Tuesday, December 3, 2024
HomeCyber Security NewsETHERLED - A New Attack Method to Exfiltrate Data from Air-Gapped Devices...

ETHERLED – A New Attack Method to Exfiltrate Data from Air-Gapped Devices using LED Indicators

Published on

SIEM as a Service

A researcher from Israel, Mordechai Guri, has concluded that he has discovered the possibility of exfiltrating data from air-gapped systems using the LED indicators that are mounted on network cards. 

The method is called ‘ETHERLED,’ it uses a form of turning blinking LEDs into Morse code signals, which any attacker can use to decode the lights.

Attack Model

An air-gapped computer’s card requires a camera to be mounted with a direct line of sight to LED lights that might be used to capture the signals. As a result of these, information can be stolen through the translation of these data into binary data.

- Advertisement - SIEM as a Service

Network interface cards are components of computers that allow computers to communicate with each other over a network. When the user is connected to a network and data activity occurs, LEDs that are integrated into the network connector simply alert about the status of the network.

An intruder trying to control NIC LEDs with ETHERLED must breach the target environment and plant malicious code that permits the intruder to do so.

In the subsequent phase of the attack, the attacker will begin to collect data and exfiltrate it. A covert optical channel is used to transmit sensitive information during this phase. Status LED indicator on the network card is used to accomplish this.

ETHERLED in Action

Here below in the video, you can see the ETHERLED in action:-

The final stage of the optical signal detection process involves a hidden camera that is placed in a specific area in order to receive the optical signals. It is possible that the surveillance camera used in this scenario was a vulnerable device or a smartphone camera.

There are several types of information that can be leaked by the attack, including:-

  • Passwords
  • RSA encryption keys
  • Keystrokes
  • Textual content

This malware can alter the connectivity status of the NIC or change the LEDs that are needed for generating the signals directly by attacking the drive for the NIC.

There are a variety of hardware features that may be exploited by the threat actor. Consequently, the threat actor alters the speed and toggles the Ethernet interface, which results in light blinks as well as changes in the color of the light.

A Morse code pattern corresponding to dots and dashes lasting between 100 milliseconds and 300 milliseconds was generated for data exfiltration by means of single-status LEDs.

As a countermeasure, it is recommended that cameras and video recorders not be installed in sensitive zones. Not only that, even black tape can be used to cover the status LEDs.

Secure Azure AD Conditional Access – Download Free White Paper

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...