attacker or recording camera.

A new report by Bleeping Computer puts the spotlight on xLED, an entirely bizarre but ingenious malware that steals data from secure networks before transmitting it by flashing the device’s LEDs.

The exploit is created by a team of cybersecurity researchers in Israel, making it the work of white-hat hackers.

Titled xLED, the malware was developed and named by the team of researchers and tasked to intercept specific data passing through the router. From there, on in, the malware breaks down the data into its binary format, with the LED turned on representing binary “1” and the blank LED showing to be a binary “0”. This would be visible to an attacker, be it a company insider or recording equipment like CCTV cameras or camera-mounted drones.

The researchers claim that they tested a number of recording configurations including optical sensors, smartphone cameras, wearable or hidden cameras, CCTV cameras and more.  The best results were achieved through optical sensors, according to researchers. This is because they are particularly capable of sampling LED signals at high frame-capture rates, exfiltrating data at a rate of over 1000 bits/sec for every LED. A typical modern router has at least 5 LEDs, which allows the speed of exfiltrating data see a significant increase.

In a published research paper, researchers wrote:

Optical sensors are used to measure the light levels and can be sampled at very high rates, hence allowing reception of data at a higher bit rate than standard cameras.

A demonstration of the malware compromising a TP-Link router can be found below:

The biggest hurdle for the attacker would be installing the malware in the targeted router in the first place.

Image credit: Flickr.