Monday, December 4, 2023

ETHERLED – A New Attack Method to Exfiltrate Data from Air-Gapped Devices using LED Indicators

A researcher from Israel, Mordechai Guri, has concluded that he has discovered the possibility of exfiltrating data from air-gapped systems using the LED indicators that are mounted on network cards. 

The method is called ‘ETHERLED,’ it uses a form of turning blinking LEDs into Morse code signals, which any attacker can use to decode the lights.

Attack Model

An air-gapped computer’s card requires a camera to be mounted with a direct line of sight to LED lights that might be used to capture the signals. As a result of these, information can be stolen through the translation of these data into binary data.

Network interface cards are components of computers that allow computers to communicate with each other over a network. When the user is connected to a network and data activity occurs, LEDs that are integrated into the network connector simply alert about the status of the network.

An intruder trying to control NIC LEDs with ETHERLED must breach the target environment and plant malicious code that permits the intruder to do so.

In the subsequent phase of the attack, the attacker will begin to collect data and exfiltrate it. A covert optical channel is used to transmit sensitive information during this phase. Status LED indicator on the network card is used to accomplish this.

ETHERLED in Action

Here below in the video, you can see the ETHERLED in action:-

The final stage of the optical signal detection process involves a hidden camera that is placed in a specific area in order to receive the optical signals. It is possible that the surveillance camera used in this scenario was a vulnerable device or a smartphone camera.

There are several types of information that can be leaked by the attack, including:-

  • Passwords
  • RSA encryption keys
  • Keystrokes
  • Textual content

This malware can alter the connectivity status of the NIC or change the LEDs that are needed for generating the signals directly by attacking the drive for the NIC.

There are a variety of hardware features that may be exploited by the threat actor. Consequently, the threat actor alters the speed and toggles the Ethernet interface, which results in light blinks as well as changes in the color of the light.

A Morse code pattern corresponding to dots and dashes lasting between 100 milliseconds and 300 milliseconds was generated for data exfiltration by means of single-status LEDs.

As a countermeasure, it is recommended that cameras and video recorders not be installed in sensitive zones. Not only that, even black tape can be used to cover the status LEDs.

Secure Azure AD Conditional Access – Download Free White Paper


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles