Isolated devices can send hidden Morse signals through network card LEDs


A security researcher with a long line of work demonstrating new methods of exfiltrating data from isolated systems has come up with another technique that involves sending Morse code signals through the LEDs on network interface cards (NICs).

The approach, codenamed ETHERLED, comes from Dr. Mordechai Guri, head of R&D at the Center for Cybersecurity Research at Ben-Gurion University of the Negev in Israel, who recently described GAIROSCOPE, a method of transmitting ultrasonic data to smartphone gyroscopes.


“Malware installed on the device could programmatically control the status light by flashing or alternating its colors, using documented methods or undocumented firmware commands,” Dr. Guri said.

“Information can be encoded via simple coding such as Morse code and modulated onto these optical signals. An attacker can intercept and decode these signals from tens or hundreds of meters away.”


A network interface card, also known as a network interface controller or network adapter, is a computer hardware component that connects a computer to a computer network. Integrated LEDs in the network connector inform the user if the network is connected and when data activity occurs.

ETHERLED, like other adversarial approaches against isolated systems, requires the intruder to first gain access to the target environment and implant malicious code that allows control of the LEDs on the network card.

Next comes the data collection and exfiltration phase of the attack, during which sensitive information such as credentials and biometrics is encoded and sent over a covert optical channel using the network card's status LED indicators.

In the last step, the optical signals are received by a hidden camera positioned in a location with a direct line of sight to the compromised sending computer. Alternatively, the camera could be a surveillance camera vulnerable to remote exploitation or a smartphone operated by a rogue insider.


The attack can be used to leak various types of information, including passwords, RSA encryption keys, keystrokes, and textual content, to cameras located anywhere between 10m and 50m, a distance that can be extended to a few hundred meters using a telescope and special focus lenses.


Additionally, the ETHERLED method is designed to work with any device or hardware that ships with Ethernet cards, such as printers, network cameras, network-attached storage (NAS), embedded systems, and other IoT devices.

Countermeasures include restricting cameras and video recorders in sensitive areas, covering status lights with black tape to physically block optical emanation, reprogramming software to defeat the encoding scheme, and environmental jamming that adds random noise to the modulated signals.
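As an added illustration (not code from the article or from Dr. Guri's research), a defender who has a log of status-LED state changes can check whether the blink timing shows the fixed 1:3 unit structure of Morse keying, which ordinary activity flicker lacks. The log format, the 0.8 threshold, the function names and both sample traces are assumptions constructed for this example.

```python
import random
from statistics import median

MORSE_MULTIPLES = (1, 3, 7)  # standard Morse timing: dot/element gap, dash/letter gap, word gap

def interval_lengths(transitions):
    """[(time_s, led_on), ...] -> seconds between consecutive LED state changes."""
    return [b[0] - a[0] for a, b in zip(transitions, transitions[1:])]

def morse_likeness(transitions, tolerance=0.2, min_intervals=20):
    """Fraction of intervals lying within tolerance of 1x, 3x or 7x the base unit."""
    lengths = interval_lengths(transitions)
    if len(lengths) < min_intervals:
        return 0.0  # too little data to judge
    # Base unit estimate: median of the shortest third of all intervals.
    unit = median(sorted(lengths)[: len(lengths) // 3])
    if unit <= 0:
        return 0.0
    hits = sum(
        any(abs(x / unit - m) <= tolerance * m for m in MORSE_MULTIPLES)
        for x in lengths
    )
    return hits / len(lengths)

def is_suspicious(transitions, threshold=0.8):
    """Assumed alerting rule: most intervals are quantised to Morse unit multiples."""
    return morse_likeness(transitions) >= threshold

def constructed_trace(multiples, unit, rng):
    """Constructed sample: alternating on/off, each interval = multiple * unit, 5% jitter."""
    t, on, trace = 0.0, True, [(0.0, True)]
    for m in multiples:
        t += m * unit * rng.uniform(0.95, 1.05)
        on = not on
        trace.append((t, on))
    return trace

rng = random.Random(1)
# Constructed keyed trace: on/off intervals of 1 or 3 units, 0.1 s unit.
KEYED = constructed_trace([1, 1, 1, 1, 1, 3, 3, 1, 3, 1, 3, 3] * 15, 0.1, rng)
# Constructed benign trace: irregular, exponentially distributed flicker intervals.
BENIGN = constructed_trace([rng.expovariate(1.0) for _ in range(180)], 0.1, rng)

if __name__ == "__main__":
    for name, trace in (("keyed", KEYED), ("benign", BENIGN)):
        score = morse_likeness(trace)
        print(f"{name}: score={score:.2f} suspicious={is_suspicious(trace)}")
```

The environmental-noise countermeasure mentioned above works against exactly this regularity: random extra transitions break the unit quantisation that a receiver depends on.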

