Flickering LEDs on networking stuff - can the NSA read it?
January 18, 2015 10:26 AM

My computer router/hub/switch/modem has LEDs that flicker as network traffic streams through each port. And I know that LEDs can switch on/off faster than the human eye can perceive. So do these LEDs actually light up for each '1' or '0' that's passing through it and if so, can somebody with the right technology snoop on my network traffic by observing the LEDs on my kit?
posted by Xhris to Computers & Internet (13 answers total) 1 user marked this as a favorite
 
No.

But someone who has the required physical access to your router to see the LEDs could trivially access your home network and monitor network traffic that way.

The most likely way that the NSA would read your web activity is by tapping into your ISP to access the aggregated traffic, not hit your home individually unless you're on a (very, very high) priority list.
posted by dvrmmr at 10:33 AM on January 18, 2015 [1 favorite]


No they don't.
posted by turkeyphant at 10:33 AM on January 18, 2015


At best, your router might flicker on a per packet basis (although TBH it would be more likely to be flickering per frame, which means a packet plus ancillary, localized routing data), but router speeds are measured in packets per second.

There's really no reason for the router to essentially go through the contents of a packet, i.e. bit or even just byte by byte.

The only thing I could quickly google that really describes what the lights measure is this, from some standard Cisco boilerplate:

Off—In the Cisco IOS software, but no network activity.

Blink (500 ms ON, 500 ms OFF)—In ROMMON [a diagnostic mode], no errors.

Blink (500 ms ON, 500 ms OFF, 2 seconds between codes)—In ROMMON, error detected.

Blink (less than 500 ms)—In the Cisco IOS software, the blink rate reflects the level of activity.


That doesn't tell me what actually is being reflected, i.e. whether there is a 1:1 ratio of packets/frames to blinks, or 10:1 or 100:1 or 1000:1, even. But it is very unlikely to be blinking your bits.

In olden times, and probably still, there was much discussion of electronic detection methods, such as the vaunted TEMPEST attack against which many of our most secure systems are supposedly hardened. In reality most hacking has turned out to be based on social engineering exploits, such as getting someone to load a virus into a network using a thumb drive. This is believed to be, for example, how "A MAJOR DEVELOPED COUNTRY AND POSSIBLY AN ALLY" (use your imagination) managed to get the Stuxnet virus into Iranian nuclear sites.

Similarly I would be much more concerned about using any sort of consumer computer software (like Windows, especially older and non-updated versions) without the proper firewall and virus protections, and doing online banking, and not using a password locker, and numerous other things that put you more at risk of compromise. It's like everybody worrying about the possibility of a plane crash, when the death rate from jaywalking is so much higher.
posted by dhartung at 10:54 AM on January 18, 2015 [3 favorites]


In theory, yes, it's totally possible (via an "optical" TEMPEST attack). But would the NSA go to all that trouble, unless you were some kinda big fish? Probably not.
posted by un petit cadeau at 10:55 AM on January 18, 2015 [2 favorites]


You can deduce something about the nature of the traffic on a port by looking at the LED: irregular blinking means data is being transferred; regular blinking means the port is idle. But that's all you can deduce: the LED does not blink for each data bit as it goes by. In any case if you can see the LEDs, you have physical access to the wiring, and can tap it.
posted by monotreme at 1:00 PM on January 18, 2015


The optical detection method described above by un petit cadeau applied to old dial-up modems operating at a maximum of 56 Kbits per second. Your cable/DSL modem and router are operating at megabits per second.

Typically they employ a pulse stretcher to indicate activity. When activity is detected, the LED flashes on for a minimum pulse of several milliseconds which corresponds to thousands of individual bits. So no, they don't flash for individual bits and therefore no bit data can be detected.
posted by JackFlash at 4:51 PM on January 18, 2015
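
An added illustration, not part of the thread and not any poster's code: a small simulation of the pulse stretcher described in the answer above, next to an LED wired straight to the data line. The frame length, idle gap and 2000-bit hold time are assumed values, and the stretcher's trigger is modelled as "a frame is on the wire".

```python
import random

HOLD_BITS = 2000  # assumed stretcher on-time, in bit times ("thousands of bits")

def make_line(payloads, gap):
    """Constructed wire timeline: None = idle, 0/1 = a data bit of a frame."""
    line = []
    for p in payloads:
        line += list(p) + [None] * gap
    return line

def led_direct(line):
    """LED driven from the data line itself: lit exactly when a 1 bit passes."""
    return [1 if s == 1 else 0 for s in line]

def led_stretched(line, hold=HOLD_BITS):
    """Activity LED behind a pulse stretcher: any activity (re)starts a pulse
    that keeps the LED lit for `hold` bit times, whatever the bit values are."""
    out, left = [], 0
    for s in line:
        if s is not None:
            left = hold
        out.append(1 if left > 0 else 0)
        left = max(0, left - 1)
    return out

def recovered_fraction(line, led):
    """Share of data bits an observer gets right by reading the LED as the bit."""
    data = [(s, l) for s, l in zip(line, led) if s is not None]
    return sum(s == l for s, l in data) / len(data)

def demo(seed=1):
    rng = random.Random(seed)
    # Two constructed traffic samples: same frame timing, different payloads.
    frames_a = [[rng.getrandbits(1) for _ in range(1000)] for _ in range(3)]
    frames_b = [[rng.getrandbits(1) for _ in range(1000)] for _ in range(3)]
    a, b = make_line(frames_a, 3000), make_line(frames_b, 3000)
    return {
        "direct_recovered": recovered_fraction(a, led_direct(a)),
        "stretched_recovered": recovered_fraction(a, led_stretched(a)),
        "direct_same_trace": led_direct(a) == led_direct(b),
        "stretched_same_trace": led_stretched(a) == led_stretched(b),
        "stretched_on_time": sum(led_stretched(a)),
    }

if __name__ == "__main__":
    print(demo())
```

With the stretcher in place, two different payloads sent with the same timing produce the same light trace, so the LED shows when traffic flows and for how long, not what the bits were.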


This stuff was on the usual tech news sites 12 years ago:

Journal: ACM Transactions on Information and System Security (TISSEC)
Volume 5 Issue 3, August 2002
Pages 262-289
ACM New York, NY, USA
doi:10.1145/545186.545189

(please pardon the munged formatting that follows)

Abstract:
Information Leakage from Optical Emanations
JOE LOUGHRY Lockheed Martin Space Systems and DAVID A. UMPHRESS Auburn University
A previously unknown form of compromising emanations has been discovered. LED status indicators on data communication equipment, under certain conditions, are shown to carry a modulated optical signal that is significantly correlated with information being processed by the device. Physical access is not required; the attacker gains access to all data going through the device, including plaintext in the case of data encryption systems. Experiments show that it is possible to intercept data under realistic conditions at a considerable distance. Many different sorts of devices, including modems and Internet Protocol routers, were found to be vulnerable. A taxonomy of compromising optical emanations is developed, and design changes are described that will successfully block this kind of “Optical TEMPEST” attack.

Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General—security and protection (e.g., firewalls); D.4.6 [Operating Systems]: Security and Protection—invasive software (e.g., viruses, worms, Trojan horses); E.3 [Data Encryption]: code breaking; K.6.5 [Management of Computing and Information Systems]: Security and Protection—unauthorized access (e.g., hacking, phreaking)

General Terms: Experimentation, Security

Additional Key Words and Phrases: COMINT, communication, compromising emanations, COMSEC, covert channel, EMSEC, encryption, fiber optics, information displays, light emitting diode (LED), SIGINT, TEMPEST

posted by sebastienbailard at 5:36 PM on January 18, 2015


Sebastienbailard, you have simply re-linked to the same article that un petit cadeau did above. Did you read it? As pointed out previously this technique was demonstrated for old dial-up 56 Kbit modems, not modern cable/dsl modems and routers.
posted by JackFlash at 6:03 PM on January 18, 2015


Yes, this hack has been demonstrated.
posted by w0mbat at 9:01 PM on January 18, 2015


As pointed out previously this technique was demonstrated for old dial-up 56 Kbit modems, not modern cable/dsl modems and routers.

Quite right. Sorry, I was skimming.
posted by sebastienbailard at 12:22 AM on January 19, 2015


can somebody with the right technology snoop on my network traffic by observing the LEDs on my kit?

Not if you slap a piece of duct tape over it (visually at least), if you're that worried about it.
posted by radwolf76 at 7:03 AM on January 19, 2015


When you do any sensitive stuff on the internet, you should be using encryption. If you use gmail, it should be https://mail.google.com/, not http://mail.google.com/. That security may not be as tough as the NSA, but trying to crack your banking with encrypted blinky lights is only for the movies. The cheesy movies.
posted by theora55 at 2:39 PM on January 19, 2015


When you do any sensitive stuff on the internet, you should be using encryption.

The point of this hack is that you can intercept traffic over the local subnet which never makes it to the internet. For example, the traffic between a front end and back end server, inside a locked cage at a colo, which the target may not have encrypted because the performance hit seemed unnecessary for local traffic.

I've no idea if this attack ever gets used in practise, but unless router manufacturers have started blurring the data (e.g. with a capacitor on the LED circuit) it's still theoretically possible to extract data from an unobscured LED that's having the raw network data fed through it.
posted by w0mbat at 9:34 AM on January 22, 2015

