Network card LEDs can leak confidential data from secure devices using Morse code


Ben Gurion University’s Head of Cybersecurity Research and Development, Dr. Mordechai Guri, discovered a new technique that sends Morse code signals through LEDs on network interface cards.

Attackers can use the technique, named ETHERLED, to leak data from isolated networked devices like PCs, printers, network cameras, embedded controllers and servers.

Dr. Guri said isolated devices are highly secure hardware isolated from the Internet or other public networks because of the confidential information they process.

However, using the ETHERLED technique, attackers can still exfiltrate confidential data using the devices’ network cards.

“Networked devices have a built-in Network Interface Controller (NIC) that includes status and activity LEDs.”

“We show that malware installed on the device can control status lights by blinking and alternating colors, using documented methods or undocumented firmware commands.”

“Information can be encoded using simple coding such as Morse code and modulated onto these optical signals. An attacker can intercept and decode these signals from tens or hundreds of meters away,” Dr Guri said.

To decrypt the messages, the attackers would need either a hidden camera with a direct line of sight or access to a surveillance camera vulnerable to remote exploitation.

The ETHERLED method can leak passwords, RSA encryption keys, and keystrokes to cameras 10-50m from the compromised device.

Dr. Guri recommended countermeasures that include covering status LEDs with black tape, adding random noise to modulated signals, and restricting camera zones in relevant environments.

Now Read: Iranian Malware Steals User Data from Gmail, Yahoo! and Microsoft Outlook


Comments are closed.