New “Glowworm Assault” restores audio from the facility LEDs on the gadgets
This three-minute video describes how Glowworm works and gives examples of visually restored audio.
Researchers at Ben Gurion University in the Negev have shown a novel way to spy on electronic conversations. A new paper released today outlines a novel passive form of the TEMPEST attack called Glowworm, which converts tiny fluctuations in intensity from power LEDs on speakers and USB hubs back into the audio signals that caused those fluctuations.
The Cyber @ BGU team – comprised of Ben Nassi, Yaron Pirutin, Tomer Gator, Boris Zadov, and Professor Yuval Elovici – analyzed a wide range of widely used consumer devices, including smart speakers, simple PC speakers, and USB hubs. The team found that the power LEDs on the devices were generally noticeably affected by audio signals coming in through the connected speakers.
Although the fluctuations in LED signal strength are generally imperceptible to the naked eye, they are large enough to be read with a photodiode coupled to a simple optical telescope. The slight flickering of the power LED output due to voltage changes when the speakers are consuming electrical power are converted into an electrical signal by the photodiode; the electrical signal can then be passed through a simple analog-to-digital converter (ADC) and reproduced directly.
A new kind of passive approach
In this close-range proof-of-concept, a Thorlabs PDA100A2 electro-optical sensor (red) aims at the power LED (yellow) of a USB hub.
Cyber @ BGU
Later experiments increased the range – here we see the PDA100A2 mounted on a telescope, which was trained on the devices to be tested through a glass barrier.
Cyber @ BGU
Unsurprisingly, Glowworm produces a better SNR with simple speakers – but the results can also be used for USB hubs and Raspberry Pis.
Cyber @ BGU
With sufficient knowledge of electronics, the idea that the supposedly permanently lit LEDs of a device can “leak” information about its activity is simple. But to the best of our knowledge, the Cyber @ BGU team is the first to both publish the idea and empirically prove that it works.
The strongest features of the Glowworm attack are its novelty and passivity. Since the approach requires absolutely no active signaling, it would be immune to any type of electronic countermeasure sweep. And right now, it seems unlikely that a potential target is expecting Glowworm or deliberately defending itself against Glowworm – although that could change when the team’s paper is unveiled at the CCS 21 security conference later this year.
The complete passivity of the attack sets it apart from similar approaches – a laser microphone can pick up audio from the vibrations of a window pane. But defenders can potentially detect the attack through smoke or steam – especially if they know the likely frequency ranges an attacker could be using.
Unlike “The Thing”, Glowworm does not require any unexpected signal loss or breakdown, even when actively used. The thing was a Soviet gift to the US ambassador in Moscow that both required “lighting” and sent a clear signal while it was lit. It was a carved wooden copy of the Great Seal of the United States and contained a resonator which, when illuminated (“illuminated”) with a radio signal of a certain frequency, then emitted a clear audio signal over the radio. The actual device was completely passive; it worked much like modern RFID chips (the things that screech when you leave the electronics store with purchases the seller forgot to mark as bought).
Despite Glowworm’s ability to spy on targets without revealing itself, most people don’t need to worry too much. Unlike the eavesdropping devices we mentioned in the section above, Glowworm doesn’t interact with the actual audio at all – just a side effect of electronic devices producing audio.
This means that, for example, a successfully used glowworm attack to spy on a conference call does not capture the audio data of the participants actually in the room, but only of the remote participants whose voices are played over the audio system of the conference room.
The need for a clean line of sight is another issue, which means most targets are completely randomly defended from fireflies. Getting a clear line of sight to a window pane for a laser microphone is one thing – but getting a clean line of sight to the power LEDs on a computer speaker is quite another.
People generally prefer to see windows for the view themselves and see the LEDs on devices across from them. This will hide the LEDs from a potential glowworm attack. Defensive measures against simple lip reading – like drapes or drapes – are also effective safeguards against fireflies, even if the target is unaware that fireflies may be a problem.
Finally, there is currently no real risk of a glowworm “replay” attack using video containing footage of vulnerable LEDs. A close-range 4k video at 60 fps could just about capture the drop of a dubstep bang – but human speech, which is between 85 Hz-255 Hz for vowels and 2 kHz-4 kHz for consonants, is not sensibly restored.
Turn off the light
Although Glowworm is practically limited by the need for a clear line of sight to the LEDs, it functions at a considerable distance. At a distance of 35 meters, the researchers found intelligible audio – and in the case of adjacent office buildings with predominantly glass facades, it would be quite difficult to see.
For potential targets, the simplest solution is very simple indeed – just make sure none of your devices have an LED facing the window. Defenders particularly paranoid can also tone down the attack by placing opaque tape over any LED indicators that could be affected by audio playback.
On the manufacturer’s side, fighting glowworm leakage would also be relatively straightforward – instead of coupling the LEDs of a device directly to the power line, the LED could be coupled via an operational amplifier or GPIO port of an integrated microcontroller. Alternatively (and perhaps cheaper), relatively low power devices could dampen power supply fluctuations by adding a capacitor in parallel with the LED to act as a low pass filter.
For those interested in more details on fireflies and how to effectively contain them, we recommend visiting the researchers’ website, which has a link to the full 16-page white paper.
Offer image from boonchai wedmakawand / Getty Images