Boffins get routers spilling secrets through their LEDs Back in February, it was hard drive lights that leaked data. Now, the side-channel experts at Israel's Ben-Gurion University have applied a similar principle to routers. The attraction of signalling from a router is clear: is you can get the router to leak admin credentials, you don't just p0wn one machine, but probably the …
LEDs are an output device, so obviously you can output any data via it. And before you ask, you can also 'leak' data via soundcards, printers or screens, just like you can do it via power consumption.
The point is, if an attacker can execute code on your computer, you probably have lost. That's why things like office macros, Javascript, or any of the successors are so problematic. They break down the barrier between data and code.
Let's see, if you have control of the "router," and it's running Linux, and you can upload new firmware or just drop a new binary on the drive, then of course you can do all sorts of things!!
In other news, water is still wet.
They could also just send the data by audio side channel by loading a text-to-speech module, and announcing all the important bits on the PA system. (Ah, hacking the PA system, that brings back memories. They never did find out who did that...)
Me too.
Mate and I connected an old Quad amp up to the 100v tannoy line.
The occasional fake message suitably distorted to match the real thing ....
Watch the manglement waddling around like demented ducks trying to work out what was happening ...
Ok, their normal state but on steroids.
The problem came when the lady on the switchboard put out a real call at the same time. The Quad won. Blissful silence till someone replaced the fuse at the back of the tannoy amplifrier.
Ac even after all these years ...
At least two memories for me.
1) In a certain Telco office, some of the frame-men had a small speaker "tapping" the leased-line from a radio station studio to their transmitter. Music while you work, what could possibly go wrong? Then one day someone had a minor industrial accident and expressed their pain/anger verbally and forcefully. Every speaker is a microphone, especially when there is nothing but a transformer between it and the line. The "not ready for FCC" outburst was broadcast, and it was a race between the crew disconnecting and hiding evidence and the supervisors commanding that the culprits be found, under pressure from a major corporation.
2) At one job, we had an "advanced computer-controlled" phone system, with some quirks. One was that in some circumstances, a conversation could be "conferenced" to a paging number. One amusing instance had the whole engineering building listening in to a purchasing agent "negotiating" a kickback. We reported the issue to the phone vendor, but were told it was impossible. Our favorite bug-hunter figured out the exact sequence needed to trigger it, and next time he was waiting for his girlfriend (who happened to work for said phone vendor), to come out for lunch, he connected Dial a Prayer to their paging system from a lobby phone. An update that fixed the problem came out a bit later.
Bottom line: If I can run arbitrary code on a given machine, I control that machine. This is not news. It's not even a hack. (Am I the only one who wrote a little bit of assembler to turn on and off the NumLock LED to match the actual state of the key back in the day?)
Its real claim to fame is that it allows information to be leaked without that leak being detected. It would be easy enough to have a compromised PC or router send a packet out to a server but there may be something up-stream which detects such a leak. It also works where the system is air-gapped and not connected to the wider internet.
So really it's an answer to; how would we get data out of an air-gapped of tightly monitored network without anyone realising we were doing that?
It's good lateral thinking but it does seem to be devolving into it all being a variation on a theme; an observable and controllable entity can be used for signalling. Next week they might be telling us they can transfer data by speeding up and slowing down case fans by modulating the amount of code executed to change temperatures.
"Next week they might be telling us they can transfer data by speeding up and slowing down case fans by modulating the amount of code executed to change temperatures."
Funny you should say that...
https://www.theregister.co.uk/2016/06/24/israeli_researcher_fans_fears_heres_another_way_to_cross_the_airgap/
Am I the only one who wrote a little bit of assembler to turn on and off the NumLock LED to match the actual state of the key back in the day?
Nope. Definitely not. I abused the keyboard controller a lot back in the days of DOS and Coheren t. I had a 286 laptop (more like a luggable) that had all keyboard lights in nice row under the screen, so I often repurposed them for other than their intended use.
...of a compromised router, with a camera in front.
Remind me how this will happen in the real world?
To get to the secured air gapped routers in a data centre with no windows perhaps?
Ah, but they'll have also hacked the smartphone of someone who goes into the data centre so the camera on that can be used to exfiltrate data via an ad hoc WiFi mesh through other hacked phones in the building. :-)
This is what Bruce Schneier calls "a Hollywood Scenario" - implausible (and often impossible) in real life, but fun when combined with popcorn and a willing suspension of disbelief. The problem comes when the media and/or politicians use Hollywood Scenarios to demand Something Must Be Done (with a side order of Think Of The Children).
Play blinkenlights yourself when bored
Create pretty patterns for the Xmas season.
DIY advertising / slogan board.
Produce fake news.
Give the PFY an epileptic fit.
If Big Brother is watching: Leak false data. Transmit key watchwords for TLAs eyes only.
The opportunities for perverted fun must be endless ....
If you've got physical access to the target's facility, things work much better: an optical sensor (Guri's group used a Thorlabs PDA100A) could operate at more than 1 Kbps and as high as 3.5 Kbps.
Probably the best countermeasure is tape over the LEDs
Seems a bit pointless if the bad guys not only have physical access but have already compromised the router anyway.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
