Monday, September 9, 2024
HomeCyber Security NewsETHERLED - A New Attack Method to Exfiltrate Data from Air-Gapped Devices...

ETHERLED – A New Attack Method to Exfiltrate Data from Air-Gapped Devices using LED Indicators

Published on

A researcher from Israel, Mordechai Guri, has concluded that he has discovered the possibility of exfiltrating data from air-gapped systems using the LED indicators that are mounted on network cards. 

The method is called ‘ETHERLED,’ it uses a form of turning blinking LEDs into Morse code signals, which any attacker can use to decode the lights.

Attack Model

An air-gapped computer’s card requires a camera to be mounted with a direct line of sight to LED lights that might be used to capture the signals. As a result of these, information can be stolen through the translation of these data into binary data.

- Advertisement - EHA

Network interface cards are components of computers that allow computers to communicate with each other over a network. When the user is connected to a network and data activity occurs, LEDs that are integrated into the network connector simply alert about the status of the network.

An intruder trying to control NIC LEDs with ETHERLED must breach the target environment and plant malicious code that permits the intruder to do so.

In the subsequent phase of the attack, the attacker will begin to collect data and exfiltrate it. A covert optical channel is used to transmit sensitive information during this phase. Status LED indicator on the network card is used to accomplish this.

ETHERLED in Action

Here below in the video, you can see the ETHERLED in action:-

The final stage of the optical signal detection process involves a hidden camera that is placed in a specific area in order to receive the optical signals. It is possible that the surveillance camera used in this scenario was a vulnerable device or a smartphone camera.

There are several types of information that can be leaked by the attack, including:-

  • Passwords
  • RSA encryption keys
  • Keystrokes
  • Textual content

This malware can alter the connectivity status of the NIC or change the LEDs that are needed for generating the signals directly by attacking the drive for the NIC.

There are a variety of hardware features that may be exploited by the threat actor. Consequently, the threat actor alters the speed and toggles the Ethernet interface, which results in light blinks as well as changes in the color of the light.

A Morse code pattern corresponding to dots and dashes lasting between 100 milliseconds and 300 milliseconds was generated for data exfiltration by means of single-status LEDs.

As a countermeasure, it is recommended that cameras and video recorders not be installed in sensitive zones. Not only that, even black tape can be used to cover the status LEDs.

Secure Azure AD Conditional Access – Download Free White Paper

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...