Boffins get routers spilling secrets through their LEDs

Back in February, it was hard drive lights that leaked data. Now, the side-channel experts at Israel's Ben-Gurion University have applied a similar principle to routers. The attraction of signalling from a router is clear: if you can get the router to leak admin credentials, you don't just p0wn one machine, but probably the …

  1. doug_bostrom

    IIRC a similar problem was identified with network switches (can't remember the brand) nearly 20 years ago. Packets were being faithfully repeated as ones and zeros via panel LEDs. Something along those lines.

    1. I am the liquor

      Rings a bell. I've a feeling it was ISDN modems. It would've had to be something low-bandwidth certainly.

  2. Christian Berger

    Well of course that works

    LEDs are an output device, so obviously you can output any data via it. And before you ask, you can also 'leak' data via soundcards, printers or screens, just like you can do it via power consumption.

    The point is, if an attacker can execute code on your computer, you probably have lost. That's why things like office macros, Javascript, or any of the successors are so problematic. They break down the barrier between data and code.

  3. Brian Miller

    Signalling by light? Really?

    Let's see, if you have control of the "router," and it's running Linux, and you can upload new firmware or just drop a new binary on the drive, then of course you can do all sorts of things!!

    In other news, water is still wet.

    They could also just send the data by audio side channel by loading a text-to-speech module, and announcing all the important bits on the PA system. (Ah, hacking the PA system, that brings back memories. They never did find out who did that...)

    1. m0rt

      Re: Signalling by light? Really?

      The point is, you have a potential airgapping of your ill-gotten information. No trace other than the router payload.

      At a certain level, this is useful. Especially for stealing Spectrum games.

    2. Anonymous Coward

      Ah, hacking the PA system, that brings back memories

      Me too.

      Mate and I connected an old Quad amp up to the 100v tannoy line.

      The occasional fake message suitably distorted to match the real thing ....

      Watch the manglement waddling around like demented ducks trying to work out what was happening ...

      Ok, their normal state but on steroids.

      The problem came when the lady on the switchboard put out a real call at the same time. The Quad won. Blissful silence till someone replaced the fuse at the back of the tannoy amplifier.

      Ac even after all these years ...

      1. Mike 16

        Re: Ah, hacking the PA system, that brings back memories

        At least two memories for me.

        1) In a certain Telco office, some of the frame-men had a small speaker "tapping" the leased-line from a radio station studio to their transmitter. Music while you work, what could possibly go wrong? Then one day someone had a minor industrial accident and expressed their pain/anger verbally and forcefully. Every speaker is a microphone, especially when there is nothing but a transformer between it and the line. The "not ready for FCC" outburst was broadcast, and it was a race between the crew disconnecting and hiding evidence and the supervisors commanding that the culprits be found, under pressure from a major corporation.

        2) At one job, we had an "advanced computer-controlled" phone system, with some quirks. One was that in some circumstances, a conversation could be "conferenced" to a paging number. One amusing instance had the whole engineering building listening in to a purchasing agent "negotiating" a kickback. We reported the issue to the phone vendor, but were told it was impossible. Our favorite bug-hunter figured out the exact sequence needed to trigger it, and next time he was waiting for his girlfriend (who happened to work for said phone vendor), to come out for lunch, he connected Dial a Prayer to their paging system from a lobby phone. An update that fixed the problem came out a bit later.

    3. Mage Silver badge

      Re: Signalling by light? Really?

      It's even built in!

      You can program your own morse code on a router LED. I did this 10 years ago.

      The trick requires compromising the router security FIRST, so then it can "phone home" on the WAN anyway.

  4. jake Silver badge

    I'm not sure why you're still reporting on these clowns.

    Bottom line: If I can run arbitrary code on a given machine, I control that machine. This is not news. It's not even a hack. (Am I the only one who wrote a little bit of assembler to turn on and off the NumLock LED to match the actual state of the key back in the day?)

    1. Jason Bloomberg Silver badge

      Re: I'm not sure why you're still reporting on these clowns.

      Its real claim to fame is that it allows information to be leaked without that leak being detected. It would be easy enough to have a compromised PC or router send a packet out to a server but there may be something up-stream which detects such a leak. It also works where the system is air-gapped and not connected to the wider internet.

      So really it's an answer to; how would we get data out of an air-gapped or tightly monitored network without anyone realising we were doing that?

