Researchers at Ben-Gurion University of the Negev have demonstrated a new way to spy on electronic conversations. A new article published today describes a novel passive form of the TEMPEST attack called Glowworm, which converts minute fluctuations in the intensity of the power LEDs on speakers and USB hubs back into the audio signals that caused those fluctuations.
The Cyber @ BGU team, consisting of Ben Nassi, Yaron Pirutin, Tomer Galor, Boris Zadov and Professor Yuval Elovici, analyzed a wide range of widely used consumer devices, including smart speakers, simple PC speakers and USB hubs. The team found that the power LEDs on these devices were usually measurably influenced by the audio signals fed through the connected speakers.
Although the fluctuations in LED brightness are usually not noticeable to the naked eye, they are strong enough to be read with a photodiode coupled to a simple optical telescope. The slight flicker of the power LED output, caused by voltage changes as the speakers draw electric current, is converted into an electrical signal by the photodiode; that signal can then be passed through a simple analog-to-digital converter (ADC) and read directly.
A new passive approach
With sufficient knowledge of electronics, the idea that a device’s supposedly solid-lit LEDs “divulge” information about what it is doing is straightforward. But to our knowledge, the Cyber @ BGU team is the first to both publish the idea and prove that it works empirically.
The strongest characteristics of the Glowworm attack are its novelty and its passivity. Since the approach requires absolutely no active signaling, it would be immune to any sort of electronic countermeasure sweep. And for now, it seems unlikely that any potential target would expect or deliberately defend against Glowworm, although that may change once the team’s paper is presented later this year at the CCS 21 security conference.
The total passivity of the attack sets it apart from similar approaches: a laser microphone can pick up audio from vibrations on a glass window. But defenders can potentially spot the attack using smoke or steam, especially if they know the likely frequency ranges an attacker could use.
Glowworm also requires no unexpected signal leakage or intrusion, even while actively in use, unlike “The Thing”. The Thing was a Soviet gift to the United States Ambassador in Moscow, which both required “lighting” and broadcast a clear signal while illuminated. It was a carved wooden copy of the Great Seal of the United States, and it contained a resonator which, if hit with a radio signal at a certain frequency (“lighting it up”), would then broadcast a clear audio signal by radio. The actual apparatus was completely passive; it worked much like modern RFID chips (the things that squawk when you leave the electronics store with purchases the clerk forgot to mark as purchased).
Despite Glowworm’s ability to spy on targets without revealing itself, it’s not something most people will need to worry about much. Unlike the listening devices we mentioned in the section above, Glowworm does not interact with actual audio at all, but only with a side effect of electronic devices that produce audio.
This means that, for example, a Glowworm attack successfully used to spy on a conference call would not capture audio from those who are actually in the room, but only from remote participants whose voices are being played over the conference room’s audio system.
Another issue that means most targets will be defended against Glowworm entirely by accident is the need for a clear line of sight. Getting line of sight to a pane of glass for a laser microphone is one thing, but getting line of sight to the power LEDs of a computer speaker is another.
Humans generally prefer to face the windows themselves for the view and have the LEDs on devices face them. This leaves the LEDs hidden from a potential Glowworm attack. Defenses against lip reading, such as curtains or drapes, are also effective protections against Glowworm, although targets may not really know Glowworm can be a problem.
Finally, there is currently no real risk of a Glowworm “replay” attack using video that includes shots of vulnerable LEDs. A close-up 4K video at 60 fps might barely capture the drop in a dubstep banger, but it won’t usefully recover human speech, which is between 85Hz and 255Hz for vowels and 2kHz to 4kHz for consonants.
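The frame-rate argument above, worked through as an added example that is not from the article or the researchers' paper: it assumes the video yields one LED brightness sample per frame, so everything above 30Hz folds back into the 0 to 30Hz band. Function names and the sampled test tones are constructed for illustration.

```python
import math

FPS = 60.0                          # frame rate quoted in the article
SPEECH_HZ = (85, 255, 2000, 4000)   # speech band edges quoted in the article

def alias_frequency(f_hz, fs_hz=FPS):
    """Frequency at which a flicker of f_hz appears after sampling at fs_hz."""
    r = f_hz % fs_hz
    return min(r, fs_hz - r)

def sample_tone(f_hz, fs_hz=FPS, seconds=2.0):
    """Constructed input: brightness of an LED flickering at f_hz, one sample per frame."""
    n = int(fs_hz * seconds)
    return [math.sin(2 * math.pi * f_hz * i / fs_hz) for i in range(n)]

def dominant_frequency(samples, fs_hz=FPS):
    """Frequency (Hz) of the strongest DFT bin, DC excluded."""
    n = len(samples)
    best_k, best_mag = 0, -1.0
    for k in range(1, n // 2 + 1):
        re = sum(s * math.cos(2 * math.pi * k * i / n) for i, s in enumerate(samples))
        im = sum(s * math.sin(2 * math.pi * k * i / n) for i, s in enumerate(samples))
        mag = math.hypot(re, im)
        if mag > best_mag:
            best_k, best_mag = k, mag
    return best_k * fs_hz / n

if __name__ == "__main__":
    for f in SPEECH_HZ:
        seen = dominant_frequency(sample_tone(f))
        print(f"{f:>5} Hz flicker is recorded as {seen:4.1f} Hz "
              f"(predicted alias {alias_frequency(f):4.1f} Hz)")
```

Both consonant band edges, 2kHz and 4kHz, are recorded as the same 20Hz component, so the frames cannot tell them apart from each other or from a genuine 20Hz flicker.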
Turn off the lights
While Glowworm is practically limited by its need for line of sight to LEDs, it works at a significant distance. The researchers recovered intelligible sound from 35 meters away, and in the case of adjacent office buildings with mostly glass facades, it would be quite difficult to detect.
For potential targets, the simplest solution is indeed very simple: just make sure that none of your devices have LEDs facing the window. Particularly paranoid defenders can also mitigate the attack by placing an opaque strip over any LED indicators that could be influenced by audio playback.
On the manufacturer’s side, defeating Glowworm leakage would also be relatively straightforward. Rather than directly coupling a device’s LEDs to the power line, the LED could be coupled through an operational amplifier or a GPIO port of an integrated microcontroller. Alternatively (and perhaps at a lower cost), relatively low-power devices could dampen fluctuations in the power supply by connecting a capacitor in parallel with the LED, acting as a low-pass filter.
For those interested in more details about Glowworm and its effective mitigation, we recommend visiting the researchers’ website, which includes a link to the full 16-page white paper.
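To show how the capacitor mitigation above can be sized, here is an added example (not from the article or the paper) that models the LED branch as a first-order RC low-pass and cross-checks the formula with a time-domain simulation. The 330 ohm effective resistance and the capacitor list are constructed assumptions; a real design must also account for the LED's own dynamic resistance.

```python
import math

SPEECH_HZ = (85, 255, 2000, 4000)  # speech band edges quoted in the article

def gain(f_hz, r_ohm, c_farad):
    """Analytic magnitude of a first-order RC low-pass at f_hz."""
    fc = 1.0 / (2 * math.pi * r_ohm * c_farad)  # -3 dB corner frequency
    return 1.0 / math.sqrt(1.0 + (f_hz / fc) ** 2)

def attenuation_db(f_hz, r_ohm, c_farad):
    return -20 * math.log10(gain(f_hz, r_ohm, c_farad))

def simulated_gain(f_hz, r_ohm, c_farad, fs=200_000):
    """Feed a unit-amplitude ripple tone through a discrete RC filter and
    return the settled output amplitude (cross-check of gain())."""
    tau, dt = r_ohm * c_farad, 1.0 / fs
    alpha = dt / (tau + dt)
    settle = int(10 * tau * fs)          # let the start-up transient die out
    total = settle + int(5 * fs / f_hz)  # then observe five full cycles
    y = peak = 0.0
    for i in range(total):
        y += alpha * (math.sin(2 * math.pi * f_hz * i * dt) - y)
        if i >= settle:
            peak = max(peak, abs(y))
    return peak

def smallest_capacitor(r_ohm, target_db, candidates):
    """Smallest candidate meeting target_db at the lowest speech frequency,
    the hardest one for a low-pass filter to suppress."""
    for c in sorted(candidates):
        if attenuation_db(min(SPEECH_HZ), r_ohm, c) >= target_db:
            return c
    return None

# Constructed values, not from the paper: effective series resistance and
# a shelf of standard capacitor sizes.
R_EFF = 330.0
CAPS = [1e-6, 10e-6, 100e-6, 470e-6]

if __name__ == "__main__":
    c = smallest_capacitor(R_EFF, 20.0, CAPS)
    for f in SPEECH_HZ:
        print(f"{f:>5} Hz: {attenuation_db(f, R_EFF, c):5.1f} dB with {c * 1e6:.0f} uF")
```

Because attenuation grows with frequency, a capacitor that meets the target at 85Hz suppresses the consonant band far more strongly.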