Malware Turns Routers Into Network Security Hack Beacons With xLED Data Exfiltration

Most wireless routers are equipped with a series of LEDs to indicate things like network connectivity and activity, though if a router has been compromised with malware, those blinking lights could reveal more than the owner bargained for. Using specially crafted malware, an attacker could instruct those LEDs to transmit data in a binary format.

TP-Link TL-WR841ND
Image Source: TP-Link

The attack was outlined in a paper by a team of researches from the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel. It is the same team of security researchers that previously wrote about data exfiltration schemes involving hard drive LEDs, coil whine, headphones, and other unique methods.

A proof-of-concept malware called xLED shows how a router can be compromised. What it does is spy on certain data that is transmitted to and from a wireless router, then turns it into a binary format. Those binary bits can then be flashed to a nearby attacker or video camera using the router's built-in LED systems.

"A malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors," the researchers explain in their paper (PDF).

There are a number of ways to capture the binary data. In lieu of a nearby spy, the blinking lights can be captured by a security camera, a drone equipped with recording equipment, or any other recording device that has a clear line of sight with the router or switch.

Router LEDs
Image Source: Cyber Security Research Center

It is an interesting concept, but is it practical? One thing to keep in mind here is that this type of attack requires hacking into a router or switch. However, if a router or switch has already been compromised, there are other ways of plucking data that are easier than recording LED transmissions.

Nevertheless, this is an example of a crafty attack and another reminder to never take security for granted.