The Lamphone Attack

Today it’s possible to spy on secret conversations happening in a room from a remote location just by observing a light bulb hanging there – visible from a window – and measuring the amount of light it emits.


The Findings

A team of cybersecurity researchers has recently developed and demonstrated a novel side-channel attack technique that eavesdroppers can use to recover full sound from a victim’s room that contains an overhead hanging bulb.

The findings were published in a new paper by a team of academics from Israel’s Ben-Gurion University of the Negev and the Weizmann Institute of Science.

The technique for long-distance eavesdropping, called “Lamphone,” works by capturing minuscule sound waves optically through an electro-optical sensor directed at the bulb and using it to recover speech and recognize music.  


How Does the ‘Lamphone Attack’ Work?

The central premise of Lamphone hinges on detecting vibrations in hanging bulbs, which result from the air pressure fluctuations that occur naturally when sound waves hit their surfaces, and measuring the tiny changes in the bulb’s light output that those small vibrations trigger, in order to pick up snippets of conversations and identify music.

To achieve this, the setup consists of a telescope to provide a close-up view of the room containing the bulb from a distance, an electro-optical sensor that’s mounted on the telescope to convert light into an electrical current, an analog-to-digital converter to transform the sensor output to a digital signal, and a laptop to process incoming optical signals and output the recovered sound data.  


Lamphone Attack Demonstration

The result? The researchers recovered an audible extract of Donald Trump’s speech and also reproduced a recording of the Beatles’ “Let It Be” and Coldplay’s “Clocks” that were clear enough to be recognized by song identification services.

Researchers have shown how fluctuations in the air pressure on the surface of the hanging bulb (in response to sound), which cause the bulb to vibrate very slightly (a millidegree vibration), can be exploited by eavesdroppers to recover sounds.

The development adds to a growing list of sophisticated techniques that can be leveraged to snoop on unsuspecting users and extract acoustic information from devices not intended to function as microphones, such as motion sensors, speakers, vibration devices, magnetic hard disk drives, and even wooden tables.



From How Far Can an Attacker Spy Using the Lamphone Attack?

The new approach is effective from great distances – starting with at least 25 meters away from the target using a telescope and a $400 electro-optical sensor, and can further be amplified with high-range equipment.

Lamphone side-channel attacks can be applied in real-time scenarios, unlike previous eavesdropping setups such as Visual Microphone, which are hampered by lengthy processing times to even recover a few seconds of speech.

Moreover, since it’s an entirely external scenario, the attack doesn’t require a malicious actor to compromise any of the victim’s devices.

Given that the effectiveness of the attack relies heavily on the light output, the countermeasures proposed by the paper’s authors involve reducing the amount of light captured by the electro-optical sensor by using a weaker bulb and a curtain wall to limit the light emitted from a room.

The researchers also suggest using a heavier bulb to minimize vibrations caused by changes in air pressure.
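
To see why both countermeasures help, the following added example (not code from the paper or its authors) models the sensor chain described above as a toy signal: light level times a small sound-driven modulation, plus a fixed sensor noise floor, passed through an ADC. The sample rate, noise floor, ADC resolution, light levels and vibration gains are all assumed, constructed values; only the relative change in signal-to-noise ratio is meaningful.

```python
import math
import random

FS = 8000          # samples per second (assumed ADC rate)
TONE_HZ = 440.0    # constructed test tone standing in for room sound
NOISE_RMS = 0.002  # assumed fixed sensor noise floor, in volts
ADC_BITS = 16      # assumed converter resolution over a 0..1 V range


def sensor_samples(light, vib_gain, seed=7):
    """Toy model: volts = light * (1 + vib_gain * sound) + noise, then quantised."""
    rng = random.Random(seed)
    full_scale = 2 ** ADC_BITS - 1
    out = []
    for i in range(FS):  # one second of samples
        sound = math.sin(2 * math.pi * TONE_HZ * i / FS)
        volts = light * (1 + vib_gain * sound) + rng.gauss(0, NOISE_RMS)
        volts = min(max(volts, 0.0), 1.0)
        out.append(round(volts * full_scale) / full_scale)
    return out


def tone_snr_db(samples):
    """SNR of the test tone in the AC part of the sensor signal, in dB."""
    n = len(samples)
    mean = sum(samples) / n
    ac = [s - mean for s in samples]  # remove the bulb's steady (DC) light level
    sin_ref = [math.sin(2 * math.pi * TONE_HZ * i / FS) for i in range(n)]
    cos_ref = [math.cos(2 * math.pi * TONE_HZ * i / FS) for i in range(n)]
    a = 2 / n * sum(x * r for x, r in zip(ac, sin_ref))
    b = 2 / n * sum(x * r for x, r in zip(ac, cos_ref))
    signal_power = (a * a + b * b) / 2
    noise_power = sum((x - a * s - b * c) ** 2
                      for x, s, c in zip(ac, sin_ref, cos_ref)) / n
    return 10 * math.log10(signal_power / noise_power)


def compare_countermeasures():
    """Return SNR (dB) for the baseline and each mitigation in the toy model."""
    return {
        "baseline": tone_snr_db(sensor_samples(light=0.5, vib_gain=0.01)),
        "weaker bulb + curtain": tone_snr_db(sensor_samples(light=0.125, vib_gain=0.01)),
        "heavier bulb": tone_snr_db(sensor_samples(light=0.5, vib_gain=0.005)),
        "both": tone_snr_db(sensor_samples(light=0.125, vib_gain=0.005)),
    }


if __name__ == "__main__":
    for name, snr in compare_countermeasures().items():
        print(f"{name:24s} {snr:6.1f} dB")
```

In this model, cutting the captured light to a quarter costs the observer about 12 dB of signal-to-noise ratio and halving the bulb's vibration response costs about 6 dB, and the two reductions add when combined.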