IIRC a similar problem was identified with network switches (can't remember the brand) nearly 20 years ago. Packets were being faithfully repeated as ones and zeros via panel LEDs. Something along those lines.
Boffins get routers spilling secrets through their LEDs
Back in February, it was hard drive lights that leaked data. Now, the side-channel experts at Israel's Ben-Gurion University have applied a similar principle to routers. The attraction of signalling from a router is clear: if you can get the router to leak admin credentials, you don't just p0wn one machine, but probably the …
COMMENTS
-
Tuesday 6th June 2017 04:58 GMT Christian Berger
Well of course that works
LEDs are an output device, so obviously you can output any data via it. And before you ask, you can also 'leak' data via soundcards, printers or screens, just like you can do it via power consumption.
The point is, if an attacker can execute code on your computer, you probably have lost. That's why things like office macros, Javascript, or any of the successors are so problematic. They break down the barrier between data and code.
-
Tuesday 6th June 2017 05:02 GMT Brian Miller
Signalling by light? Really?
Let's see, if you have control of the "router," and it's running Linux, and you can upload new firmware or just drop a new binary on the drive, then of course you can do all sorts of things!!
In other news, water is still wet.
They could also just send the data by audio side channel by loading a text-to-speech module, and announcing all the important bits on the PA system. (Ah, hacking the PA system, that brings back memories. They never did find out who did that...)
-
Tuesday 6th June 2017 10:36 GMT Anonymous Coward
Ah, hacking the PA system, that brings back memories
Me too.
Mate and I connected an old Quad amp up to the 100v tannoy line.
The occasional fake message suitably distorted to match the real thing ....
Watch the manglement waddling around like demented ducks trying to work out what was happening ...
Ok, their normal state but on steroids.
The problem came when the lady on the switchboard put out a real call at the same time. The Quad won. Blissful silence till someone replaced the fuse at the back of the tannoy amplifier.
AC even after all these years ...
-
Tuesday 6th June 2017 19:37 GMT Mike 16
Re: Ah, hacking the PA system, that brings back memories
At least two memories for me.
1) In a certain Telco office, some of the frame-men had a small speaker "tapping" the leased-line from a radio station studio to their transmitter. Music while you work, what could possibly go wrong? Then one day someone had a minor industrial accident and expressed their pain/anger verbally and forcefully. Every speaker is a microphone, especially when there is nothing but a transformer between it and the line. The "not ready for FCC" outburst was broadcast, and it was a race between the crew disconnecting and hiding evidence and the supervisors commanding that the culprits be found, under pressure from a major corporation.
2) At one job, we had an "advanced computer-controlled" phone system, with some quirks. One was that in some circumstances, a conversation could be "conferenced" to a paging number. One amusing instance had the whole engineering building listening in to a purchasing agent "negotiating" a kickback. We reported the issue to the phone vendor, but were told it was impossible. Our favorite bug-hunter figured out the exact sequence needed to trigger it, and next time he was waiting for his girlfriend (who happened to work for said phone vendor), to come out for lunch, he connected Dial a Prayer to their paging system from a lobby phone. An update that fixed the problem came out a bit later.
-
-
Tuesday 6th June 2017 05:33 GMT jake
I'm not sure why you're still reporting on these clowns.
Bottom line: If I can run arbitrary code on a given machine, I control that machine. This is not news. It's not even a hack. (Am I the only one who wrote a little bit of assembler to turn on and off the NumLock LED to match the actual state of the key back in the day?)
-
Tuesday 6th June 2017 09:46 GMT Jason Bloomberg
Re: I'm not sure why you're still reporting on these clowns.
Its real claim to fame is that it allows information to be leaked without that leak being detected. It would be easy enough to have a compromised PC or router send a packet out to a server but there may be something up-stream which detects such a leak. It also works where the system is air-gapped and not connected to the wider internet.
So really it's an answer to: how would we get data out of an air-gapped or tightly monitored network without anyone realising we were doing that?
It's good lateral thinking but it does seem to be devolving into it all being a variation on a theme; an observable and controllable entity can be used for signalling. Next week they might be telling us they can transfer data by speeding up and slowing down case fans by modulating the amount of code executed to change temperatures.
-
Tuesday 6th June 2017 12:17 GMT Adam JC
Re: I'm not sure why you're still reporting on these clowns.
"Next week they might be telling us they can transfer data by speeding up and slowing down case fans by modulating the amount of code executed to change temperatures."
Funny you should say that...
https://www.theregister.co.uk/2016/06/24/israeli_researcher_fans_fears_heres_another_way_to_cross_the_airgap/
-
-
Tuesday 6th June 2017 17:47 GMT Down not across
Re: I'm not sure why you're still reporting on these clowns.
Am I the only one who wrote a little bit of assembler to turn on and off the NumLock LED to match the actual state of the key back in the day?
Nope. Definitely not. I abused the keyboard controller a lot back in the days of DOS and Coherent. I had a 286 laptop (more like a luggable) that had all the keyboard lights in a nice row under the screen, so I often repurposed them for other than their intended use.
-
-
-
Tuesday 6th June 2017 07:47 GMT Arthur the cat
Re: So line of sight,....
...of a compromised router, with a camera in front.
Remind me how this will happen in the real world?
To get to the secured air gapped routers in a data centre with no windows perhaps?
Ah, but they'll have also hacked the smartphone of someone who goes into the data centre so the camera on that can be used to exfiltrate data via an ad hoc WiFi mesh through other hacked phones in the building. :-)
This is what Bruce Schneier calls "a Hollywood Scenario" - implausible (and often impossible) in real life, but fun when combined with popcorn and a willing suspension of disbelief. The problem comes when the media and/or politicians use Hollywood Scenarios to demand Something Must Be Done (with a side order of Think Of The Children).
-
-
-
Tuesday 6th June 2017 10:26 GMT PNGuinn
So, "take over" your own router
Play blinkenlights yourself when bored
Create pretty patterns for the Xmas season.
DIY advertising / slogan board.
Produce fake news.
Give the PFY an epileptic fit.
If Big Brother is watching: Leak false data. Transmit key watchwords for TLAs eyes only.
The opportunities for perverted fun must be endless ....
-
Tuesday 6th June 2017 22:02 GMT John Brown (no body)
physical access...tape over the LEDs
If you've got physical access to the target's facility, things work much better: an optical sensor (Guri's group used a Thorlabs PDA100A) could operate at more than 1 Kbps and as high as 3.5 Kbps.
Probably the best countermeasure is tape over the LEDs
Seems a bit pointless if the bad guys not only have physical access but have already compromised the router anyway.