xLED Malware Steals Data Using Router LEDs

Data is converted into a binary format and transmitted by flashing the LED activity lights while a nearby camera records their output.

Malware comes in many forms, but the xLED malware is one of the most bizarre (and novel) forms of malicious software I’ve ever heard about. It is capable of infecting a router or switch and then stealing data by flashing the LEDs such devices always have.

According to Bleeping Computer, the xLED malware was created by a team at the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel. They’ve had previous success using the LED on a hard drive and a drone to capture the data. But targeting switches and routers allows for much greater data capture because there are many more LEDs over which to transmit.


The data stealing works by first infecting the target switch or router with the malware. Once installed, the data theft can be carried out by converting data into a binary format of zeros and ones. Then each LED on the device can transmit a binary digit: turned on for one and off for zero.

To record the data, a camera is required. It could be mounted on a drone looking through a window, set up by a bribed security guard, or be a hacked security camera. Much is dependent on the setting and situation.

Recording can also be done using optical sensors, and this apparently gives the best results because it can record the LED light changes at a much higher sampling rate. Combine that with multiple LED lights from which to record on an individual switch/router and the researchers managed to achieve a data stealing rate of 1,000 bits/second per LED.
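Why the receiver's sampling rate matters can be shown with a small simulation of the on/off scheme described above. This is an added example, not the researchers' code; it models the optical channel only, and the LED count, camera frame rate and sensor rate are assumptions chosen for illustration.

```python
# Added illustration: simulates the optical channel only; no device LEDs are touched.
PER_LED_BPS = 1000   # rate reported in the article (bits/second per LED)
N_LEDS = 8           # assumption: LEDs visible on the device
CAMERA_FPS = 30      # assumption: ordinary video camera
SENSOR_HZ = 4000     # assumption: optical sensor sampling rate

def to_frames(data: bytes, n_leds: int) -> list:
    """One frame = one on/off state per LED (1 = on, 0 = off), MSB first."""
    bits = [(b >> s) & 1 for b in data for s in range(7, -1, -1)]
    bits += [0] * (-len(bits) % n_leds)           # pad the last frame
    return [tuple(bits[i:i + n_leds]) for i in range(0, len(bits), n_leds)]

def observe(frames: list, frame_hz: int, sample_hz: int) -> list:
    """What a receiver sampling at sample_hz sees, as one reading per frame slot."""
    n = max(1, len(frames) * sample_hz // frame_hz)
    samples = [frames[min(k * frame_hz // sample_hz, len(frames) - 1)]
               for k in range(n)]
    # For each frame slot, take the sample nearest its midpoint.
    return [samples[min((2 * i + 1) * sample_hz // (2 * frame_hz), n - 1)]
            for i in range(len(frames))]

def bit_error_rate(sent: list, seen: list) -> float:
    """Fraction of LED states the receiver read incorrectly."""
    wrong = sum(a != b for f, g in zip(sent, seen) for a, b in zip(f, g))
    return wrong / (len(sent) * len(sent[0]))

if __name__ == "__main__":
    payload = bytes(range(256))                   # constructed sample data
    frames = to_frames(payload, N_LEDS)
    print("aggregate rate:", N_LEDS * PER_LED_BPS, "bits/second")
    for name, hz in (("camera", CAMERA_FPS), ("optical sensor", SENSOR_HZ)):
        ber = bit_error_rate(frames, observe(frames, PER_LED_BPS, hz))
        print(f"{name:>14} at {hz} Hz: bit error rate {ber:.2f}")
```

A receiver that samples more slowly than the LEDs change state misses most frames, which is why the per-LED rate quoted above depends on an optical sensor rather than an ordinary camera.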

The most difficult part of allowing this malware to work is installing it on the router or switch in the first place. However, we can’t forget this is just a piece of research and not a real attack vector. But it could be in the future, and by identifying it as a potential weakness in a network, manufacturers can think about ways to counter it in case someone does try to deploy this type of malware. Duct tape, perhaps?


