Glowworm Attack allows sound recovery via a device’s power indicator LED

The Glowworm attack leverages optical emanations from a device’s power indicator LED to recover sounds from connected peripherals and spy on electronic conversations.

Boffins from the Ben-Gurion University of the Negev devised a new attack technique, dubbed the “Glowworm attack,” that leverages optical emanations from a device’s power indicator LED to recover sounds from connected peripherals and spy on electronic conversations.

Researchers analyzed the response of the power indicator LED of various devices to sound and demonstrated that the sound that is played by connected speakers is correlated to the intensity of the power indicator LED.

Experts pointed out that the correlation is due to the facts that the power indicator LED of many devices is connected directly to the power line, the intensity of a device’s power indicator LED is correlative to the power consumption, and many devices lack a dedicated means of countering this phenomenon.

“we present the Glowworm attack, an optical TEMPEST attack that can be used by eavesdroppers to recover sound by analyzing optical measurements obtained via an electro-optical sensor directed at the power indicator LED of various devices (e.g., speakers, USB hub splitters, and microcontrollers).” state the researchers. “We propose an optical-audio transformation (OAT) to recover sound by isolating the speech from the optical measurements obtained by directing an electro-optical sensor at a device’s power indicator LED.”

Glowworm is similar to another attack called Lamphone that was devised by the experts in June 2020. Both techniques allow attackers to recover sound from light via an electro-optical sensor, but while the Lamphone is a side-channel attack that exploits a light bulb’s miniscule vibrations, the Glowworm is a TEMPEST attack that exploits the way that electrical circuits were designed.

In an indirect attack scenario where the power indicator LED isn’t visible from outside the room, the eavesdropper can recover sound from the power indicator LED of the device used to provide the power to the speaker.

“The sound 𝑠𝑛𝑑 (𝑡 ) of the virtual meeting (1) which is played by the connected speakers creates changes in the power consumption of the power indicator LED of a (2) connected peripheral (e.g., the speakers themselves, a USB hub splitter). The eavesdropper directs an electro-optical sensor at the power indicator LED of a connected peripheral using a telescope (3). The optical signal 𝑜𝑝𝑡 (𝑡 ) is sampled from the electro-optical sensor via an ADC (4) and processed, using an algorithm to recover the acoustic signal 𝑠𝑛𝑑∗ (𝑡 ) (5).” continues the experts.

The researchers tested the Glowworm attack in various experimental setups and demonstrate that an attacker could eavesdrop on a conversation by analyzing a speaker’s power indicator LED with good intelligibility from a distance of 15 meters and with fair intelligibility from 35 meters.

About 50% of the devices analyzed by the researchers are vulnerable to the Glowworm attack, below is a list of some of the vulnerable manufacturers:​

• Google – Google Home Mini, Google Nest Audio
• Logitech – Z120 Speakers, S120 speakers
• JBL – JBL Go 2
• Sony – SRS-XB33, SRS-XB43
• CREATIVE – Pebble speakers
• TP-Link – TP-Link UE330 USB splitter
• Miracase – Miracase USB splitter model MHUB500
• Raspberry Pi – 3, 4

The Glowworm attack can be blocked by placing a black tape over a device’s power indicator LED, anyway manufacturers could technically solve it by integrating a capacitor or an operational amplifier to eliminate the interference to power consumption while the speakers produce sound.

“While the cost of our countermeasures might seem negligible, given the likelihood that the devices are mass produced, the addition of a component to prevent the attack could cost a manufacturer millions of dollars,” the researchers conclude. “Given the cost-driven nature of consumers and the profit-driven nature of manufacturers, known vulnerabilities are often ignored as a means of reducing costs. This fact may leave many electrical circuits vulnerable to Glowworm attack for years to come.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Glowworm)

[adrotate banner=”5″]

[adrotate banner=”13″]