ETHERLED: Air-gapped systems leak data via network card LEDs

Israeli researcher Mordechai Guri has discovered a new method to exfiltrate data from air-gapped systems using the LED indicators on network cards. Dubbed ‘ETHERLED’, the method turns the blinking lights into Morse code signals that can be decoded by an attacker.

Capturing the signals requires a camera with a direct line of sight to LED lights on the air-gapped computer’s card. These can be translated into binary data to steal information.

ETHERLED attack diagram (arxiv.org)

Air-gapped systems are computers typically found in highly-sensitive environments (e.g. critical infrastructure, weapon control units) that are isolated from the public internet for security reasons.

However, these systems work in air-gapped networks and still use a network card. If an intruder infects them with specially crafted malware, they could replace the card driver with a version that modifies the LED color and blinking frequency to send waves of encoded data, Mordechai Guri has found.

The ETHERLED method can work with other peripherals or hardware that use LEDs as status or operational indicators like routers, network-attached storage (NAS) devices, printers, scanners, and various other connected devices.

Compared to previously disclosed data exfiltration methods based on optical emanation that take control of LEDs in keyboards and modems, ETHERLED is a more covert approach and less likely to raise suspicion.

ETHERLED details

The attack begins with planting on the target computer malware that contains a modified version of the firmware for the network card. This allows taking control of the LED blinking frequency, duration, and color.

Code to control LED indicators (arxiv.org)

Alternatively, the malware can directly attack the drive for the network interface controller (NIC) to change connectivity status or to modulate the LEDs required for generating the signals.

The three potential attack methods (arxiv.org)

The researcher found that the malicious driver can exploit documented or undocumented hardware functionality to fiddle with network connection speeds and to enable or disable the Ethernet interface, resulting in light blinks and color changes.

Network card indicators lighting up to convey signals (arxiv.org)

Guri’s tests show that each data frame begins with a sequence of ‘1010’, to mark the start of the package, followed by a payload of 64 bits.

Signal contents (arxiv.org)

For data exfiltration through single status LEDs, Morse code dots and dashes lasting between 100 ms and 300 ms were generated, separated by indicator deactivation spaces between 100 ms and 700 ms.

The bitrate of the Morse code can be increased by up to ten times (10m dots, 30m dashes, and 10-70ms spaces) when using the driver/firmware attack method.

To capture the signals remotely, threat actors can use anything from smartphone cameras (up to 30 meters), drones (up to 50m), hacked webcams (10m), hacked surveillance cameras (30m), and telescopes or cameras with telephoto or superzoom lenses (over 100 meters).

The time needed to leak secrets such as passwords through ETHERLED ranges between 1 second and 1.5 minutes, depending on the attack method used, 2.5 sec to 4.2 minutes for private Bitcoin keys, and 42 seconds to an hour for 4096-bit RSA keys.

Times required to transmit secrets (arxiv.org)

Other exfiltration channels

Mordechai also published a paper on ‘GAIROSCOPE’, an attack on air-gapped systems relying on the generation of resonance frequencies on the target system, captured by a nearby (up to 6 meters) smartphone’s gyroscope sensor.

In July, the same researcher presented the ‘SATAn’ attack, which uses SATA cables inside computers as antennas, generating data-carrying electromagnetic waves that can be captured by nearby (up to 1.2 meters) laptops.

The complete collection of Dr. Mordechai Guri’s air-gap covert channel methods can be found in a dedicated section on the Ben-Gurion University of the Negev website.

Comments

merc123wp – 2 days ago
Ahh…flash back to 2017 when I first saw them using HDD LED’s.

https://www.bleepingcomputer.com/news/security/malware-uses-blinking-hard-drive-leds-to-transmit-data-to-nearby-cameras/
GT500 – 2 days ago
I’m not certain I’d call it “air gapped” if the system first has to be infected with malware to pull it off. The idea of “air gapped” is that nothing else is physically connected to the system, and thus it can not be infected, so any malware would have to be installed on the system when it is being set up and before it is installed in its final “air gapped” configuration (or via a USB device connected to the system at some later point, although this may be a breach of security protocol for an “air gapped” system).
anonmosses – 2 days ago
True. If I wanted to infect something before putting it into an air-gapped setup, I might just hide a subsystem inside that captures and transmits data on RF with much better bandwidth, but I certainly wouldn’t call it a new attack vector.
Superjet6258 – 2 days ago
a) supply-chain attacks b) social attacks (“drop a USB stick in the parking lot”), c) insider attacks (bribe someone to plug in a USB stick)… oh hey that’s how Stuxnet is believed to have been introduced!

The point of an air-gapped network is not only to make it harder for malware to enter but also to make it harder to exfiltrate sensitive data (indeed in many cases the *entire* purpose is to make it difficult to exfiltrate sensitive data).

There is no idea that an air-gapped network means it “can not be infected”.
ComputerGeek01 – 2 days ago
So you first need to infect the system, then you need to control a camera at it that has the frame rate fast enough to capture the sequence. If you could decode the data without the malware leg of this I’d call it devastating. But you need to control two disparate systems in order for this to work as written.
h_b_s – 2 days ago
Don’t immediately discount this work. There’s plenty of people that simply assume that “airgapped” means “no access from outside”. That’s not the case if you neglect the physical security for the site… like *most* IT people tend to do. Security is about layers: physical, electronic/data, social. I can’t count the number of times I’ve seen physical locks with the combination written on the wall next to the lock. Don’t even get me started on the number of businesses that treat their employees like dirt and somehow expect them to care about the security implications of their actions with work IT devices.

Getting in most businesses, even physically inside them, is usually the easiest part of exfiltration.

Getting stuff out then becomes fairly trivial. Add a rogue AP somewhere. Drop a camera somewhere pointed at a keyboard or monitor – or a wall where the NIC’s LEDs reflect off it. Some businesses all you have to do is get at their IP cameras – which are usually either unguarded completely or use the default password. Seriously. It’s not difficult to get at these companies if you bother to do your homework.
ftcm207 – 1 day ago
I thought air gapped means not networked. Maybe not.

But if so, using a network card’s LEDs for a computer that isn’t networked doesn’t seem useful, unless the LEDs can be made to blink even without an ethernet link (cable).

The Iranian enrichment facility hacked years ago I think had air gapped PCs but an engineer or physicist was tricked into bringing in an infected USB flash drive. The centrifuges were damaged by malicious operation from the virus.

Anyway, if security is so high that a PC is air gapped, you might as well go to the trouble of removing the network card or disabling a main-board adapter plus covering the jack and lights.