Security researchers have uncovered a new attack method, “Glowworm,” that can recover audio from a device’s LED power indicator light.
In a new paper, researchers from Ben-Gurion University say an attacker could use this technique to essentially spy on conversations over popular videoconferencing platforms like Zoom, Microsoft Teams, Google Meet and others.
Using the Glowworm method, an attacker can convert small changes to the LED power light into audio – a new class of optical TEMPEST attacks.
According to the paper, there is an optical correlation between sound played by connected speakers and the intensity of their power indicator LED, “due to the facts that: (1) the power indicator LED of various devices is connected directly to the power line, (2) the intensity of a device’s power indicator LED is correlative to the power consumption, and (3) many devices lack a dedicated means of countering this phenomenon.”
To pull this off, an attacker would transform optical into audio using an electro-optical sensor and point it at the power indicator LED of speakers, USB hub splitters, microcontrollers or other devices.
However, the attacker would have to be relatively close to the device – within 15 meters for good intelligibility and 35 meters for fair intelligibility. Also, the LED indicator would have to be visible from that distance.
Here’s more from the paper:
The main components used to perform the Glowworm attack are: (1) A telescope – This piece of equipment is used to focus the field of view on a device’s power indicator LED from a distance. (2) An electro-optical sensor – This sensor is mounted on the telescope and consists of a photodiode that converts light into an electrical current; the current is generated when photons are absorbed in the photodiode. (3) A sound recovery system – This system receives an optical signal as input and outputs the recovered acoustic signal. The eavesdropper can implement such a system with: (a) dedicated hardware (e.g., using capacitors, resistors), or (b) the use of ADC to sample the electro-optical sensor and process the data using a sound recovery algorithm running on a laptop. In this study, we use the latter digital approach.
According to the paper, some manufacturers don’t integrate voltage stabilizers or filters in some products, which helps makes this attack possible.
The researchers say they disclosed the details of the attack with manufacturers of devices used in the research, including Logitech, Google, Creative, TP-Link, Raspberry Pi, Winner and MIRACASE.