      It's good lateral thinking but it does seem to be devolving into it all being a variation on a theme; an observable and controllable entity can be used for signalling. Next week they might be telling us they can transfer data by speeding up and slowing down case fans by modulating the amount of code executed to change temperatures.

      1. Adam JC

        Re: I'm not sure why you're still reporting on these clowns.

        "Next week they might be telling us they can transfer data by speeding up and slowing down case fans by modulating the amount of code executed to change temperatures."

        Funny you should say that...

        https://www.theregister.co.uk/2016/06/24/israeli_researcher_fans_fears_heres_another_way_to_cross_the_airgap/

      2. Anonymous Coward

        Re: I'm not sure why you're still reporting on these clowns.

        > "So really it's an answer to; how would we get data out of an air-gapped of tightly monitored network without anyone realising we were doing that?"

        Whilst also being able to log in to it and run software....

    2. Down not across

      Re: I'm not sure why you're still reporting on these clowns.

      > Am I the only one who wrote a little bit of assembler to turn on and off the NumLock LED to match the actual state of the key back in the day?

      Nope. Definitely not. I abused the keyboard controller a lot back in the days of DOS and Coherent. I had a 286 laptop (more like a luggable) that had all keyboard lights in a nice row under the screen, so I often repurposed them for other than their intended use.

  5. Sgt_Oddball
    Holmes

    Hummm...

    Are we talking one LED or multiple? What of using different colours to multiplex the bit rate (I know my router at home has 3 different colours, green red and amber)

    1. jake Silver badge

      Re: Hummm...

      Produce what you see fit. Running code trumps all.

  6. Anonymous Coward
    WTF?

    So line of sight,....

    ...of a compromised router, with a camera in front.

    Remind me how this will happen in the real world?

    To get to the secured air gapped routers in a data centre with no windows perhaps?

    1. Arthur the cat Silver badge

      Re: So line of sight,....

      > ...of a compromised router, with a camera in front.
      >
      > Remind me how this will happen in the real world?
      >
      > To get to the secured air gapped routers in a data centre with no windows perhaps?

      Ah, but they'll have also hacked the smartphone of someone who goes into the data centre so the camera on that can be used to exfiltrate data via an ad hoc WiFi mesh through other hacked phones in the building. :-)

      This is what Bruce Schneier calls "a Hollywood Scenario" - implausible (and often impossible) in real life, but fun when combined with popcorn and a willing suspension of disbelief. The problem comes when the media and/or politicians use Hollywood Scenarios to demand Something Must Be Done (with a side order of Think Of The Children).

  7. Anonymous Coward

    I think I'll store this vulnerability under the "screen door on a submarine" section of my files along with "Chocolate Teapots" and "Trap door in a canoe"

    1. an it guy

      unfortunately for you, chocolate teapots do work, though a one-time use.

      http://www.bbc.com/news/uk-england-york-north-yorkshire-29126161

      and to purchase ... http://www.schokolat.co.uk/chocolate-teapot/

  8. wyatt

    Security starts with physical access, compromise that and further exploitation is possible. It's probably the cheapest option to implement as well.

  9. PNGuinn
    Go

    So, "take over" your own router

    Play blinkenlights yourself when bored

    Create pretty patterns for the Xmas season.

    DIY advertising / slogan board.

    Produce fake news.

    Give the PFY an epileptic fit.

    If Big Brother is watching: Leak false data. Transmit key watchwords for TLAs eyes only.

    The opportunities for perverted fun must be endless ....

  10. John Smith 19 Gold badge
    Facepalm

    "Probably the best countermeasure...pay attention to the firmware on your routers. ®

    SOP for most people here?

  11. Herby

    All of this gives new meaning to:

    "Relaxen und watchen das blinkenlichten"

    See: this.

  12. John Brown (no body) Silver badge

    physical access...tape over the LEDs

    If you've got physical access to the target's facility, things work much better: an optical sensor (Guri's group used a Thorlabs PDA100A) could operate at more than 1 Kbps and as high as 3.5 Kbps.

    Probably the best countermeasure is tape over the LEDs

    Seems a bit pointless if the bad guys not only have physical access but have already compromised the router anyway.

  13. hammarbtyp

    Oh, lordy, please don't let the management see this, otherwise they will be ordering us to wear blindfolds when near a router

  14. razorfishsl

    This is old research,

    papers were written about this years ago and presented at a security conference.
