Israeli researchers show how malware can steal data from Wi-Fi routers

Guri’s findings are just the latest in a series of studies at BGU’s Cyber Security Research Center dedicated to uncovering and demonstrating vulnerabilities of electronic devices.

June 6, 2017 06:09

Hackers may be able to siphon sensitive files, passwords and other private data through the flickering LED signal lights of common Wi-Fi routers, Ben-Gurion University researchers have found.

In a recently completed study, Dr. Mordechai Guri and his team demonstrated how a type of malware they developed – dubbed “xLED” – can silently override LED functionality by infecting firmware within the device. Once xLED infects the network device, it is able to gain full control of the flashing lights, which are typically used to monitor traffic activity, generate alerts and provide status updates.

“Sensitive data can be encoded and sent via the LED light pulses in various ways,” said Guri, who is head of research and development at the university’s Cyber Security Research Center. “An attacker with access to a remote or local camera, or with a light sensor hidden in the room, can record the LED’s activity and decode the signals.”

The xLED malware can program LED lights to flash at very fast speeds, the study showed. Because a typical router or network switch contains at least six such LEDs, the transmission rate can be multiplied significantly, allowing a large amount of sensitive information to leak to a remote camera or light sensor that records the flashes, according to the research.

“Unlike network traffic that is heavily monitored and controlled by firewalls, this covert channel is currently not monitored,” Guri said. “As a result, it enables attackers to leak data while evading firewalls, air gaps [computers not hooked up to the Internet] and other data-leakage prevention methods.”

Guri’s findings are just the latest in a series of studies at BGU’s Cyber Security Research Center dedicated to uncovering and demonstrating vulnerabilities of electronic devices. In the past two years, researchers have successfully demonstrated how malware can siphon data from computer speakers, headphone jacks, hard drives, computer fans, 3D printers, smartphones, LED bulbs and other connected devices.

In March, Guri and his team showed how information can similarly be stolen from the hard drive of an isolated “air-gapped” computer by reading the pulses of light from the drive’s LED, even though such computers are cut off from public networks.

While Guri’s lab-tested xLED is able to steal information from routers, he acknowledged that no such malware is known to be out there circulating in the world just yet. In the future, however, hackers might use similar methods to threaten big institutions such as banks, he told The Jerusalem Post on Monday.

A computer might be very well guarded, but the router connected to the machine might be much less secure, according to Guri. After infecting the router with the malware, hackers would just need a visible “line of sight” – even from outside a window – to monitor the LEDs, he added.

“The access to the router can be much easier for hackers,” Guri said. “It gives some kind of access point, attack vector.”

The hacker could access any files, movies, texts or images on a computer connected to that router, he explained.

“The malware just has to choose what it wants to leak,” Guri said.

Accompanying a paper they wrote about their findings, Guri and his team also uploaded a video to YouTube on Monday demonstrating xLED’s power to covertly exfiltrate data using the LEDs of a typical TP-LINK router. The malware exfiltrates the data via seven LEDs at a rate of 10,000 bits per second, with each LED blinking more than 1,000 times per second. Slowing down the transmission 166 times, the video challenges viewers to figure out what exactly xLED is exfiltrating.

When asked by the Post what the answer to that challenge might be, Guri encouraged readers to try decoding the puzzle for themselves.

“It’s a famous book,” he said.
