
xLED Malware Steals Data Using Router LEDs

Data is converted into a binary format and transmitted by flashing the LED activity lights while a nearby camera records their output.

Updated June 7, 2017

Malware comes in many forms, but the xLED malware is one of the most bizarre (and novel) forms of malicious software I've ever heard about. It is capable of infecting a router or switch and then stealing data by flashing the LEDs such devices always have.

According to Bleeping Computer, the xLED malware was created by a team at the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel. They've had previous success using the LED on a hard drive and a drone to capture the data. But targeting switches and routers allows for much greater data capture because there are many more LEDs over which to transmit.

The data stealing works by first infecting the target switch or router with the malware. Once it is installed, the data theft can be carried out by converting data into a binary format of zeros and ones. Each LED on the device can then transmit a binary digit: turned on for one and off for zero.

A camera is required to record the data. This could be mounted on a drone looking through a window, set up by a bribed security guard, or be a hacked security camera. Much depends on the setting and situation.

Recording can also be done using optical sensors, and this apparently gives the best results because a sensor can record the LED light changes at a much higher sampling rate. Combine that with the multiple LEDs available to record from on an individual switch or router, and the researchers managed to achieve a data-stealing rate of 1,000 bits/second per LED.
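The on/off encoding and the sampling-rate point above can be seen in a small simulation. This is an added example, not code from the researchers or from PCMag; it touches no hardware, and the 8-LED bank, the 30 Hz camera and 4,000 Hz sensor rates, and the noise-free, perfectly synchronised receiver are assumptions.

```python
# Added illustration: pure simulation, no device or LED access.

def to_bits(data: bytes) -> list[int]:
    """Bytes to a flat list of bits, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def from_bits(bits: list[int]) -> bytes:
    """Inverse of to_bits; trailing bits that do not fill a byte are dropped."""
    usable = len(bits) - len(bits) % 8
    return bytes(
        sum(bit << (7 - j) for j, bit in enumerate(bits[i:i + 8]))
        for i in range(0, usable, 8)
    )

def led_rows(data: bytes, n_leds: int) -> list[list[int]]:
    """One row per bit period; each LED shows one bit (on = 1, off = 0)."""
    bits = to_bits(data)
    bits += [0] * (-len(bits) % n_leds)  # pad the last row with 'off'
    return [bits[i:i + n_leds] for i in range(0, len(bits), n_leds)]

def simulate(data: bytes, n_leds: int, bit_rate: int, sample_rate: int):
    """Return (bytes the receiver recovers, bit periods it never sampled).

    bit_rate is bits per second per LED, sample_rate is receiver samples
    per second. Assumes a noise-free, perfectly synchronised receiver.
    """
    rows = led_rows(data, n_leds)
    seen = {}
    for k in range(len(rows) * sample_rate // bit_rate):
        r = k * bit_rate // sample_rate  # bit period in progress at sample k
        seen.setdefault(r, rows[r])
    recovered = [bit for r in sorted(seen) for bit in seen[r]]
    return from_bits(recovered)[:len(data)], len(rows) - len(seen)

# Constructed sample payload, not data from the research.
PAYLOAD = bytes(range(100))

if __name__ == "__main__":
    for rate in (30, 4000):  # assumed camera frame rate vs. assumed sensor rate
        got, missed = simulate(PAYLOAD, n_leds=8, bit_rate=1000, sample_rate=rate)
        print(rate, "Hz:", missed, "bit periods missed, intact:", got == PAYLOAD)
```

At 1,000 bits/second per LED, the simulated 30 Hz receiver samples only 3 of the 100 bit periods, while the 4,000 Hz receiver sees every one, which is why the observer's sampling rate bounds how much such a channel can leak.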

The most difficult part of allowing this malware to work is installing it on the router or switch in the first place. However, we can't forget this is just a piece of research and not a real attack vector. But it could be in the future, and by identifying it as a potential weakness in a network, manufacturers can think about ways to counter it in case someone does try to deploy this type of malware. Duct tape, perhaps?


About Matthew Humphries

Senior Editor

I started working at PCMag in November 2016, covering all areas of technology and video game news. Before that I spent nearly 15 years working at Geek.com as a writer and editor. I also spent the first six years after leaving university as a professional game designer working with Disney, Games Workshop, 20th Century Fox, and Vivendi.
