Another viable spying strategy has surfaced online as researchers teamed up to leverage optical changes in LED indicators. Dubbed “Glowworm,” the new attack reads optical changes in the LED indicators of target devices to retrieve the sounds played. The attack allows an adversary to listen to those sounds without physical interaction with the target system.
Glowworm Attack Targeting LED Indicators
Researchers from Ben-Gurion University of the Negev, Israel, have devised a Glowworm attack as a sneaky strategy for spying.
Briefly, the attack aims to recover the audio played on the target device by recording the changes in the LED indicator's light that are caused by the sounds played on the device speakers. This optical TEMPEST attack involves aiming an electro-optical sensor at the LED indicator. It then transforms the optical signals into sound signals to recover the speech.
In this way, the Glowworm attack resembles the Lamphone attack, which also transforms recorded light into sound to recover data. However, the two differ in how they work. While Lamphone simply records the fluctuations of a light bulb caused by the vibrations that sound waves generate on impact, Glowworm exploits how the electrical circuitry behaves. As the researchers explained in their research paper:
We show that the power indicator LED of various devices leaks information regarding the sound played by connected speakers. This occurs in devices whose power indicator LED is connected directly to the device’s power line and lack integrated voltage stabilizers. As a result, the optical response (intensity) of the power indicator LED of such devices is correlative to the power consumed by the device. This fact can be exploited to recover sound from the connected speakers directly, by obtaining optical measurements via an electro-optical sensor directed at the speakers’ power indicator LED, or indirectly, by obtaining optical measurements via an electro-optical sensor directed at the power indicator LED of the device used to supply power to the speakers (e.g., USB hub, microcontrollers).
The attack methodology
In their study, the researchers aimed to retrieve sounds from the target device during an ongoing virtual meeting. For successful exploitation, the attacker needs to be within 35 meters of the victim’s device. This includes being in a nearby room or a car.
If the LED indicator of the target device’s speakers is within the attacker's line of sight, Glowworm becomes possible. The attacker can exploit either the LED indicator of the speakers or the LED indicators of the device powering the speakers.
Then, using simple equipment that includes a telescope, an electro-optical sensor, and a sound recovery system, the attacker can carry out Glowworm.
The following video demonstrates the Glowworm attack in a real-time scenario.
Suggested Countermeasures
Regarding the feasibility of the Glowworm attack, the researchers explained that these attacks are useful for an adversary in today’s scenario, given the increase in virtual interactions globally due to the COVID-19 pandemic. An adversary can easily spy on Zoom, Skype, and other virtual meetings and communications through these attacks.
To mitigate this attack, the researchers recommend numerous countermeasures. First, manufacturers may consider segregating the LED indicator from the power line by integrating a capacitor or an additional OPAMP in between.
Secondly, consumers can easily avoid this attack by covering the LED indicator with black tape.
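The effect of the capacitor countermeasure can be estimated with a small model. The following is an added example, not code from the researchers or from this article: it assumes the LED brightness is a DC level plus a small ripple that follows a test tone, treats the capacitor as a first-order RC low-pass filter, and compares how strongly the tone shows up in the light before and after filtering. The sample rate, tone, ripple depth and cutoff are constructed values.

```python
import math

FS = 48_000       # sample rate in Hz (constructed value)
TONE_HZ = 1_000   # test tone played through the speakers (constructed value)

def led_signal(n, ripple=0.01):
    """Constructed model: LED intensity = DC level + ripple tracking the audio power draw."""
    return [1.0 + ripple * math.sin(2 * math.pi * TONE_HZ * i / FS) for i in range(n)]

def rc_lowpass(samples, cutoff_hz):
    """First-order RC low-pass, an assumed stand-in for the capacitor feeding the LED."""
    alpha = (1.0 / FS) / (1.0 / (2 * math.pi * cutoff_hz) + 1.0 / FS)
    out, y = [], samples[0]
    for x in samples:
        y += alpha * (x - y)
        out.append(y)
    return out

def tone_amplitude(samples, freq_hz):
    """Goertzel algorithm: amplitude of a single frequency after removing the DC level."""
    n, mean = len(samples), sum(samples) / len(samples)
    k = round(freq_hz * n / FS)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = (x - mean) + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2 * math.sqrt(max(power, 0.0)) / n

def leakage_db(samples, freq_hz=TONE_HZ):
    """Tone amplitude relative to the average LED brightness, in dB."""
    dc = sum(samples) / len(samples)
    return 20 * math.log10(tone_amplitude(samples, freq_hz) / dc)

def compare(cutoff_hz=10.0, n=FS):
    """Return (unfiltered, filtered) leakage in dB; the filter's settling time is skipped."""
    raw = led_signal(n)
    filtered = rc_lowpass(raw, cutoff_hz)
    return leakage_db(raw), leakage_db(filtered[n // 2:])

if __name__ == "__main__":
    print("leakage before/after smoothing (dB): %.1f / %.1f" % compare())
```

The same leakage_db measurement can be applied to real photodiode samples of a device's indicator while a known test tone plays, to check whether a given product needs the fix.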
The researchers have set up a dedicated website to explain more details about Glowworm.