Israeli researcher Mordechai Guri has discovered a new method for exfiltrating data using network card LEDs. Named ETHERLED, this find is both amazing and ingenious!
With the ETHERLED method, the blinking LEDs on a network card are turned into Morse signals that an attacker can decode. Capturing these signals does require some equipment: a camera with a live view of the indicator lights on the target computer's network card. The signals are then translated into binary to reconstruct the information.
This method of stealing information applies to air-gapped networks, i.e. when the computer is on a completely isolated network (because it is very sensitive, for example). Since it is isolated and has no internet access, it is more difficult for attackers to reach it unless they use suitable methods, such as this one. The diagram below illustrates an example, where it almost feels like James Bond, with a drone capturing the Morse signals from the network card!
Even though the system is isolated in an air-gapped network, Mordechai Guri asserts that if an attacker manages to infect the target computer with malware, it can replace the network card driver with a malicious version that modifies the color of the LED and the frequency of flashing, as he did with the ETHERLED method. Although he takes the example of a computer, this method can work with other devices equipped with Ethernet network cards: printers, NAS, routers, etc. Keep in mind that without the initial infection, i.e. the malware on the target computer that modifies the network card driver, this method cannot be used.
Which lights are lit on the network card, and in which color, makes it possible to obtain the information in binary: 00, 01 or 10. As with Morse code, pauses must also be included between signals. Although it may seem like it would take an eternity to transmit information this way, according to the security researcher, the time required to disclose passwords with ETHERLED varies between 1 second and 1.5 minutes, depending on the attack method used. As further examples, the time required varies between 2.5 seconds and 4.2 minutes for Bitcoin private keys, and between 42 seconds and one hour for 4096-bit RSA keys.
After reading this article, you will never look at network card LEDs the same way!