The Glowworm attack

Glowworm is a novel technique that leverages optical emanations from a device’s power indicator LED to recover sounds from connected peripherals, and spy on electronic conversations from a distance of as much as 35 meters.


What is a Glowworm attack

Named the “Glowworm attack,” the findings were published by a group of academics from the Ben-Gurion University of the Negev, describing how the method can be used by eavesdroppers to recover sound by analyzing optical measurements obtained via an electro-optical sensor directed at the power indicator LED of various devices.

Accompanying the experimental setup is an optical-audio transformation (OAT), that allows for retrieving sound by isolating the speech from the optical measurements obtained by directing an electro-optical sensor at the device’s power indicator LED.

Glowworm builds on an attack called Lamphone, which was demonstrated by the same researchers, that enables the recovery of sound from a victim’s room that contains an overhead hanging bulb.

Both methods retrieve sound from light via an electro-optical sensor, but they are also different: while the Lamphone attack exploits a light bulb’s minuscule vibrations – which are the result of sound waves hitting the bulb – Glowworm is an attack that exploits the way that electrical circuits were designed.


Glowworm Experiment

The researchers demonstrated how a Glowworm attack might work by pointing a telescope with an electro-optical sensor from 35 meters away at speakers connected to a laptop. 

The sensor was aimed at the speakers’ power-indicator LED and the laptop screen was not visible. The team was successfully able to capture a statement played on the speakers and translated by Glowworm.

While most business being conducted over platforms like Skype is far from sensitive enough to attract eavesdroppers armed with telescopes and Glowworm, the finding is a good reminder that manufacturers can’t always be relied upon to consider these types of TEMPEST attacks.

“This is a very interesting attack that for the overwhelming number of users has no real risk,” said John Bambenek, from Netenrich.

“That said, for devices and environments where espionage is important, physical security remains key. No visibility from unprotected space should be possible into highly sensitive environments and devices should be designed to be segmented so sensitive information can’t be gleaned because manufacturers were too lazy to put LEDs on a clear line in the box.”

Here is possible to have an explanation about the demonstration.


Attack’s features

Glowworm hinges on the optical correlation between the sound that is played by connected speakers and the intensity of their power indicator LED, which are not only connected directly to the power line but also that the intensity of a device’s power indicator LED is influenced by the power consumption.

What’s more, the quality of the sound recovered is proportional to the quality of the equipment used by the eavesdropper.

In a real-world scenario, the threat model aims the speech generated by participants in a virtual meeting platform such as Zoom, Google Meet, and Microsoft Teams, with the malicious party located in a room in an adjacent building, enabling the adversary to recover sound from the power indicator LED of the speakers.

In an indirect attack scenario where the power indicator LED isn’t visible from outside the room, the eavesdropper can recover sound from the power indicator LED of the device used to provide the power to the speaker.

Although such attacks can be countered on the consumer side by placing a black tape over a device’s power indicator LED, the researchers recommend device manufacturers integrate a capacitor or an operational amplifier to eliminate the power consumption fluctuations that occur when the speakers produce sound.

However, as the researchers said, while the cost of countermeasures might seem negligible, given the probability that the devices are mass-produced, the addition of a component to prevent the attack could cost a manufacturer millions of dollars. 

Given the cost-driven nature of consumers and the profit-driven nature of manufacturers, known vulnerabilities are often ignored as a means of reducing costs. This fact may leave many devices vulnerable to Glowworm attacks for years to come.