New "Glowworm attack" recovers audio from devices' power LEDs | Ars Technica

2021-11-25 10:57:21 By : Ms. Lisa Wang


Jim Salter - August 9, 2021 at 1:00 PM UTC

Researchers at Ben-Gurion University of the Negev have demonstrated a new method of monitoring electronic conversations. A new paper published today outlines a new passive form of TEMPEST attack called Glowworm, which converts small fluctuations in the intensity of power LEDs on speakers and USB hubs back into the audio signals that caused those fluctuations.

The Cyber@BGU team (consisting of Ben Nassi, Yaron Pirutin, Tomer Galor, Boris Zadov, and Professor Yuval Elovici) analyzed widely used consumer devices, including smart speakers, simple PC speakers, and USB hubs. The team found that a device's power indicator LED is usually significantly affected by the audio signal fed through the connected speaker.

Although the fluctuations in LED signal strength are usually not detectable with the naked eye, they are strong enough to be read with a photodiode coupled to a simple optical telescope. The slight flicker in power LED output, caused by voltage changes as the speaker draws current, is converted into an electrical signal by the photodiode; the electrical signal can then be run through a simple analog-to-digital converter (ADC) and played back directly.

With enough electronics knowledge, the idea that a device's supposedly steadily lit LED will "leak" information about what the device is doing is straightforward. But as far as we know, the Cyber@BGU team is the first to publish this idea and prove empirically that it works.

The strongest features of the Glowworm attack are its novelty and its passivity. Since the method requires absolutely no active signaling, it is immune to any type of electronic countermeasure sweep. For the moment, potential targets seem unlikely to anticipate or deliberately defend against Glowworm, although this may change once the team's paper is presented at the CCS 21 security conference later this year.

The complete passivity of this attack sets it apart from similar methods: a laser microphone can pick up audio from vibrations on window glass, but defenders may use smoke or steam to detect that attack, especially if they know the frequency range the attacker may use.

Unlike "The Thing," Glowworm requires no unexpected signal leakage or intrusion, even while actively in use. The Thing was a gift from the Soviet Union to the US ambassador in Moscow, and it both required "illumination" and broadcast a clear signal while illuminated. It was a carved wooden copy of the Great Seal of the United States, and it contained a resonator that, if lit up ("illuminated") by a radio signal of a specific frequency, would broadcast a clear audio signal over the radio. The actual device was completely passive; it worked much like a modern RFID chip (the kind that goes off when you leave the electronics store with something the clerk forgot to mark as purchased).

Although Glowworm can monitor a target without exposing itself, it is not something most people need to worry about. Unlike the listening devices we mentioned in the previous section, Glowworm does not interact with actual audio at all, only with a side effect of the electronic devices that produce the audio.

This means that, for example, a Glowworm attack successfully used to monitor a conference call would not capture the audio of the person actually in the room, only the audio of the remote participant whose voice is played through the conference room audio system.

The need for a clear line of sight is another issue, one that means most targets will be defended from Glowworm entirely by accident. Getting a clear line of sight to a window pane for a laser microphone is one thing, but getting a clear line of sight to the power LED on a computer speaker is another matter entirely.

Humans usually prefer to face windows themselves for the view and to have the LEDs on their devices face them. This leaves the LEDs obscured from a potential Glowworm attack. Defenses against simple lip reading, such as curtains or drapes, are also effective hedges against Glowworm, even if the targets don't actually know that Glowworm might be a problem.

Finally, there is currently no real risk of a Glowworm "replay" attack using video that contains footage of vulnerable LEDs. A close-range 4k video at 60 fps might just barely capture the drop in a dubstep track, but it will not usefully recover human speech, which centers between 85Hz-255Hz for vowels and 2KHz-4KHz for consonants.
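The frame-rate limit described above, worked through as an added example (not part of the original article or the researchers' code): it shows that tones at the speech frequencies the article quotes fold onto low alias frequencies once sampled at 60 fps. It assumes each video frame is one ideal instantaneous sample of LED brightness; the 200 Hz tone and all function names are constructed for illustration.

```python
import math

FPS = 60  # frame rate quoted in the article

def sample_tone(freq_hz, fs=FPS, seconds=1.0):
    """Ideal point-samples of a unit sine, one per video frame (assumed model)."""
    n = int(fs * seconds)
    return [math.sin(2 * math.pi * freq_hz * k / fs) for k in range(n)]

def dominant_bin_hz(samples, fs=FPS):
    """Frequency (Hz) of the strongest DFT bin between 0 and fs/2."""
    n = len(samples)
    best_hz, best_mag = 0.0, -1.0
    for b in range(n // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * b * k / n) for k, x in enumerate(samples))
        im = sum(x * math.sin(2 * math.pi * b * k / n) for k, x in enumerate(samples))
        mag = math.hypot(re, im)
        if mag > best_mag:
            best_hz, best_mag = b * fs / n, mag
    return best_hz

def alias_hz(freq_hz, fs=FPS):
    """Predicted landing spot of a tone after sampling at fs: folded into [0, fs/2]."""
    r = freq_hz % fs
    return min(r, fs - r)

def observed_in_video(freq_hz, fs=FPS):
    """What the sampled frames actually show for a tone of freq_hz."""
    return dominant_bin_hz(sample_tone(freq_hz, fs), fs)

if __name__ == "__main__":
    # Speech band edges as given in the article, plus a constructed 200 Hz tone.
    for f in (85, 200, 255, 2000, 4000):
        print(f"{f:>5} Hz tone -> appears at {observed_in_video(f):4.1f} Hz "
              f"(predicted {alias_hz(f):4.1f} Hz)")
```

In this model the 200 Hz, 2 kHz and 4 kHz tones all land on the same 20 Hz bin, so the frames carry no way to tell them apart.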

Although Glowworm is limited in practice by its need for a clear line of sight to the LEDs, it can work over long distances. The researchers recovered intelligible audio at 35 meters, and between adjacent office buildings with mostly glass curtain walls, the attack would be difficult to detect.

For potential targets, the simplest fix is very simple indeed: just make sure that none of your devices has a window-facing LED. Particularly paranoid defenders can also mitigate the attack by placing opaque tape over any LED indicators that might be affected by audio playback.

On the manufacturer's side, eliminating Glowworm leakage is relatively simple: instead of coupling a device's LED directly to the power line, the LED can be coupled through an operational amplifier or a GPIO port of an integrated microcontroller. Alternatively (and perhaps more cheaply), a relatively low-power device can dampen power supply fluctuations by connecting a capacitor in parallel to the LED, where it acts as a low-pass filter.
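To put numbers on the capacitor mitigation, the following added example (not from the article or the researchers' paper) treats the LED node as an ideal first-order RC low-pass and checks the analytic attenuation against a time-domain simulation at the speech frequencies quoted earlier. The 330 ohm and 100 uF values, the 100 nF comparison and all function names are assumptions chosen for illustration; a real LED is nonlinear, so treat the result as a first-order estimate.

```python
import math

R_OHMS = 330.0      # assumed resistance feeding the LED node (hypothetical)
C_FARADS = 100e-6   # assumed capacitor in parallel with the LED (hypothetical)

def cutoff_hz(r=R_OHMS, c=C_FARADS):
    """Corner frequency of the first-order RC low-pass."""
    return 1.0 / (2 * math.pi * r * c)

def gain(freq_hz, r=R_OHMS, c=C_FARADS):
    """Analytic fraction of a ripple tone that still reaches the LED."""
    return 1.0 / math.sqrt(1.0 + (freq_hz / cutoff_hz(r, c)) ** 2)

def attenuation_db(freq_hz, r=R_OHMS, c=C_FARADS):
    """The same fraction expressed in decibels (negative means attenuated)."""
    return 20 * math.log10(gain(freq_hz, r, c))

def simulated_gain(freq_hz, r=R_OHMS, c=C_FARADS, fs=200_000, seconds=0.5):
    """Time-domain check: feed a unit ripple tone through the filter, measure the peak."""
    dt = 1.0 / fs
    alpha = dt / (r * c + dt)          # backward-Euler step of the RC equation
    n = int(fs * seconds)
    y = peak = 0.0
    for k in range(n):
        x = math.sin(2 * math.pi * freq_hz * k / fs)
        y += alpha * (x - y)
        if k >= n // 2:                # ignore the start-up transient
            peak = max(peak, abs(y))
    return peak

if __name__ == "__main__":
    print(f"cutoff with 100 uF: {cutoff_hz():.2f} Hz")
    for f in (85, 255, 2000, 4000):    # speech band edges quoted in the article
        print(f"{f:>5} Hz: analytic {gain(f):.5f}, simulated {simulated_gain(f):.5f}, "
              f"{attenuation_db(f):6.1f} dB")
    # Too small a capacitor (100 nF, constructed) leaves speech almost untouched.
    print(f"2000 Hz with 100 nF: gain {gain(2000, c=100e-9):.3f}")
```

The comparison at the end is the practical check: the capacitor only helps if the resulting cutoff sits well below the lowest audio frequency the device plays.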

For those interested in more details about Glowworm and its effective mitigation, we recommend visiting the researchers' website, which contains a link to the full 16-page white paper.
