A New Class Of Passive TEMPEST Attack Converts LED Output Into Intelligible Audio


Researchers at Ben Gurion University of the Negev demonstrated a new method of monitoring electronic conversations. A new paper published today outlines a new passive form of TEMPEST attack called Glowworm, which converts small fluctuations in the power LED intensity on speakers and USB hubs back into the audio signal that causes these fluctuations.

The team (consisting of Ben Nassi, Yaron Pirutin, Tomer Gator, Boris Zadov, and Professor Yuval Elovici) analyzed widely used consumer devices, including smart speakers, simple PC speakers, and USB hubs. The team found that a device's power indicator LED is usually significantly affected by the audio signal fed through the connected speakers.

Although fluctuations in the LED's intensity are usually not detectable with the naked eye, they are strong enough to be read with a photodiode coupled to a simple optical telescope. The power LED's output flickers slightly because of the voltage changes that occur as the speakers draw current. A photodiode converts that flicker into an electrical signal, which can then be run through a simple analog-to-digital converter (ADC) and played back directly.

A novel passive approach


With enough electronics knowledge, the idea that a device's supposedly steadily lit LED will "leak" information about what the device is doing is straightforward. But as far as we know, the Ben Gurion University team is the first to publish this idea and prove that it is empirically effective.

The strongest features of the Glowworm attack are its novelty and its passivity. Since the method requires absolutely no active signaling, it is not affected by any type of electronic countermeasure sweep. For the time being, potential targets seem unlikely to anticipate or deliberately defend against Glowworm, although this may change once the team's paper is presented at the CCS 21 security conference later this year.

The complete passivity of this attack sets it apart from similar methods. A laser microphone can pick up audio from the vibrations of window glass, but defenders may use smoke or steam to detect the attack, especially if they know the frequency range the attacker may use.

Glowworm requires no unexpected signal leakage or intrusion even while actively in use, unlike "The Thing." The Thing was a Soviet gift to the US Ambassador in Moscow, which both required "illumination" and broadcast a clear signal while illuminated. It was a carved wooden copy of the US Great Seal, and it contained a resonator that, if lit up with a radio signal at a certain frequency ("illuminating" it), would then broadcast a clear audio signal via radio. The actual device was completely passive; it worked a lot like modern RFID chips (the things that squawk when you leave the electronics store with purchases the clerk forgot to mark as purchased).


Accidental defense
Although Glowworm can monitor the target without exposing itself, this is not something most people need to worry about. Unlike the listening devices we mentioned in the previous section, Glowworm does not interact with the actual audio at all, only with a side effect of the electronic devices that produce the audio.

This means that, for example, a Glowworm attack successfully used to monitor a conference call will not capture the audio of the people who are actually in the room, only the audio of the remote participants whose voices are played through the conference room's audio system.

The need for a clear line of sight is another issue, and it means that most targets will be defended against Glowworm entirely by accident. Getting a clear line of sight to window glass for a laser microphone is one thing, but getting a clear line of sight to the power LED on a computer speaker is another matter entirely.

Humans usually prefer to face the window themselves for the view, which leaves the LEDs on their devices facing them rather than the window. This hides the LEDs from a potential Glowworm attack. Simple defenses against lip reading, such as curtains or drapes, are also effective hedges against Glowworm, even if the target doesn't actually know that Glowworm may be a problem.

Finally, there is currently no real risk of a Glowworm "replay" attack using video that includes shots of vulnerable LEDs. A close-range 4K video at 60 fps might just barely capture the drop in a dubstep track, but it will not usefully recover human speech, which centers between 85Hz-255Hz for vowel sounds and 2KHz-4KHz for consonants.


Turn out the lights
Although Glowworm is limited in practice by its need for a clear line of sight to the LED, it can work over long distances. The researchers recovered intelligible audio at 35 meters, and in the case of adjacent office buildings with mostly glass curtain walls, the attack would be difficult to detect.

For potential targets, the simplest fix is very simple indeed: just make sure that none of your devices have window-facing LEDs. Particularly paranoid defenders can also mitigate the attack by placing opaque tape over any LED indicators that may be affected by audio playback.

On the manufacturer's side, eliminating Glowworm leakage is relatively simple: instead of directly coupling the device's LED to the power line, couple the LED through an operational amplifier or a GPIO port of an integrated microcontroller. Alternatively (and perhaps more cheaply), a relatively low-power device can suppress power fluctuations by connecting a capacitor in parallel to the LED, acting as a low-pass filter.
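To make the capacitor mitigation concrete, here is an added Python sketch (not code from the paper or the researchers) that sizes a parallel capacitor with a simplified first-order RC model and then simulates how much supply ripple still reaches the LED at the edges of the speech bands quoted above. The 100-ohm effective resistance, the 20 dB target and all function names are assumptions chosen for illustration.

```python
import math

# Speech bands quoted in the article, in Hz.
SPEECH_BANDS = {"vowels": (85.0, 255.0), "consonants": (2000.0, 4000.0)}
R_EFF_OHM = 100.0  # assumed effective resistance seen by the capacitor


def analytic_gain(freq_hz, r_ohm, c_farad):
    """Magnitude response of a first-order RC low-pass at freq_hz."""
    cutoff_hz = 1.0 / (2.0 * math.pi * r_ohm * c_farad)
    return 1.0 / math.sqrt(1.0 + (freq_hz / cutoff_hz) ** 2)


def capacitor_for(target_db, freq_hz, r_ohm):
    """Smallest C (farads) that attenuates freq_hz by at least target_db."""
    ratio = math.sqrt(10.0 ** (target_db / 10.0) - 1.0)  # required f / fc
    return ratio / (2.0 * math.pi * r_ohm * freq_hz)


def simulated_gain(freq_hz, r_ohm, c_farad, fs=200_000):
    """Drive a discrete-time RC filter with a unit sine and return the
    steady-state output amplitude (residual ripple reaching the LED)."""
    dt, tau = 1.0 / fs, r_ohm * c_farad
    alpha = dt / (tau + dt)
    n_settle = int(10 * tau * fs)       # let the start-up transient decay
    n_measure = int(3 * fs / freq_hz)   # then watch three full cycles
    y = peak = 0.0
    for i in range(n_settle + n_measure):
        y += alpha * (math.sin(2.0 * math.pi * freq_hz * i * dt) - y)
        if i >= n_settle:
            peak = max(peak, abs(y))
    return peak


def residual_ripple_db(c_farad, r_ohm=R_EFF_OHM):
    """Simulated attenuation (dB) at each edge of the article's speech bands."""
    return {
        (name, f): 20.0 * math.log10(simulated_gain(f, r_ohm, c_farad))
        for name, band in SPEECH_BANDS.items() for f in band
    }


if __name__ == "__main__":
    c = capacitor_for(20.0, 85.0, R_EFF_OHM)  # 20 dB at the lowest vowel edge
    print(f"C = {c * 1e6:.0f} uF")
    for (name, f), db in residual_ripple_db(c).items():
        print(f"{name:10s} {f:6.0f} Hz  {db:6.1f} dB")
```

Because a first-order filter rolls off at only 20 dB per decade, the capacitor has to be sized for the lowest vowel frequency; the consonant band is then attenuated far more heavily as a by-product.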

For those interested in more details about Glowworm and its effective mitigation measures, we recommend visiting the researchers' website, which contains a link to the full 16-page white paper.