A team of cybersecurity researchers has developed and demonstrated a novel side-channel attack technique that eavesdroppers can use to recover full sound from a victim's room that contains an overhead hanging bulb.
The findings were published in a new paper by a team of academics (Ben Nassi, Yaron Pirutin, Adi Shamir, Yuval Elovici and Boris Zadov) from Israel's Ben-Gurion University of the Negev and the Weizmann Institute of Science, and will also be presented at the Black Hat USA 2020 conference later this August.
The technique for long-distance eavesdropping, called "Lamphone," works by capturing minuscule sound waves optically through an electro-optical sensor directed at the bulb and using it to recover speech and recognize music.
How Does the 'Lamphone Attack' Work?
The central premise of Lamphone hinges on detecting the vibrations of a hanging bulb, which result from the air pressure fluctuations that occur naturally when sound waves hit its surface. By measuring the tiny changes in the bulb's light output that those small vibrations trigger, an eavesdropper can pick up snippets of conversations and identify music.
"We assume a victim located inside a room/office that contains a hanging light bulb," the researchers said. "We consider an eavesdropper a malicious entity that is interested in spying on the victim in order to capture the victim's conversations and make use of the information provided in the conversation (e.g., stealing the victim's credit card number, performing extortion based on private information revealed by the victim, etc.)."
To achieve this, the setup consists of a telescope to provide a close-up view of the room containing the bulb from a distance, an electro-optical sensor that's mounted on the telescope to convert light into an electrical current, an analog-to-digital converter to transform the sensor output to a digital signal, and a laptop to process incoming optical signals and output the recovered sound data.
"Lamphone leverages the advantages of the Visual Microphone (it is passive) and laser microphone (it can be applied in real-time) methods of recovering speech and singing," the researchers said.
Lamphone Attack Demonstration
The result? The researchers recovered an audible extract of President Donald Trump's speech that could be transcribed by Google's Speech to Text API. They also reproduced recordings of the Beatles' "Let It Be" and Coldplay's "Clocks" that were clear enough to be recognized by song identification services like Shazam and SoundHound.
"We show how fluctuations in the air pressure on the surface of the hanging bulb (in response to sound), which cause the bulb to vibrate very slightly (a millidegree vibration), can be exploited by eavesdroppers to recover speech and singing, passively, externally, and in real-time," the researchers outlined.
"We analyze a hanging bulb's response to sound via an electro-optical sensor and learn how to isolate the audio signal from the optical signal. Based on our analysis, we develop an algorithm to recover sound from the optical measurements obtained from the vibrations of a light bulb and captured by the electro-optical sensor."
The development adds to a growing list of sophisticated techniques that can be leveraged to snoop on unsuspecting users and extract acoustic information from devices not intended to function as microphones, such as motion sensors, speakers, vibration devices, magnetic hard disk drives, and even wooden tables.
From How Far Can an Attacker Spy Using the Lamphone Attack?
The new approach is effective from great distances, starting with at least 25 meters away from the target using a telescope and a $400 electro-optical sensor, and can be further amplified with high-range equipment.
Lamphone side-channel attacks can be applied in real-time scenarios, unlike previous eavesdropping setups such as Visual Microphone, which are hampered by the lengthy processing time needed to recover even a few seconds of speech.
Moreover, since it's an entirely external scenario, the attack doesn't require a malicious actor to compromise any of the victim's devices.
Given that the effectiveness of the attack relies heavily on the light output, the countermeasures proposed by the paper's authors involve reducing the amount of light captured by the electro-optical sensor by using a weaker bulb and a curtain wall to limit the light emitted from a room.
The researchers also suggest using a heavier bulb to minimize vibrations caused by changes in air pressure.