Optical TEMPEST Sound Recovery via a Device’s Power Indicator LED
Glowworm Attack
Ben Nassi Yaron Pirutin Tomer Cohen Galor Yuval Elovici Boris Zadov
Ben-Gurion University of the Negev
We recovered speech from speakers by analyzing the
intensity of their power LED from a distance of 25 meters.
Abstract
Two main classes of optical TEMPEST attacks against the confidentiality of information processed/delivered by devices have been demonstrated in the past two decades; the first class includes methods for recovering content from monitors, and the second class includes methods for recovering keystrokes from physical and virtual keyboards.
In this paper, we identify a new class of optical TEMPEST attacks: recovering sound by analyzing optical emanations from a device’s power indicator LED.
We analyze the response of the power indicator LED of various devices to sound and show that there is an optical correlation between the sound that is played by connected speakers and the intensity of their power indicator LED due to the facts that: (1) the power indicator LED of various devices is connected directly to the power line, (2) the intensity of a device's power indicator LED is correlative to the power consumption, and (3) many devices lack a dedicated means of countering this phenomenon.
Based on our findings, we present the Glowworm attack, an optical TEMPEST attack that can be used by eavesdroppers to recover sound by analyzing optical measurements obtained via an electro-optical sensor directed at the power indicator LED of various devices (e.g., speakers, USB hub splitters, and microcontrollers).
We propose an optical-audio transformation (OAT) to recover sound by isolating the speech from the optical measurements obtained by directing an electro-optical sensor at a device's power indicator LED.
Finally, we test the performance of the Glowworm attack in various experimental setups and show that an eavesdropper can apply the attack to recover speech from a speaker's power indicator LED with good intelligibility from a distance of 15 meters and with fair intelligibility from 35 meters.
Associated Publications
-
Glowworm Attack: Optical TEMPEST Sound Recovery via a Device’s Power Indicator LED
Results
"Don't Ask Me To Carry An Oily Rag Like That"
"We Will Make America Great Again!"
Which manufacturers are vulnerable to this attack?
In one word, many.
About 50% of the devices we analyzed are vulnerable to the Glowworm Attack.
Some of the vulnerable manufacturers and devices are presented below.
-
Google - Google Home Mini, Google Nest Audio
-
Logitech - Z120 Speakers, S120 speakers
-
JBL - JBL Go 2
-
Sony - SRS-XB33, SRS-XB43
-
CREATIVE - Pebble speakers
-
TP-Link - TP-Link UE330 USB splitter
-
Miracase - Miracase USB splitter model MHUB500
-
Raspberry Pi - 3, 4
Media
Press
_svg.png){kind=logo}
FAQ
Q1: Why do devices leak information from their power indicator LED?
In many devices, the power indicator LED is connected directly to the power line.
As a result, the intensity of a device's power indicator LED is correlative to the power consumption.
In addition, many devices lack dedicated means of countering this phenomenon.
Q2: Why did you call the attack the Glowworm attack?
Both the attack and the insect develop from a bug that emits light.
Q3: What is the difference between the Lamphone and Glowworm attacks?
Both methods recover sound from light via an electro-optical sensor.
The Lamphone attack is a side-channel attack that exploits a light bulb's minuscule vibrations, which are the result of sound waves hitting the bulb.
The Glowworm attack is a TEMPEST attack that exploits the way that electrical circuits were designed. It can recover sound from devices like USB hub splitters that do not move in response to the acoustic information played by the speakers.
Q4: Did you disclose the details of the attack with the manufacturers?
Yes.
Q5: Can attackers apply the Glowworm Attack using a video camera?
No.
Video cameras are limited with regard to their FPS rate and cannot provide the sampling rate required to recover sound from a video that contains a device's LED.