A new class of passive TEMPEST attack converts LED output into intelligible audio.
Researchers at Ben-Gurion University of the Negev have demonstrated a novel way to spy on electronic conversations. A new paper released today outlines a novel passive form of the TEMPEST attack called Glowworm, which converts minute fluctuations in the intensity of power LEDs on speakers and USB hubs back into the audio signals that caused those fluctuations.
The Cyber@BGU team—consisting of Ben Nassi, Yaron Pirutin, Tomer Gator, Boris Zadov, and Professor Yuval Elovici—analyzed a broad array of widely used consumer devices including smart speakers, simple PC speakers, and USB hubs. The team found that the devices’ power indicator LEDs were generally influenced perceptibly by audio signals fed through the attached speakers.
Although the fluctuations in LED signal strength generally aren’t perceptible to the naked eye, they’re strong enough to be read with a photodiode coupled to a simple optical telescope. The slight flickering of power LED output due to changes in voltage as the speakers consume electrical current are converted into an electrical signal by the photodiode; the electrical signal can then be run through a simple Analog/Digital Converter (ADC) and played back directly.
A novel passive approach
With sufficient knowledge of electronics, the idea that a device’s supposedly solidly lit LEDs will “leak” information about what it’s doing is straightforward. But to the best of our knowledge, the Cyber@BGU team is the first to both publish the idea and prove that it works empirically.
The strongest features of the Glowworm attack are its novelty and its passivity. Since the approach requires absolutely no active signaling, it would be immune to any sort of electronic countermeasure sweep. And for the moment, a potential target seems unlikely to either expect or deliberately defend against Glowworm—although that might change once the team’s paper is presented later this year at the CCS 21 security conference.
The attack’s complete passivity distinguishes it from similar approaches—a laser microphone can pick up audio from the vibrations on a window pane. But defenders can potentially spot the attack using smoke or vapor—particularly if they know the likely frequency ranges an attacker might use.
Glowworm requires no unexpected signal leakage or intrusion even while actively in use, unlike “The Thing.” The Thing was a Soviet gift to the US Ambassador in Moscow, which both required “illumination” and broadcast a clear signal while illuminated. It was a carved wooden copy of the US Great Seal, and it contained a resonator that, if lit up with a radio signal at a certain frequency (“illuminating” it), would then broadcast a clear audio signal via radio. The actual device was completely passive; it worked a lot like modern RFID chips (the things that squawk when you leave the electronics store with purchases the clerk forgot to mark as purchased).
Accidental defense
Despite Glowworm’s ability to spy on targets without revealing itself, it’s not something most people will need to worry much about. Unlike the listening devices we mentioned in the section above, Glowworm doesn’t interact with actual audio at all—only with a side effect of electronic devices that produce audio.
This means that, for example, a Glowworm attack used successfully to spy on a conference call would not capture the audio of those actually in the room—only of the remote participants whose voices are played over the conference room audio system.
The need for a clean line of sight is another issue that means that most targets will be defended from Glowworm entirely by accident. Getting a clean line of sight to a windowpane for a laser microphone is one thing—but getting a clean line of sight to the power LEDs on a computer speaker is another entirely.
Humans generally prefer to face windows themselves for the view and have the LEDs on devices face them. This leaves the LEDs obscured from a potential Glowworm attack. Defenses against simple lip-reading—like curtains or drapes—are also effective hedges against Glowworm, even if the targets don’t actually know Glowworm might be a problem.
Finally, there’s currently no real risk of a Glowworm “replay” attack using video that includes shots of vulnerable LEDs. A close-range, 4k at 60 fps video might just barely capture the drop in a dubstep banger—but it won’t usefully recover human speech, which centers between 85Hz-255Hz for vowel sounds and 2KHz-4KHz for consonants.
Turning out the lights
Although Glowworm is practically limited by its need for clear line of sight to the LEDs, it works at significant distance. The researchers recovered intelligible audio at 35 meters—and in the case of adjoining office buildings with mostly glass facades, it would be quite difficult to detect.
For potential targets, the simplest fix is very simple indeed—just make sure that none of your devices has a window-facing LED. Particularly paranoid defenders can also mitigate the attack by placing opaque tape over any LED indicators that might be influenced by audio playback.
On the manufacturer’s side, defeating Glowworm leakage would also be relatively uncomplicated—rather than directly coupling a device’s LEDs to the power line, the LED might be coupled via an opamp or GPIO port of an integrated microcontroller. Alternatively (and perhaps more cheaply), relatively low-powered devices could damp power supply fluctuations by connecting a capacitor in parallel to the LED, acting as a low-pass filter.
For those interested in further details of both Glowworm and its effective mitigation, we recommend visiting the researchers’ website, which includes a link to the full 16-page white paper.
Source: Ars Technica