In the LED blink, the secrets slide: the rise of the theft of visual data

For decades, systems that are physically isolated from external networks were the last line of defense for high security environments: nuclear facilities, defense networks, research, development and critical infrastructure. But in 2025, even isolation is not enough. Why? Because the attackers learned to flash the data.

Welcome to the world of secret visual data, as the LEDS manipulates, the MORSE symbol becomes a mediator, and the surveillance cameras are like listening posts.

Data leakage with light

This technique is deceptive, but incredibly effective.

1. A air -collected system is injured with specialized harmful programs by accessing the exhibition USB at risk or infiltration of the supply chain.

2. Harmful programs encrypt sensitive data (passwords, encryption keys, documents) to a binary or practical code.

3. Then the data is adjusted in visual signals by a LED lamp over the plane, usually:

   1. HDD activity performs

   2. Keyboard indicators (NUM lock, hats lock

   3. The state of the router port is

   4. LEDS IR in surveillance cameras

4. A striker with access to a smart line using a smartphone, drone, a camera, telescope, or kidnapped CCTV, and flash patterns.

5. On the side of the attacker, visual data is decoded in a normal text using signal processing or computer vision tools.

   

How to work

Let us divide it with an example using a surveillance camera with LER IR:

Step 1: Spreading malware

• Men software is delivered by infected fixed programs, an interior USB engine, or pre -installed Rootkit.
• Harmful programs were able to access the IR IR controls for the camera, and are often available through low -level applications or correction facades.

Step 2: Data coding and modifying it

Sensitive data (for example, “Rootpassword123”) is converted into a binary or practical code:

`"R" in Morse: .-. `

Or

    `in binary: 01010010` 

• The data is framed with starting/stopping serials to help synchronize while decoding.
• Timing is crucial: the various time breaks must be fixed (for example, 100 milliliters, 100 mm per bit).

Step 3: Visual transmission

IR LED is fast and invisible to the human eye, but it can be detected for most cameras or infrared sensors.

    `LED on = binary 1` 

    `LED off = binary 0` 

• The transmission rates range from 10-100 bits per second, depending on the type LED and brightness.

Step 4: Visual capture

The attacker plays a camera inside Los (vision line). It can be:

• Tampering camera camera
• Camera installed on drones at night
• The smartphone from a nearby building
• The entire frame analysis picks up a flashing pattern.
• OpenCV or similar libraries are used to extract the signal and decode it.

Step 5: Reconstruction

The software cancels the update of the light pulses, rebuilds the bilateral flow, and restores it to the human readable content.

Real world applications

This is not just a theory. Here are some of the concept attacks that showed this technique in the wilderness:

Jabour Air (Ben Gurion University):

• Amid the attack: LEDS IR on surveillance cameras
• Data rate: ~ 20 bits per second
• Range: up to 25 meters

LED-IT-G

• Average attack: hard drive lamps
• Data rate: ~ 100 bits per second
• Range: up to 30 meters

XLED

• Medium attack: keyboard indicators (hats lock, lock, etc.)
• Data rate: ~ 60 bits per second
• Range: up to 20 meters

Glow

• Amid the attack: leakage from the sound to light from LEDS Power
• Data rate: negative signal leakage, is not coded by malware
• Range: It can be discovered with visual line sensors

Risk factors: where it can happen

This attack is especially dangerous in:

• High security laboratories in the air
• Industrial Control Systems (ICS)
• Safe server rooms with exposed LED lamps
• Offices using monitoring of infrared paper to monitor the night

If you have:

• Line of Sight Lides,
• Men’s infection transmission,
• Observation infrastructure, then, you have a viable eXFiltration channel.

How to defend against LED COVERT channels

Reducing a multi -layer approach:

1) Physical controls

The lamp mass with an inappropriate tape or shield covers.

• Use blacking or anti -Arabic glass containers in sensitive areas.
• Put sensitive systems in closed transparent environments.

2). Monitor

• Discover unauthorized LED lush patterns using visual sensors or detect anomalies based on machine learning.
• LOG and Audit LED use via fixed programs (when necessary).

3). Fixed program and hardening operating system

• Camera LED applications to combat applications to combat Camera LED unless necessary.
• Spread the health/firmware health verification tools in the air -transported systems.
• LEDS disable the keyboard and the steering of the router port where it is not used.

Final ideas

The LED blink was harmless – a negative sign of the activity. But in 2025, it could be an electronic whisper, and the secrets bleed at night. In a world where radio silence is no longer sufficient, organizations must now think about photons as well as packages.

Therefore, the next time your devices start in a strange flash, do not call them, call the CIA.