Optical Covert Channel from Air-Gapped Networks via Remote Orchestration of Router/Switch LEDs

Abstract

Air-gapped networks are separated from the Internet due to the sensitive information they stores. It is shown that attackers can use the status LEDs of routers and switches to exfiltrate data optically. However, the current methods require the compromise of the network device (e.g., router) by infecting its firmware. In this paper we show how attackers can covertly leak sensitive data from air-gapped networks via the row of status LEDs on non-compromised networking equipment such as LAN switches and routers. We introduce new types of attack called host-level attack, in which a malicious code run in a host connected to the network can indirectly control the LEDs, without requiring a code execution within the LAN switch or router. We present a version of the host-level attack that doesn't require special privileges (e.g., root or admin) and is also effective when running from within a Virtual Machine (VM), despite the network isolation. We provide the technical background and implementation details and discuss set of preventive countermeasures.