Network card LEDs can leak confidential data from secure devices using Morse code
Ben Gurion University’s head of cyber security research and development, Dr Mordechai Guri, has discovered a new technique that sends Morse code signals via the LEDs on network interface cards.
Attackers can use the technique, named ETHERLED, to leak data from air-gapped networked devices like PCs, printers, network cameras, embedded controllers, and servers.
Dr Guri said air-gapped devices are highly secure hardware isolated from the Internet or other public networks due to the confidential information they process.
However, by using the ETHERLED technique, attackers can still exfiltrate confidential data using devices’ network cards.
“Networked devices have an integrated network interface controller (NIC) that includes status and activity indicator LEDs.”
“We show that malware installed on the device can control the status LEDs by blinking and alternating colours, using documented methods or undocumented firmware commands.”
“Information can be encoded via simple encoding such as Morse code and modulated over these optical signals. An attacker can intercept and decode these signals from tens to hundreds of meters away,” Dr Guri said.
To intercept the signals, attackers would need either a hidden camera with a direct line of sight or access to a surveillance camera vulnerable to remote exploitation.
The ETHERLED method can leak passwords, RSA encryption keys, and keystrokes to cameras between 10 and 50m away from the compromised device.
Dr Guri has recommended countermeasures that include covering the status LEDs with black tape, adding random noise to the modulated signals, and restricting the camera zones in relevant environments.