- Mordechai Guri, an Israeli security researcher warns about a possible technique for stealing sensitive data from PCs.
- This technique relies on the manipulation of ethernet LED on systems to send information via morse codes.
- It is possible to exfiltrate data from air-gapped computers. However, due to the possible transmission speeds, it is only viable to steal small-sized sensitive data with this technique.
As hackers become more and more innovative, security researchers are trying their best to predict their innovative attacks. An Israeli researcher named Mordechai Guri has revealed a way to exfiltrate data from computers via their LED indicators for ethernet ports. This technique works on air-gapped systems as well.
Morse codes via ethernet LEDs
Guri’s technique, dubbed ETHERLED, relies on malware that can go between the ethernet driver and the hardware itself or directly install malicious firmware to manipulate the LED indicators on them. This includes manipulation of LEDs blinking frequency, duration, and color. Those actions are also possible when the malicious software makes constant changes in connection speeds and turns the ethernet on/off, but results in slower LED blinking speeds.
As a result of manipulation, the LEDs can blink to send information via morse codes. The LEDs on ethernet devices are capable of blinking for 10 milliseconds, which makes the “dots” in the morse codes. In this case, dashes could be 30 milliseconds and the spaces 70 milliseconds if the LEDs are manipulated at the firmware level.
Faster with firmware changes
With the original driver and a standalone malware that simply turns off and on the ethernet card, and changes the ethernet speed, those blinks can shoot a minimum of 100 ms bursts, which results in much slower data transmission speeds. With those speeds, it is still possible to steal passwords, Bitcoin private keys, and more.
A password that is 100 bits big, can be transmitted in 0.7 minutes by utilizing both of the LEDs on the ethernet if the attacker could not manage to install malicious firmware. If the attackers can change the firmware, the time required to transmit the password goes down to just 1 second. RSA encryption keys could be transmitted in 42 seconds, and Bitcoin private keys in 2.5.
While those possibilities are impressive, there is a big catch. To capture the transmissions, the attacker requires to see or record the morse codes, and 10 milliseconds of bursts are too fast to capture with normal cameras in the market. The best surveillance cameras can capture only 30 fps, which means they can go down to 33 milliseconds. 60 fps cameras, which are very common in mobile phones can go down to 16 milliseconds at best.
To successfully capture the LED blinks at that speed, the camera should be capable of recording at least 100 fps. Still, those transmissions could be done at way lower speeds as we mentioned before and it might still be a big threat for organizations.