[Paper Review] xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs
This paper presents xLED, a covert channel that exfiltrates data from air-gapped networks by manipulating router and switch status LEDs to transmit information via modulated light signals. The attack achieves data rates of 10 bit/sec to over 1,000 bit/sec using amplitude and frequency modulation, captured remotely by cameras or optical sensors, demonstrating a practical side-channel exfiltration vector in isolated networks.
In this paper we show how attackers can covertly leak data (e.g., encryption keys, passwords and files) from highly secure or air-gapped networks via the row of status LEDs that exists in networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), intentionally controlling the status LEDs to carry any type of data ('covert-channel') has never been studied before. Malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors. We provide the technical background on the internal architecture of switches and routers (at both the hardware and software level) which enables this type of attack. We also present amplitude and frequency based modulation and encoding schemas, along with a simple transmission protocol. We implement a prototype of an exfiltration malware and discuss its design and implementation. We evaluate this method with a few routers and different types of LEDs. In addition, we tested various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and also discuss different detection and prevention countermeasures. Our experiment shows that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 10 bit/sec to more than 1 Kbit/sec per LED.
Motivation & Objective
- To investigate whether status LEDs on networking devices can be exploited as a covert communication channel for data exfiltration.
- To develop and implement a malware-based system that controls LEDs to encode and transmit sensitive data from isolated networks.
- To evaluate the feasibility of remote data reception using common optical sensors, including security cameras and smartphones.
- To assess the detectability and potential countermeasures for such side-channel attacks.
- To demonstrate that even air-gapped systems are vulnerable to data exfiltration through unintended electromagnetic and optical side channels.
Proposed method
- Malware is deployed on a LAN switch or router to gain full control over the status LEDs.
- Data is encoded using amplitude and frequency modulation techniques applied to the LED blinking patterns.
- A custom transmission protocol is designed to structure the data stream for reliable reception.
- The modulated light signals are captured using remote optical receivers, including standard cameras, security cameras, and dedicated optical sensors.
- The system leverages the inherent hardware and software architecture of network devices to enable precise LED control without detection.
- Signal processing at the receiver side decodes the modulated light into binary data, reconstructing the exfiltrated information.
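The method above rests on one observable property: a covert transmitter holds each symbol for a fixed period, whereas traffic-driven LED activity has irregular on/off durations. The following Python example, added here and not code from the xLED paper or its authors, shows the detection side of that property. It thresholds a sampled LED-intensity trace (as a monitoring camera aimed at a switch's LED row would produce) into on/off runs and scores how tightly the run lengths cluster at integer multiples of a common clock. The simulated OOK transmitter, the 8-bit preamble, the symbol period of 10 samples and the "natural" run-length list are all constructed assumptions used only to build test traces, not the paper's protocol or measured data.

```python
"""Flag clocked (modulated) blinking in a sampled LED-intensity trace.

Added example; not from the xLED paper. All parameters and sample data
below are constructed assumptions for illustration.
"""
from typing import List

SYMBOL_PERIOD = 10       # samples per bit in the simulated transmitter (assumption)
PREAMBLE = "10101010"    # hypothetical sync pattern, not the paper's protocol

# Constructed on/off run lengths (in samples) imitating traffic-driven
# blinking: no common clock underlies these durations.
NATURAL_RUNS = [7, 13, 4, 22, 9, 31, 5, 17, 12, 26, 8, 19, 6, 14, 11, 3, 23, 10]


def simulate_ook_trace(payload: bytes, period: int = SYMBOL_PERIOD) -> List[int]:
    """Simulated on-off-keyed transmitter, used only to build a test trace:
    each bit is held as LED on (1) or off (0) for `period` samples."""
    bits = PREAMBLE + "".join(f"{b:08b}" for b in payload)
    return [int(bit) for bit in bits for _ in range(period)]


def trace_from_runs(runs: List[int], start_on: bool = True) -> List[int]:
    """Expand a list of alternating on/off run lengths into a sample trace."""
    trace, state = [], int(start_on)
    for length in runs:
        trace.extend([state] * length)
        state ^= 1
    return trace


def run_lengths(trace: List[float], threshold: float = 0.5) -> List[int]:
    """Threshold an intensity trace to on/off states and return the length
    of every run of consecutive identical states."""
    states = [1 if sample > threshold else 0 for sample in trace]
    runs, current = [], 1
    for prev, cur in zip(states, states[1:]):
        if cur == prev:
            current += 1
        else:
            runs.append(current)
            current = 1
    runs.append(current)
    return runs


def clocked_fraction(runs: List[int], tolerance: float = 0.15) -> float:
    """Estimate the symbol period as the shortest run, then return the
    fraction of runs that lie within `tolerance` (relative to the period)
    of an integer multiple of it. Near 1.0 means a common clock drives the
    LED; traffic-driven blinking scores much lower."""
    if len(runs) < 4:
        return 0.0  # too few transitions to judge
    period = min(runs)
    hits = 0
    for length in runs:
        ratio = length / period
        if abs(ratio - round(ratio)) <= tolerance:
            hits += 1
    return hits / len(runs)


def looks_modulated(trace: List[float], score_threshold: float = 0.8) -> bool:
    """Decision rule: flag the trace when most runs fit one symbol clock."""
    return clocked_fraction(run_lengths(trace)) >= score_threshold


if __name__ == "__main__":
    covert = simulate_ook_trace(b"Ab")           # constructed payload
    natural = trace_from_runs(NATURAL_RUNS)
    print("simulated OOK trace:", clocked_fraction(run_lengths(covert)), looks_modulated(covert))
    print("traffic-like trace: ", clocked_fraction(run_lengths(natural)), looks_modulated(natural))
```

The score deliberately estimates the clock from the data itself rather than assuming a known period, since the attacker chooses the bit rate; the trade-off is that a very short spurious run would pull the estimate down, so in practice the shortest run should be taken from a smoothed trace or from a percentile rather than the raw minimum.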
Experimental results
Research questions
- RQ1: Can status LEDs on routers and switches be used as a covert communication channel for data exfiltration?
- RQ2: What modulation techniques enable reliable data transmission through LED blinking patterns?
- RQ3: What are the achievable data rates using different LED types and receiver configurations?
- RQ4: How effective are common consumer-grade cameras and optical sensors in capturing and decoding the modulated signals?
- RQ5: What are the practical limitations and detection risks of such an attack in real-world air-gapped environments?
Key findings
- The xLED attack successfully exfiltrated data from air-gapped networks using only the status LEDs on routers and switches.
- Data transmission rates ranged from 10 bit/sec to over 1,000 bit/sec, depending on the LED type and modulation scheme.
- Remote cameras, including smartphone and security cameras, were able to capture and decode the modulated LED signals with high accuracy.
- Optical sensors provided the most reliable and high-bandwidth reception, achieving the highest data rates.
- The attack remained undetected in standard network monitoring due to the absence of network traffic or protocol anomalies.
- The method demonstrated feasibility across multiple router and switch models, confirming broad applicability.
This review was created by AI and reviewed by human editors.