A researcher from Israel, Mordechai Guri, has concluded that he has discovered the possibility of exfiltrating data from air-gapped systems using the LED indicators that are mounted on network cards.
The method is called ‘ETHERLED,’ it uses a form of turning blinking LEDs into Morse code signals, which any attacker can use to decode the lights.
An air-gapped computer’s card requires a camera to be mounted with a direct line of sight to LED lights that might be used to capture the signals. As a result of these, information can be stolen through the translation of these data into binary data.
Network interface cards are components of computers that allow computers to communicate with each other over a network. When the user is connected to a network and data activity occurs, LEDs that are integrated into the network connector simply alert about the status of the network.
An intruder trying to control NIC LEDs with ETHERLED must breach the target environment and plant malicious code that permits the intruder to do so.
In the subsequent phase of the attack, the attacker will begin to collect data and exfiltrate it. A covert optical channel is used to transmit sensitive information during this phase. Status LED indicator on the network card is used to accomplish this.
Here below in the video, you can see the ETHERLED in action:-
The final stage of the optical signal detection process involves a hidden camera that is placed in a specific area in order to receive the optical signals. It is possible that the surveillance camera used in this scenario was a vulnerable device or a smartphone camera.
There are several types of information that can be leaked by the attack, including:-
This malware can alter the connectivity status of the NIC or change the LEDs that are needed for generating the signals directly by attacking the drive for the NIC.
There are a variety of hardware features that may be exploited by the threat actor. Consequently, the threat actor alters the speed and toggles the Ethernet interface, which results in light blinks as well as changes in the color of the light.
A Morse code pattern corresponding to dots and dashes lasting between 100 milliseconds and 300 milliseconds was generated for data exfiltration by means of single-status LEDs.
As a countermeasure, it is recommended that cameras and video recorders not be installed in sensitive zones. Not only that, even black tape can be used to cover the status LEDs.
Secure Azure AD Conditional Access – Download Free White Paper
A very important message from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS)…
Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target…
ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine, to target infected systems, which extracts…
Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…
The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…
Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated cybercriminals to achieve its strategic goals,…