ETHERLED – A New Attack Method to Exfiltrate Data from Air-Gapped Devices using LED Indicators

A researcher from Israel, Mordechai Guri, has concluded that he has discovered the possibility of exfiltrating data from air-gapped systems using the LED indicators that are mounted on network cards. 

The method is called ‘ETHERLED,’ it uses a form of turning blinking LEDs into Morse code signals, which any attacker can use to decode the lights.

Attack Model

An air-gapped computer’s card requires a camera to be mounted with a direct line of sight to LED lights that might be used to capture the signals. As a result of these, information can be stolen through the translation of these data into binary data.

Network interface cards are components of computers that allow computers to communicate with each other over a network. When the user is connected to a network and data activity occurs, LEDs that are integrated into the network connector simply alert about the status of the network.


An intruder trying to control NIC LEDs with ETHERLED must breach the target environment and plant malicious code that permits the intruder to do so.

In the subsequent phase of the attack, the attacker will begin to collect data and exfiltrate it. A covert optical channel is used to transmit sensitive information during this phase. Status LED indicator on the network card is used to accomplish this.

ETHERLED in Action

Here below in the video, you can see the ETHERLED in action:-

The final stage of the optical signal detection process involves a hidden camera that is placed in a specific area in order to receive the optical signals. It is possible that the surveillance camera used in this scenario was a vulnerable device or a smartphone camera.

There are several types of information that can be leaked by the attack, including:-

  • Passwords
  • RSA encryption keys
  • Keystrokes
  • Textual content

This malware can alter the connectivity status of the NIC or change the LEDs that are needed for generating the signals directly by attacking the drive for the NIC.

There are a variety of hardware features that may be exploited by the threat actor. Consequently, the threat actor alters the speed and toggles the Ethernet interface, which results in light blinks as well as changes in the color of the light.

A Morse code pattern corresponding to dots and dashes lasting between 100 milliseconds and 300 milliseconds was generated for data exfiltration by means of single-status LEDs.

As a countermeasure, it is recommended that cameras and video recorders not be installed in sensitive zones. Not only that, even black tape can be used to cover the status LEDs.

Secure Azure AD Conditional Access – Download Free White Paper


Please enter your comment!
Please enter your name here