New “Glowworm Attack” recovers audio from devices’ power LEDs | GeekComparison

This three-minute video outlines how Glowworm works and provides examples of optically restored audio.

Researchers at Ben-Gurion University of the Negev have demonstrated a new way to spy on electronic conversations. A new paper released today outlines a new passive form of the TEMPEST attack called Glowworm that converts minute fluctuations in the intensity of power LEDs on speakers and USB hubs back into the audio signals that caused those fluctuations.

The Cyber@BGU team, consisting of Ben Nassi, Yaron Pirutin, Tomer Galor, Boris Zadov and Professor Yuval Elovici, analyzed a wide range of commonly used consumer devices, including smart speakers, basic PC speakers and USB hubs. The team found that the devices’ power indicator LEDs were generally noticeably affected by audio signals passed through the connected speakers.

Although the fluctuations in the signal strength of LEDs are generally not noticeable to the naked eye, they are strong enough to be read with a photodiode coupled to a simple optical telescope. The slight flickering of the power LED output due to voltage changes when the speakers consume electrical current is converted into an electrical signal by the photodiode; the electrical signal can then be passed through a simple analog-to-digital converter (ADC) and played directly.

A new passive approach

With enough knowledge of electronics, the idea that a device’s supposedly solid-lit LEDs will “leak” information about what it’s doing is simple. But to our knowledge, the Cyber@BGU team is the first to both publish the idea and prove it works empirically.

The strongest features of the Glowworm attack are its novelty and passivity. Since the approach requires absolutely no active signalling, it would be immune to any kind of electronic countermeasures. And right now, it seems unlikely that a potential target is expecting Glowworm or deliberately defending against it, though that could change once the team’s paper is presented at the CCS 21 security conference later this year.

The complete passivity of the attack sets it apart from similar approaches. A laser microphone can pick up sound from the vibrations on a pane of glass, but defenders may be able to spot it using smoke or vapor, especially if they know the likely frequency ranges an attacker could use.

Unlike ‘The Thing’, Glowworm requires no unexpected signal leakage or intrusion, even while actively in use. The Thing was a Soviet gift to the U.S. ambassador in Moscow that both required “illumination” and broadcast a clear signal while lit. It was a carved wood copy of the Great Seal of the United States, and it contained a resonator that, when illuminated with a radio signal at a certain frequency (“lit”), would transmit a clear audio signal over the radio. The actual device was completely passive; it worked much like modern RFID chips (the things that beep when you leave the electronics store with purchases that the store clerk forgot to mark as purchased).

Inadvertent defense

Despite Glowworm’s ability to spy on targets without revealing itself, most people don’t have much to worry about. Unlike the listening devices we mentioned in the section above, Glowworm doesn’t interact with actual audio at all – only with a side effect of electronic devices producing audio.

This means, for example, that a Glowworm attack successfully used to spy on a conference call will not capture the audio of those who are actually in the room, but only the remote participants whose voices are played over the audio system of the conference room.

The need for a clear line of sight is another issue, meaning most targets are defended against Glowworm completely by accident. Getting a good view of a glass pane for a laser microphone is one thing, but getting a good view of the power LEDs on a computer speaker is quite another.

People generally prefer to face windows themselves for the view and have the LEDs on their devices face them, which keeps the LEDs hidden from a possible Glowworm attack. Defenses against simple lip-reading, such as curtains, are also effective hedges against Glowworm, even if the targets are unaware that Glowworm can be a problem.

Finally, there is currently no real risk of a Glowworm “replay” attack using video that captures vulnerable LEDs. A close-range, 4K at 60 fps video might just catch the drop in a dubstep stunner, but it won’t usefully restore human speech, which is between 85 Hz-255 Hz for vowel sounds and 2 kHz-4 kHz for consonants.
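The frame-rate limit described above, as an added example that is not from the original article or the researchers' paper: it samples a constructed LED flicker once per frame at 60 fps and reports the frequency a recording would appear to contain. The 1% ripple depth, the two-second clip length and the test tones are assumptions.

```python
import cmath
import math

FPS = 60       # frame rate quoted in the article
FRAMES = 120   # two seconds of constructed video, giving 0.5 Hz DFT bins


def led_brightness_per_frame(tone_hz, fps=FPS, frames=FRAMES):
    """One brightness sample per frame for an LED flickering at tone_hz.

    Constructed signal: steady brightness 1.0 plus a 1% ripple (assumed depth).
    """
    return [1.0 + 0.01 * math.sin(2 * math.pi * tone_hz * n / fps)
            for n in range(frames)]


def apparent_frequency(samples, fps=FPS):
    """Return the frequency (Hz) of the strongest non-DC DFT bin."""
    n = len(samples)
    mean = sum(samples) / n
    best_bin, best_mag = 0, 0.0
    for k in range(1, n // 2 + 1):   # nothing above fps / 2 can be represented
        acc = sum((s - mean) * cmath.exp(-2j * math.pi * k * i / n)
                  for i, s in enumerate(samples))
        if abs(acc) > best_mag:
            best_bin, best_mag = k, abs(acc)
    return best_bin * fps / n


def survey(tones_hz):
    """Map each true tone to the frequency a 60 fps recording would show."""
    return {f: apparent_frequency(led_brightness_per_frame(f)) for f in tones_hz}


if __name__ == "__main__":
    for true_hz, seen_hz in survey([85, 100, 160, 255, 2000]).items():
        print(f"{true_hz:>5} Hz tone appears at {seen_hz:>5.1f} Hz")
```

Every tone in the speech band folds below 30 Hz, and distinct tones (100 Hz, 160 Hz and 2 kHz here) land on the same apparent frequency, so the recording cannot tell them apart.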

Turn off the lights

While Glowworm is practically limited by the need for a clear line of sight to the LEDs, it works at a considerable distance. The researchers recovered intelligible audio at 35 meters away – and in the case of neighboring office buildings with mostly glass facades, it would be quite difficult to detect.

For potential targets, the simplest solution is very simple indeed: just make sure none of your devices have a window-facing LED. Paranoid defenders in particular can also mitigate the attack by placing opaque tape over LED indicators that can be affected by audio playback.

On the manufacturer’s side, beating Glowworm leakage would also be relatively straightforward – rather than connecting a device’s LEDs directly to the power line, the LED could be coupled through an op-amp or GPIO port of an integrated microcontroller. Alternatively (and perhaps cheaper), relatively low-power devices can dampen power supply fluctuations by connecting a capacitor in parallel with the LED, which acts as a low-pass filter.
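An added sketch of the capacitor mitigation (not the researchers' or any manufacturer's design): it models the capacitor as a first-order RC low-pass and checks how much of a speech-band supply ripple still reaches the LED. The 330-ohm effective resistance seen by the capacitor, the 100 µF capacitor and the 48 kHz simulation rate are assumed values, and the LED is treated as a linear load.

```python
import math

SAMPLE_RATE = 48_000   # simulation rate in Hz (assumed)
R_EFF_OHMS = 330.0     # effective resistance seen by the capacitor (assumed)
C_FARADS = 100e-6      # capacitor across the LED (assumed)


def cutoff_hz(r_ohms, c_farads):
    """-3 dB corner of a first-order RC low-pass: 1 / (2*pi*R*C)."""
    return 1.0 / (2 * math.pi * r_ohms * c_farads)


def analytic_gain(tone_hz, r_ohms, c_farads):
    """Fraction of a ripple tone that survives the filter (ideal model)."""
    return 1.0 / math.sqrt(1.0 + (tone_hz / cutoff_hz(r_ohms, c_farads)) ** 2)


def simulated_gain(tone_hz, r_ohms, c_farads, seconds=0.5):
    """Drive the RC model with a unit ripple tone; return the output amplitude."""
    dt = 1.0 / SAMPLE_RATE
    alpha = dt / (r_ohms * c_farads + dt)   # backward-Euler RC update factor
    y, peak = 0.0, 0.0
    total = int(seconds * SAMPLE_RATE)
    for n in range(total):
        x = math.sin(2 * math.pi * tone_hz * n * dt)   # constructed supply ripple
        y += alpha * (x - y)                           # filtered voltage at the LED
        if n >= total // 2:                            # skip the start-up transient
            peak = max(peak, abs(y))
    return peak


def capacitor_for(r_ohms, tone_hz, target_gain):
    """Smallest C that cuts a tone at tone_hz down to target_gain (ideal model)."""
    fc = tone_hz / math.sqrt(1.0 / target_gain ** 2 - 1.0)
    return 1.0 / (2 * math.pi * r_ohms * fc)


if __name__ == "__main__":
    print(f"cutoff: {cutoff_hz(R_EFF_OHMS, C_FARADS):.2f} Hz")
    for f in (85, 255, 2000, 4000):   # speech-band edges quoted in the article
        sim = simulated_gain(f, R_EFF_OHMS, C_FARADS)
        print(f"{f:>5} Hz ripple reaches the LED at {sim:.4f} of its amplitude")
    c = capacitor_for(R_EFF_OHMS, 85, 0.01)
    print(f"C for 1% leakage at 85 Hz: {c * 1e6:.0f} uF")
```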

For those interested in more details on both Glowworm and its effective control, we recommend visiting the researchers’ website, which contains a link to the full 16-page white paper.
