You may not believe it, but it is possible to spy on secret conversations taking place in a room from a nearby remote location simply by observing a light bulb hanging there, visible from a window, and measuring the amount of light it emits.
A team of cyber security researchers has developed and demonstrated a novel side-channel attack technique that eavesdroppers can use to recover the full sound from a victim's room that contains an overhead hanging light bulb.
The results were published in a new paper by a team of scientists (Ben Nassi, Yaron Pirutin, Adi Shamir, Yuval Elovici and Boris Zadov) from Israel's Ben-Gurion University of the Negev and the Weizmann Institute of Science, and will be presented at the Black Hat USA 2020 conference later in August.
The technique for long-distance eavesdropping, called "Lamphone," works by optically capturing tiny sound waves through an electro-optical sensor directed at the light bulb and using them to recover speech and recognize music.
How does the "Lamphone Attack" work?
The central premise of Lamphone is to detect the vibrations of a hanging light bulb, which result from the air pressure fluctuations that occur naturally when sound waves hit its surface, and to measure the tiny changes in the bulb's light output that these small vibrations trigger in order to pick up snippets of conversation and identify music.
"We assume that a victim is in a room/office with a hanging light bulb," said the researchers. "We consider an eavesdropper as a malicious entity interested in spying on the victim to capture the victim's conversations and use the information provided in the conversation (e.g., stealing the victim's credit card number, conducting blackmail based on the private information exposed by the victim, etc.)."
To achieve this, the setup consists of a telescope that provides a close-up view of the room with the light bulb from a distance, an electro-optical sensor mounted on the telescope to convert light into electrical current, an analog-to-digital converter to convert the sensor output into a digital signal, and a laptop to process the incoming optical signals and output the recovered sound data.
"Lamphone takes advantage of the visual microphone (it is passive) and the laser microphone (it can be used in real time) to restore speech and vocals," the researchers said.
Demonstration of the Lamphone attack
The result? The researchers recovered an audible excerpt from President Donald Trump's speech that could be transcribed by Google's Speech to Text API. They also reproduced recordings of the Beatles' "Let It Be" and Coldplay's "Clocks" that were clear enough to be recognized by song identification services like Shazam and SoundHound.
"We show how fluctuations in air pressure on the surface of the hanging light bulb (in response to noise), which cause the light bulb to vibrate very easily (a millidegree vibration), can be exploited by eavesdroppers to passively restore speech and singing externally and in real time," the researchers outlined.
"We analyze the reaction of a hanging light bulb to sound using an electro-optical sensor and learn how to isolate the audio signal from the optical signal. Based on our analysis, we develop an algorithm to restore sound from the optical measurements obtained from the vibrations of the light bulb and detected by the electro-optical sensor."
The development adds to a growing list of sophisticated techniques that can be used to spy on unsuspecting users and extract acoustic information from devices that can be made to act as microphones, such as motion sensors, speakers, vibration devices, magnetic hard drives and even wooden tables.
From how far away can an attacker spy using the Lamphone attack?
The new approach is effective from a distance, starting at least 25 meters from the target with a telescope and a $400 electro-optical sensor, and its range can be further extended with long-range equipment.
Lamphone side-channel attacks can be used in real-time scenarios, unlike previous eavesdropping setups like Visual Microphone, which are hampered by long processing times to restore even a few seconds of speech.
Because the scenario is completely external, the attack does not require a malicious actor to compromise a victim's device.
Given that the effectiveness of the attack depends heavily on light output, the countermeasure proposed by the paper's authors is to reduce the amount of light picked up by the electro-optical sensor by using a weaker light bulb and a curtain wall to limit the light emitted from a room.
The researchers also suggest using a heavier light bulb to minimize vibrations caused by changes in air pressure.